
Sep 06, 2025 · 3 min read
MobSF Pen-Testing Tool Input Validation Flaw Leads to SSRF

The Mobile Security Framework (MobSF), a widely used pen-testing, malware analysis, and security assessment framework, has been found to contain a critical input validation flaw that could lead to server-side request forgery (SSRF) attacks.

The vulnerability, tracked as CVE-2024-29190, affects MobSF version 3.9.5 Beta and prior.

Understanding the Vulnerability: CVE-2024-29190

While investigating the “App Link assetlinks.json file could not be found” finding, the Trendyol Application Security team discovered that MobSF sends a GET request to the “/.well-known/assetlinks.json” endpoint of every host specified with `android:host` in the AndroidManifest.xml file.


However, because MobSF performed no input validation when extracting hostnames from the `android:host` attribute, it could be made to send requests to local or internal hostnames, leading to SSRF.

GitHub has recently published an advisory regarding the Server-Side Request Forgery (SSRF) vulnerability that affects the assetlinks_check functionality.

Technical Breakdown

Example of Vulnerable Configuration

```xml
<intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
```

In the example above, `android:host` is set to “192.168.1.102/user/delete/1#”, which is not a hostname at all but a private IP address followed by a path.

The trailing “#” character is what makes this work: when MobSF appends “/.well-known/assetlinks.json” to the host value, everything after the “#” becomes a URL fragment and is never sent to the server, so the request goes to the path placed before it (here /user/delete/1 on 192.168.1.102) instead of to the assetlinks.json endpoint.
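The defensive check that closes this gap is to treat `android:host` as untrusted input and accept only a bare hostname before building the lookup URL. The following is an added example (not MobSF's own code and not the hotfix referenced below): it extracts `android:host` values from a constructed manifest that reuses the intent-filter quoted above, rejects any value carrying URL delimiters (so a path or fragment can never be spliced into the request), and refuses IP literals in loopback, private, link-local, multicast, reserved or unspecified ranges. Function names, the `https` scheme and the second `example.com` filter are assumptions made for illustration.

```python
"""Validating android:host values before a Digital Asset Links lookup.

Added example, not MobSF's own code. Function names are assumptions.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed manifest: the first intent-filter is the one from the article,
# the second is an assumed benign app link for comparison.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
      </intent-filter>
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <data android:host="example.com" android:scheme="https" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def extract_android_hosts(manifest_xml: str) -> list:
    """Return every android:host value found on <data> elements, in order."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        host = data.get("{%s}host" % ANDROID_NS)
        if host is not None:
            hosts.append(host)
    return hosts


def is_safe_assetlinks_host(host: str) -> bool:
    """Accept only a bare hostname or a public IP literal."""
    if not host:
        return False
    # Android allows a wildcard prefix on app-link hosts; validate the base.
    if host.startswith("*."):
        host = host[2:]
    # IP literals: parse first so IPv6 colons are not mistaken for delimiters,
    # then refuse anything that is not routable on the public internet.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return not (addr.is_loopback or addr.is_private or addr.is_link_local
                    or addr.is_multicast or addr.is_reserved
                    or addr.is_unspecified)
    # A hostname never contains URL delimiters; their presence means the value
    # is smuggling a path, query, fragment, port or userinfo into the request.
    if any(ch in host for ch in "/?#@:\\ "):
        return False
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return False
    return bool(_HOSTNAME_RE.match(host))


def assetlinks_url(host: str) -> str:
    """Build the assetlinks.json URL for a host that passed validation."""
    if not is_safe_assetlinks_host(host):
        raise ValueError("refusing assetlinks lookup for host %r" % host)
    base = host[2:] if host.startswith("*.") else host
    return "https://%s/.well-known/assetlinks.json" % base


def check_manifest(manifest_xml: str) -> dict:
    """Map each android:host in the manifest to its lookup URL, or None if rejected."""
    return {
        host: (assetlinks_url(host) if is_safe_assetlinks_host(host) else None)
        for host in extract_android_hosts(manifest_xml)
    }


if __name__ == "__main__":
    for host, url in check_manifest(SAMPLE_MANIFEST).items():
        print("%-32s -> %s" % (host, url or "REJECTED"))
```

Running the block prints the article's value as REJECTED and only `example.com` as a lookup URL. The check is purely syntactic and offline: it does not resolve names, so a public hostname whose DNS record points at an internal address (or is rebound after the check) is not caught here. A scanner that must handle that case should resolve the name, apply the same range checks to every returned address, and connect to the vetted address rather than re-resolving.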

Proof of Concept (PoC)

A proof of concept video demonstrating the SSRF vulnerability has been made available by the Trendyol Application Security team.

The SSRF vulnerability poses a significant risk as it allows an attacker to cause the server to make unauthorized connections to internal-only services within an organization’s infrastructure.

This could lead to the exposure of sensitive internal systems and data.

Mitigation and Hotfix

A hotfix for this issue has been implemented in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.

Users of MobSF are urged to update to the latest version to mitigate the risk associated with CVE-2024-29190.

The discovery of CVE-2024-29190 highlights the importance of thorough input validation in software development, especially in security-critical applications like MobSF.

Organizations relying on MobSF for their security assessments should take immediate action to apply the hotfix and protect their infrastructure from potential SSRF attacks.

Source: CybersecurityNews.com
