Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (iOS/Android/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. Developers, security researchers, and other enthusiasts in the field of mobile applications rely on MobSF to identify and fix vulnerabilities in their mobile apps.

Vulnerability Details

In this post, we will discuss a previously overlooked server-side request forgery (SSRF) vulnerability in MobSF, tracked as CVE-2024-54000, that affects versions prior to 3.9.7 and bypasses the fix for CVE-2024-29190. The SSRF resides in the _check_url method, where the requests.get() call is made with allow_redirects=True. An attacker can exploit it when the request to ".well-known/assetlinks.json" returns a 302 redirect: whatever validation is applied to the original URL is never applied to the redirect target, which MobSF follows automatically.

The following code snippet shows the vulnerable _check_url method from the affected versions:

from typing import Dict

import requests

def _check_url(self, url: str, kwargs: Dict) -> Dict:
    try:
        # allow_redirects=True is the defect: any validation of url is
        # bypassed because the library follows the 3xx the server sends back.
        resp = requests.get(url, **kwargs, allow_redirects=True)
        ...
    except Exception:
        ...

Exploit Description

An attacker who controls a server hosting a ".well-known/assetlinks.json" file can answer the request with a 302 redirect to an internal URL (loopback, private-range or link-local services reachable from the MobSF host) or to an external unsafe URL, leading to SSRF. This can result in unauthorized access to sensitive data, information disclosure, or potentially remote code execution.

A sample response from an attacker-controlled server for the ".well-known/assetlinks.json" path:

HTTP/1.1 302 Found
Location: http://{Local_or_Unsafe_URL}/data
Content-Type: application/json

// Any additional payload data

Because MobSF follows the redirect automatically, the attacker never has to host a malicious assetlinks.json at all: the initial URL looks legitimate and passes whatever validation the fix for CVE-2024-29190 applies to it, and the request is then sent to the redirect target. This bypasses the previous patch and makes the SSRF easy and reliable to exploit.
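The hardened form of the _check_url pattern, run against the redirect described above, as an added example that is not part of the original post and not MobSF's own 3.9.7 patch (which may differ in approach). It disables library-side redirects and follows each hop by hand, rejecting any hop whose host does not resolve solely to a globally routable address (ipaddress.is_global, which excludes loopback, RFC 1918, link-local and the 169.254.169.254 metadata endpoint). The hosts attacker.example and good.example, the FAKE_SERVERS and FAKE_DNS tables, the REQUEST_LOG list and the public address 93.184.216.34 are all constructed for the offline demo; the real network is only touched through resolve_host and the lazily imported requests call, neither of which the demo uses.

```python
import ipaddress
import socket
from types import SimpleNamespace
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5


def resolve_host(hostname: str) -> List[str]:
    # Every A/AAAA address for hostname; this one uses the real network.
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_safe_url(url: str, resolver: Callable[[str], List[str]] = resolve_host) -> bool:
    """Accept only http(s) URLs whose host resolves solely to globally routable IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:                     # socket.gaierror is a subclass
            return False
    # Every address must be global: a mixed record set with one internal address is rejected.
    try:
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except ValueError:
        return False


def _location(headers: Any) -> Optional[str]:
    # Case-insensitive lookup so plain dicts and requests' header mapping both work.
    return next((v for k, v in headers.items() if k.lower() == "location"), None)


def _requests_get(url: str, **kwargs: Any) -> Any:
    import requests  # lazy import: the validation logic itself needs no third-party code
    return requests.get(url, **kwargs)


def safe_get(url: str, getter: Callable[..., Any] = _requests_get,
             resolver: Callable[[str], List[str]] = resolve_host, **kwargs: Any) -> Any:
    """GET url, following at most MAX_REDIRECTS hops, validating every hop with is_safe_url."""
    # getter(url, **kwargs) returns an object with .status_code and .headers (requests.Response
    # fits); it is injectable so the demo below runs offline.
    kwargs["allow_redirects"] = False       # never let the HTTP library follow for us
    kwargs.setdefault("timeout", 5)
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(url, resolver):
            raise ValueError(f"refusing to fetch non-public URL: {url}")
        resp = getter(url, **kwargs)
        location = _location(resp.headers)
        if not (300 <= resp.status_code < 400 and location):
            return resp
        url = urljoin(url, location)        # a relative Location resolves against this hop
    raise ValueError(f"too many redirects, stopped before {url}")


# ---- offline demo with constructed servers and resolver (no real hosts) ----
# attacker.example answers its assetlinks.json request with a 302 to the metadata
# address, as in the advisory above; good.example uses a harmless relative redirect.
FAKE_SERVERS: Dict[str, Tuple[int, Dict[str, str], str]] = {
    "http://attacker.example/.well-known/assetlinks.json": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "ami-id\ninstance-id\n"),
    "http://good.example/.well-known/assetlinks.json": (302, {"Location": "/static/assetlinks.json"}, ""),
    "http://good.example/static/assetlinks.json": (200, {}, "[]"),
}
FAKE_DNS = {"attacker.example": ["93.184.216.34"], "good.example": ["93.184.216.34"]}
REQUEST_LOG: List[str] = []                 # every URL the fake transport was asked for


def fake_get(url: str, **kwargs: Any) -> SimpleNamespace:
    REQUEST_LOG.append(url)
    status, headers, text = FAKE_SERVERS[url]
    return SimpleNamespace(status_code=status, headers=headers, text=text)


def fake_resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])       # unknown name: no addresses, so it is rejected


def check_assetlinks(domain: str) -> str:
    """Fetch a domain's assetlinks.json through safe_get and describe the outcome."""
    url = f"http://{domain}/.well-known/assetlinks.json"
    try:
        resp = safe_get(url, getter=fake_get, resolver=fake_resolve)
        return f"ok {resp.status_code} {resp.text!r}"
    except ValueError as err:
        return f"blocked: {err}"


if __name__ == "__main__":
    print(check_assetlinks("good.example"))                  # ok 200 '[]'
    print(check_assetlinks("attacker.example"))              # blocked: refusing to fetch non-public URL: http://169.254.169.254/latest/meta-data/
    print(any("169.254.169.254" in u for u in REQUEST_LOG))  # False
```

Two caveats a practitioner should keep in mind. First, the check resolves the name before the request and the HTTP library resolves it again when connecting, so a DNS-rebinding attacker with a short TTL can still win the race; the complete fix pins the validated address at connection time (for example by connecting to the IP and sending the Host header yourself). Second, if the assetlinks lookup has no legitimate need for redirects, the simplest hardening is to keep allow_redirects=False and treat any 3xx as a failed check, which removes the redirect surface entirely.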

Affected Versions

MobSF versions prior to 3.9.7 are affected by this vulnerability. It is strongly recommended that users upgrade to version 3.9.7 or later to mitigate the risk of exploitation.

> Note: The vulnerability is fixed in MobSF 3.9.7; the release is listed in the References below.

Conclusion

CVE-2024-54000 is a critical server-side request forgery vulnerability in Mobile Security Framework (MobSF) affecting versions prior to 3.9.7. An attacker who controls the server hosting a ".well-known/assetlinks.json" file can answer with a 302 redirect that MobSF follows, potentially leading to unauthorized access to internal services, information disclosure, or remote code execution. Developers and security researchers running MobSF should update to 3.9.7 or later as soon as possible.

References

- Mobile Security Framework (MobSF) GitHub Repository
- MobSF Release 3.9.7
- CVE-2024-29190 NVD Details

Timeline

Published on: 12/03/2024 16:15:24 UTC