Live Threat Map
The Mobile Security Framework (MobSF), a widely used pen-testing, malware analysis, and security assessment framework, has been found to contain a critical input validation flaw that could lead to server-side request forgery (SSRF) attacks.
The vulnerability, tracked as CVE-2024-29190, affects MobSF version 3.9.5 Beta and prior.
Understanding the Vulnerability: CVE-2024-29190
While investigating the “App Link assetlinks.json file could not be found” vulnerability, the Trendyol Application Security team discovered that MobSF sends a GET request to the “/.well-known/assetlinks.json” endpoint for all hosts specified with “android: host” in the AndroidManifest.xml file.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
:
- The problem of vulnerability fatigue today
- Difference between CVSS-specific vulnerability vs risk-based vulnerability
- Evaluating vulnerabilities based on the business impact/risk
- Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, which helps you to quantify risk accurately:
However, due to a lack of input validation when extracting hostnames from the android: host attribute, MobSF could inadvertently send requests to local hostnames, potentially leading to SSRF.
GitHub has recently published a blog post regarding a Server-Side Request Forgery (SSRF) vulnerability that affects the assetlinks_check functionality.
Technical Breakdown
Example of Vulnerable Configuration
XML
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>The android: host is defined as “192.168.1.102/user/delete/1#” in the example above.
Including the “#” character at the host’s end is critical as it prevents requests from being sent to the “/.well-known/assetlinks.json” endpoint, ensuring that requests are sent to the specified endpoint before it.
Proof of Concept (PoC)
A proof of concept video demonstrating the SSRF vulnerability has been made available by the Trendyol Application Security team.
The SSRF vulnerability poses a significant risk as it allows an attacker to cause the server to make unauthorized connections to internal-only services within an organization’s infrastructure.
This could lead to the exposure of sensitive internal systems and data.
Mitigation and Hotfix
A hotfix for this issue has been implemented in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.
Users of MobSF are urged to update to the latest version to mitigate the risk associated with CVE-2024-29190.
The discovery of CVE-2024-29190 highlights the importance of thorough input validation in software development, especially in security-critical applications like MobSF.
Organizations relying on MobSF for their security assessments should take immediate action to apply the hotfix and protect their infrastructure from potential SSRF attacks.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Read the full article here
