MobSF Pen-Testing Tool Input Validation Flaw Leads to SSRF

by Esmeralda McKenzie

The Mobile Security Framework (MobSF), a widely used pen-testing, malware analysis, and security assessment framework, has been found to contain a serious input validation flaw that can lead to server-side request forgery (SSRF) attacks.

The vulnerability, tracked as CVE-2024-29190, affects MobSF version 3.9.5 Beta and prior.


Understanding the Vulnerability: CVE-2024-29190

While investigating the “App Link assetlinks.json file could not be found” finding, the Trendyol Application Security team discovered that MobSF sends a GET request to the “/.well-known/assetlinks.json” endpoint of every host specified in an “android:host” attribute in the AndroidManifest.xml file.


However, because the hostname extracted from the android:host attribute is not validated before it is placed in the URL, MobSF can be made to send requests to arbitrary or internal hosts, resulting in SSRF.

An advisory recently published on GitHub describes the Server-Side Request Forgery (SSRF) vulnerability in the assetlinks_check functionality.

Technical Breakdown

Example of Vulnerable Configuration


In the vulnerable manifest, android:host is set to “192.168.1.102/client/delete/1#”.

The trailing “#” character is essential: MobSF appends “/.well-known/assetlinks.json” to the host, but everything after “#” is a URL fragment and is never sent by the HTTP client, so the request actually goes to the path the attacker placed before it, “/client/delete/1” on 192.168.1.102.
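To make the mechanism concrete, the following Python example (added here; it is not MobSF's code and is not taken from the advisory) parses a constructed manifest containing the host value above, shows where the naive URL construction actually sends the request, and contrasts it with a validating version that only accepts a bare public hostname or globally routable IP. The validation rules, regex and the wildcard-host handling are this example's own choices, not MobSF's fix. Nothing here touches the network.

```python
"""Added example (not MobSF's own code): how an unvalidated android:host
turns an assetlinks.json lookup into SSRF, and one way to validate the host.
Nothing here touches the network; it only builds and inspects URLs."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment. The first host value is the one from the write-up;
# the second is a benign host for comparison.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" android:host="192.168.1.102/client/delete/1#" />
        <data android:scheme="https" android:host="example.com" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def extract_hosts(manifest_xml: str) -> List[str]:
    """Collect every android:host from <data> elements, exactly as the manifest states it."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}host"
    return [d.get(key) for d in root.iter("data") if d.get(key)]


def naive_assetlinks_url(host: str) -> str:
    """Vulnerable pattern: the host is interpolated into the URL without validation."""
    return f"https://{host}/.well-known/assetlinks.json"


def effective_request(url: str) -> Tuple[Optional[str], str]:
    """Host and path an HTTP client actually sends; the '#' fragment never leaves the client."""
    parts = urlsplit(url)
    return parts.hostname, parts.path


# One DNS name: labels of letters, digits and hyphens, at least one dot,
# and therefore no '/', '#', ':' or whitespace (no path, fragment or port).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+", re.I)


def is_safe_host(host: str) -> bool:
    """Accept a bare public DNS name or a globally routable IP; reject everything else.
    'localhost' fails the dot requirement; private/loopback addresses fail is_global."""
    if host.startswith("*."):          # Android wildcard hosts verify against the parent domain
        host = host[2:]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def safe_assetlinks_url(host: str) -> Optional[str]:
    """Hardened pattern: only build the URL for a host that passed validation."""
    bare = host[2:] if host.startswith("*.") else host
    return naive_assetlinks_url(bare) if is_safe_host(host) else None


def plan_requests(manifest_xml: str) -> List[Tuple[str, Optional[str]]]:
    """(host, URL-or-None) for every host in the manifest, after validation."""
    return [(h, safe_assetlinks_url(h)) for h in extract_hosts(manifest_xml)]


if __name__ == "__main__":
    for host in extract_hosts(MANIFEST):
        print("manifest host:", host)
        print("  naive request goes to:", effective_request(naive_assetlinks_url(host)))
        print("  validated URL        :", safe_assetlinks_url(host))
```

Running it shows the naive URL for the malicious host resolving to a request for “/client/delete/1” on 192.168.1.102, while the validating version refuses to build a URL for it at all. Validating the literal is necessary but not sufficient: a public hostname can still resolve to an internal address (DNS rebinding), so an analysis host should additionally run with restricted egress or resolve the name and re-check the resulting address before connecting.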

Proof of Concept (PoC)

A proof-of-concept video demonstrating the SSRF vulnerability has been made available by the Trendyol Application Security team.

The SSRF vulnerability poses a significant risk because it lets an attacker make the MobSF server open unauthorized connections to internal-only services within an organization's infrastructure. Since the manifest is part of the APK under analysis, a crafted app submitted for scanning is enough to trigger the request.

This could result in the exposure of sensitive internal systems and data.

Mitigation and Hotfix

A hotfix for this issue has been implemented in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.

Users of MobSF are urged to update to the latest version to mitigate the risk associated with CVE-2024-29190.

The discovery of CVE-2024-29190 highlights the importance of thorough input validation in application development, particularly in security-critical tools such as MobSF, which routinely process untrusted, attacker-supplied artifacts.

Organizations relying on MobSF for their security assessments should apply the hotfix immediately to protect their infrastructure from potential SSRF attacks. Until the update is in place, running MobSF in a network segment with no route to internal services limits what such a request can reach.


Source credit: cybersecuritynews.com
