The widely used Mobile Security Framework (MobSF), renowned for its pen-testing, malware analysis, and security assessment capabilities, has been discovered to harbour a critical input validation flaw potentially leading to server-side request forgery (SSRF) attacks.
Tracked as CVE-2024-29190, the vulnerability affects MobSF versions up to and including 3.9.5 Beta.
The Trendyol Application Security team, while probing the "App Link assetlinks.json file could not be found" finding, discovered that MobSF issues a GET request to the "/.well-known/assetlinks.json" endpoint of every host declared with `android:host` in the AndroidManifest.xml file. Because the hostname extracted from the `android:host` attribute is not adequately validated, MobSF can be made to direct these requests to local hostnames, opening the door to SSRF exploitation.
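As an added illustration (not MobSF's code, which this article does not reproduce), the Python below shows the hardened shape of such a check: hosts are read from the `android:host` attributes of a constructed manifest, and only syntactically valid public DNS names reach the URL builder, so IP literals and single-label names such as `localhost` are never contacted. The function names and the validation rule are assumptions chosen for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Multi-label DNS name: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed sample manifest: one legitimate host plus hosts an analysis server must never contact.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="https" android:host="localhost"/>
        <data android:scheme="https" android:host="127.0.0.1"/>
        <data android:scheme="https" android:host="10.0.0.7"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def extract_hosts(manifest_xml):
    """Return every android:host value declared on a <data> element, normalised to lower case."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        host = data.get(f"{{{ANDROID_NS}}}host")
        if host:
            hosts.append(host.strip().lower())
    return hosts

def is_safe_public_host(host):
    """Accept only well-formed, multi-label DNS names (assumed rule for this example).
    IP literals of any range and single-label names (localhost, bare service names) are rejected."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False          # an IP literal is never a legitimate public app-link host
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(host))   # also rejects wildcards such as *.example.com

def assetlinks_urls(manifest_xml):
    """Build the assetlinks URLs a checker may fetch, after dropping unsafe hosts."""
    return [f"https://{h}/.well-known/assetlinks.json"
            for h in extract_hosts(manifest_xml) if is_safe_public_host(h)]
```

Name-level filtering alone does not stop a public name from resolving to an internal address; a complete fix also checks the resolved address at connection time.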
GitHub recently shed light on a Server-Side Request Forgery (SSRF) vulnerability impacting the assetlinks_check functionality.
The Trendyol Application Security team has released a proof of concept video elucidating the SSRF vulnerability.
The SSRF vulnerability poses a grave risk by enabling attackers to prompt the server into initiating unauthorized connections to internal-only services housed within an organization's infrastructure, potentially exposing sensitive internal systems and data.
A hotfix addressing this issue has been rolled out in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.
MobSF users are strongly advised to promptly update to the latest version to mitigate the risks associated with CVE-2024-29190.
The discovery of CVE-2024-29190 underscores the critical necessity of rigorous input validation in software development, particularly within security-sensitive applications like MobSF.
Organizations leveraging MobSF for their security assessments should swiftly implement the hotfix to safeguard their infrastructure against potential SSRF attacks.