Input Validation Flaw in MobSF Pen-Testing Tool Leads to SSRF Vulnerability


The widely used Mobile Security Framework (MobSF), known for its pen-testing, malware analysis, and security assessment capabilities, has been found to contain a critical input validation flaw that can lead to server-side request forgery (SSRF) attacks.

Tracked as CVE-2024-29190, the vulnerability affects MobSF versions up to and including 3.9.5 Beta.


Understanding the Vulnerability: CVE-2024-29190

The Trendyol Application Security team, while investigating the "App Link assetlinks.json file could not be found" finding, discovered that MobSF issues a GET request to the "/.well-known/assetlinks.json" endpoint of every host declared with `android:host` in the AndroidManifest.xml file. Because the hostname extracted from the `android:host` attribute is not adequately validated, MobSF can be made to send these requests to local or internal hostnames, which opens the door to SSRF exploitation.
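The root cause described above is a missing allow-list check on the host before the outbound request is made. The following is an added example, not code from the MobSF project or from the Trendyol team, of the kind of pre-flight validation a scanner can apply to `android:host` values before fetching `/.well-known/assetlinks.json`. The sample host list and the static resolver table are constructed for illustration; the functions `is_safe_host`, `safe_assetlink_urls` and `demo` are hypothetical names, and the handling of wildcard `*.` prefixes is an assumption about how such values should be normalised.

```python
import ipaddress
import re
import socket

# Constructed sample of android:host values as a manifest might declare them.
# Illustrative only; not taken from any real app or from MobSF's own test data.
SAMPLE_HOSTS = [
    "example.com",
    "*.example.com",          # wildcard hosts are allowed in App Links
    "localhost",
    "127.0.0.1",
    "169.254.169.254",        # cloud metadata endpoint, a classic SSRF target
    "10.0.0.5",
    "[::1]",
    "internal.corp",
    "example.com/../admin",   # path smuggled into the host attribute
    "",
]

# Constructed resolver table so the example runs offline; addresses are sample values.
STATIC_DNS = {
    "example.com": {ipaddress.ip_address("93.184.216.34")},
    "internal.corp": {ipaddress.ip_address("10.1.2.3")},
}

# One label of a DNS name: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# Require at least two labels so bare names such as "localhost" are rejected.
_HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})+")


def _normalize(host: str) -> str:
    """Lower-case, trim, drop a trailing dot and an assumed '*.' wildcard prefix."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def static_resolve(hostname: str) -> set:
    """Resolver backed by the constructed STATIC_DNS table."""
    return STATIC_DNS.get(hostname, set())


def system_resolve(hostname: str) -> set:
    """Resolver backed by the OS; every returned address must be vetted."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    addrs = set()
    for info in infos:
        addr = info[4][0].split("%", 1)[0]  # drop an IPv6 scope id if present
        try:
            addrs.add(ipaddress.ip_address(addr))
        except ValueError:
            return set()  # an unparseable address fails closed
    return addrs


def is_safe_host(host: str, resolve=system_resolve) -> bool:
    """True only if host is a bare DNS name or IP literal whose every address is
    globally routable (not loopback, private, link-local, multicast, reserved)."""
    host = _normalize(host)
    if not host or len(host) > 253:
        return False
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        addrs = {ipaddress.ip_address(literal)}
    except ValueError:
        # Not an IP literal: it must be a well-formed DNS name, and it must resolve.
        if not _HOSTNAME_RE.fullmatch(host):
            return False
        addrs = resolve(host)
        if not addrs:
            return False
    return all(a.is_global and not a.is_multicast and not a.is_reserved for a in addrs)


def safe_assetlink_urls(hosts, resolve=system_resolve) -> list:
    """Return the de-duplicated assetlinks.json URLs that passed validation."""
    urls = [
        f"https://{_normalize(h)}/.well-known/assetlinks.json"
        for h in hosts
        if is_safe_host(h, resolve)
    ]
    return list(dict.fromkeys(urls))


def demo() -> list:
    """Run the check over the constructed sample using the offline resolver."""
    return safe_assetlink_urls(SAMPLE_HOSTS, static_resolve)


if __name__ == "__main__":
    for url in demo():
        print(url)
```

Two points matter when using a check like this in practice. First, validate every address the name resolves to, not just the first, and fail closed when resolution fails. Second, the check and the actual HTTP request must use the same resolved address (for example by connecting to the vetted IP and sending the hostname in the `Host` header and TLS SNI); otherwise a name that resolves differently between the check and the fetch can still reach an internal address.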

GitHub has also published details of the Server-Side Request Forgery (SSRF) vulnerability affecting the assetlinks_check functionality.


Proof of Concept (PoC)

The Trendyol Application Security team has released a proof of concept video demonstrating the SSRF vulnerability.

The SSRF vulnerability poses a serious risk because it lets an attacker make the MobSF server open unauthorized connections to internal-only services within an organization's infrastructure, potentially exposing sensitive internal systems and data.


Mitigation and Hotfix

A hotfix addressing this issue has been released in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.

MobSF users are strongly advised to promptly update to the latest version to mitigate the risks associated with CVE-2024-29190.

The discovery of CVE-2024-29190 underscores the critical necessity of rigorous input validation in software development, particularly within security-sensitive applications like MobSF.

Organizations leveraging MobSF for their security assessments should swiftly implement the hotfix to safeguard their infrastructure against potential SSRF attacks.