Description
SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
Summary
While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for every host declared with "android:host" in the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames from "android:host", requests can also be sent to local hostnames. This can lead to a server-side request forgery (SSRF) vulnerability.
Details
Example <intent-filter> structure in AndroidManifest.xml:
We set android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the host prevents the request from reaching the "/.well-known/assetlinks.json" endpoint and makes it go to the endpoint that precedes the "#" instead.
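The following is an added example, not MobSF's own code, showing why pasting the manifest value straight into the URL sends the request where the advisory describes, and a validation step that accepts only a plain public hostname or IP literal before any request is built. The function names naive_target, is_safe_android_host and assetlinks_url are hypothetical; the check is syntactic and does not resolve DNS, so a public-looking name that resolves to an internal address still needs a check at resolution time.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

ASSETLINKS_PATH = "/.well-known/assetlinks.json"
# One hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def naive_target(host: str) -> Tuple[str, str]:
    """Where a request lands if the android:host value is used unchecked.
    Returns (netloc, path) of the URL that would be fetched."""
    parts = urlsplit(f"https://{host}{ASSETLINKS_PATH}")
    return parts.netloc, parts.path


def is_safe_android_host(value: str) -> bool:
    """Accept a public hostname (optionally prefixed with '*.') or a globally
    routable IPv4 literal. Any '/', '#', '?', ':', '@' or whitespace, and any
    loopback, private or link-local address, is rejected."""
    host = value[2:] if value.startswith("*.") else value
    if not host or len(host) > 253:
        return False
    # Only hostname/IPv4 characters; this alone defeats the '#' and '/' trick.
    # Bracketed IPv6 literals are rejected too (':' is not allowed).
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return addr.is_global  # False for 127.0.0.0/8, 10/8, 192.168/16, 169.254/16 ...
    labels = host.rstrip(".").split(".")
    # Require at least two labels (rejects "localhost") and a non-numeric TLD.
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def assetlinks_url(value: str) -> Optional[str]:
    """Build the assetlinks URL only for hosts that pass validation."""
    if not is_safe_android_host(value):
        return None
    host = value[2:] if value.startswith("*.") else value
    return f"https://{host}{ASSETLINKS_PATH}"
```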
PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.
References
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3
- https://nvd.nist.gov/vuln/detail/CVE-2024-29190
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77
- https://github.com/MobSF/mobsfscan/commit/61fd40b477bbf9d204eb8c5a83a86c396d839798
- https://github.com/MobSF/mobsfscan/commit/cd01b71770a6e56c1c71b0e5f454e7b6c9c64ef4
- https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
- https://github.com/pypa/advisory-database/tree/main/vulns/mobsf/PYSEC-2024-257.yaml
Packages
mobsfscan: affected versions < 0.3.8, fixed in 0.3.8
Related vulnerabilities
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue.