MobSF, Server-Side Request Forgery (SSRF), CVE-2024-XXXX (High)


The CVE-2024-XXXX vulnerability in MobSF arises from improper handling of HTTP redirects in the `_check_url` method. The function calls `requests.get()` with `allow_redirects=True`, so it automatically follows HTTP 3XX redirects. If a malicious `.well-known/assetlinks.json` endpoint responds with a redirect (e.g., a 302) pointing to an internal service (e.g., `http://192.168.1.102/user/delete/1`), MobSF follows it blindly, resulting in SSRF. This allows attackers to probe internal networks or interact with restricted services. The fix is to set `allow_redirects=False` so that an unintended request chain cannot be triggered.
DailyCVE Form:
Platform: MobSF
Version: <affected_versions>
Vulnerability: SSRF via redirects
Severity: High
Date: Mar 22, 2024
Prediction: Patch expected by Jul 2024

What Undercode Say:

Check redirect behavior:
curl -v http://target/.well-known/assetlinks.json -L
Exploit PoC: Host malicious 302 redirect to internal IP

How to Exploit:

1. Host a malicious JSON endpoint returning a 302 to `http://internal-ip/sensitive-path`.

2. Trigger MobSF’s `assetlinks_check` with the rogue URL.

Protection from this CVE:

  • Update MobSF to the patched version.
  • Manually set `allow_redirects=False` in `_check_url`.
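An added example (not MobSF's code) of the hardened behaviour described in the summary and in the protection bullet above: a constructed local stand-in for a hostile `assetlinks.json` endpoint answers with a 302 to the internal URL from the advisory, and a checker written with the standard library's `urllib` (mirroring what `allow_redirects=False` does in `requests`) records the redirect target without following it, then classifies that target as internal. The `RogueAssetlinks`, `NoRedirect`, `is_internal_url`, `check_url` and `demo` names are all assumptions made for this demonstration.

```python
import ipaddress
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse

# Constructed stand-in for a hostile assetlinks endpoint: every request gets a 302
# pointing at the internal URL from the advisory, which this demo never contacts.
REDIRECT_TARGET = "http://192.168.1.102/user/delete/1"

class RogueAssetlinks(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", REDIRECT_TARGET)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib counterpart of requests' allow_redirects=False: never follow a 3xx."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead of following it

def is_internal_url(url):
    """Defence in depth for IP-literal hosts: private, loopback or link-local target?"""
    try:
        addr = ipaddress.ip_address(urlparse(url).hostname or "")
    except ValueError:
        return False  # hostnames would need a resolve-then-check step, not shown here
    return addr.is_private or addr.is_loopback or addr.is_link_local

def check_url(url):
    """Hardened _check_url: one request, redirect treated as data, not as an instruction.
    Returns (status, location); location is the unfollowed redirect target or None."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, None
    except HTTPError as err:
        return err.code, err.headers.get("Location")

def demo():
    """Serve the rogue endpoint on loopback; return (status, target, target_is_internal)."""
    server = HTTPServer(("127.0.0.1", 0), RogueAssetlinks)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        status, location = check_url(f"http://127.0.0.1:{port}/.well-known/assetlinks.json")
        return status, location, is_internal_url(location or "")
    finally:
        server.shutdown()
        server.server_close()
```

Running `demo()` shows the rogue server is contacted exactly once and the `192.168.1.102` target is surfaced as a finding rather than requested.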

Impact:

  • Unauthorized internal network access.
  • Potential data deletion/modification via internal APIs.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
