GHSA-wfgj-wrgh-h3r3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wfgj-wrgh-h3r3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-wfgj-wrgh-h3r3/GHSA-wfgj-wrgh-h3r3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-wfgj-wrgh-h3r3
- Aliases
- Related
- Published
- 2024-03-22T23:54:53Z
- Modified
- 2024-03-23T22:45:45.862889Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
- Details
-
Summary
While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.
Details
Example <intent-filter structure in AndroidManifest.xml:
<intent-filter android:autoVerify="true"> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:host="192.168.1.102/user/delete/1#" android:scheme="http" /> </intent-filter>We defined it as android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the host prevents requests from being sent to the "/.well-known/assetlinks.json" endpoint and ensures that requests are sent to the endpoint before it.
<img width="617" alt="image" src="https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/150332295/c570cb00-e947-4ad7-af80-26d46c0ad3f7">
PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.
- Database specific
{ "nvd_published_at": "2024-03-22T23:15:07Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-22T23:54:53Z" }- References
-
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3
- https://nvd.nist.gov/vuln/detail/CVE-2024-29190
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77
- https://github.com/MobSF/mobsfscan/commit/61fd40b477bbf9d204eb8c5a83a86c396d839798
- https://github.com/MobSF/mobsfscan/commit/cd01b71770a6e56c1c71b0e5f454e7b6c9c64ef4
- https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
- https://github.com/MobSF/Mobile-Security-Framework-MobSF
Affected packages
PyPI / mobsfscan
Package
- Name
- mobsfscan
- View open source insights on deps.dev
- Purl
- pkg:pypi/mobsfscan