CVE-2024-43399: Critical Zip Slip Vulnerability Discovered in Mobile Security Framework (MobSF)
A serious security flaw has been uncovered in Mobile Security Framework (MobSF), a widely-used open-source tool for mobile app security analysis. The vulnerability, identified as CVE-2024-43399 (CVSS 9.8), could allow malicious actors to execute code remotely on servers running MobSF, potentially compromising the security of organizations that rely on this tool for app vetting.
MobSF is a powerful tool that provides both static and dynamic analysis capabilities for mobile applications across Android, iOS, and Windows Mobile platforms. It is highly valued in the cybersecurity community for tasks such as penetration testing, malware analysis, and privacy audits. However, a recent review of MobSF’s source code by security researcher Bulutenes has exposed a critical flaw in the Static Analyzer’s handling of .a extension files.
The issue lies in the extraction process of .a files within the Static Libraries analysis section. Specifically, the mitigation technique designed to prevent Zip Slip attacks—where files are extracted to unintended locations—is improperly implemented. The flawed code is located in the mobsf/StaticAnalyzer/views/common/shared_func.py file, where the replace operation intended to neutralize dangerous file paths can be bypassed using specially crafted sequences like `....//....//....//`. This bypass allows an attacker to escalate the file path to higher directory levels, leading to potential overwrites of critical system files.
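The following added example (not MobSF's code) illustrates why a single-pass `replace` fails against the `....//` sequence described above, and shows the check a defender wants instead: resolve the path that would actually be written and refuse anything that lands outside the extraction directory. The member names and the `/tmp/mobsf_static_libs` destination are constructed for the demonstration.

```python
import os
from typing import Callable, Dict, List, Optional, Tuple


def naive_sanitize(member_name: str) -> str:
    """Single-pass sanitiser of the kind the article describes.

    Illustration of the anti-pattern, not MobSF's exact code: one
    str.replace() pass strips '../', so a name that spells the sequence
    as '....//' collapses back into '../' after the pass.
    """
    return member_name.replace('../', '')


def safe_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Return the absolute path a member may be written to, or None.

    Resolves the final path and refuses anything outside dest_dir. Absolute
    member names are caught too, since os.path.join then discards dest_root.
    """
    dest_root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        return None
    return candidate


def plan_extraction(dest_dir: str, member_names: List[str],
                    sanitizer: Callable[[str], str] = naive_sanitize,
                    ) -> Tuple[Dict[str, str], List[str]]:
    """Run each name through the sanitizer, then gate the *result* with the
    containment check, so a collapsed '../' is rejected before any write."""
    allowed: Dict[str, str] = {}
    rejected: List[str] = []
    for name in member_names:
        target = safe_extract_path(dest_dir, sanitizer(name))
        if target is None:
            rejected.append(name)
        else:
            allowed[name] = target
    return allowed, rejected


# Constructed member names; the last one uses the '....//' pattern from the article.
SAMPLE_MEMBERS = [
    'libcrypto.o',
    'objs/engine.o',
    '....//....//....//home/mobsf/.MobSF/db.sqlite3',
]

if __name__ == '__main__':
    for name in SAMPLE_MEMBERS:
        print(repr(name), '->', repr(naive_sanitize(name)))
    print(plan_extraction('/tmp/mobsf_static_libs', SAMPLE_MEMBERS))
```

Running it shows the third name turning into `../../../home/mobsf/.MobSF/db.sqlite3` after the single replace, and the containment check rejecting it before anything is written.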
To demonstrate the severity of this vulnerability, the researcher developed a proof of concept (PoC) using a malicious .a archive file. When this file is scanned by MobSF, it overwrites the MobSF database located at /home/mobsf/.MobSF/db.sqlite3, rendering the platform unusable. The PoC effectively deletes the database, but more malicious actions are possible, including achieving Remote Code Execution (RCE) by overwriting essential binaries or the /etc/passwd file.
The impact of CVE-2024-43399 is considerable. By exploiting this vulnerability, an attacker could extract files to any desired location on the server running MobSF, potentially leading to total system compromise. The ability to overwrite critical files or achieve RCE could have devastating effects, particularly for organizations that rely on MobSF for continuous security assessments in their DevSecOps or CI/CD pipelines.
All MobSF versions up to and including 4.0.6 are affected. The developers have addressed the vulnerability in version 4.0.7. Users are strongly urged to update to the latest version immediately.