A zero-day vulnerability has been discovered in the Mobile Security Framework (MobSF), an automated platform for mobile application penetration testing, malware analysis, and security assessments.
The flaw, identified as a Partial Denial of Service (DoS) vulnerability, affects the Scans Results and iOS Dynamic Analyzer functionalities.
This vulnerability has been classified under CWE-1287, Improper Validation of Specified Type of Input. It has a CVSS v4.0 score of 6.9 (Medium severity), indicating significant potential for disruption.
This issue has been addressed in MobSF version 4.3.1, and users are strongly advised to upgrade to this version to mitigate risks.
MobSF Framework Zero-day Vulnerability
The vulnerability stems from improper validation of input in MobSF’s urls.py file, specifically related to the parsing of iOS application bundle identifiers.
According to Apple’s documentation, bundle IDs must adhere to strict rules, allowing only alphanumeric characters (A–Z, a–z, 0–9), hyphens (-), and periods (.).
However, attackers can bypass this restriction by modifying the
When such a maliciously crafted application is uploaded to MobSF for analysis, the framework fails to handle the invalid characters correctly.
This results in a 500 Internal Server Error, rendering the Scans Results and iOS Dynamic Analyzer pages inaccessible. The only resolution is to manually remove the malicious application from the system. This vulnerability was discovered by Oleg Surnin from Positive Technologies.
To reproduce the Partial Denial of Service (DoS) vulnerability in MobSF, first obtain the IPA file of any iOS application. Unzip this file using the command:
unzip test.ipa
Next, locate the Info.plist file within the unzipped contents.
Modify the
After creating the malicious IPA file, upload it to MobSF’s Static Analysis feature. Following this, attempt to access the affected pages, such as http://mobsf/recent_scans/ or http://mobsf/ios/dynamic_analysis/.
If successful, you will encounter a 500 Internal Server Error due to MobSF’s inability to parse the malformed bundle ID. This error renders these pages inaccessible until the malicious application is manually removed from the system.
The vulnerability has been patched in MobSF version 4.3.1 by implementing stricter validation for bundle IDs using regex checks in urls.py.
Hence, organizations relying on MobSF for mobile application analysis should prioritize upgrading to version 4.3.1 to safeguard their systems against potential exploitation.
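The following is an added example, not MobSF's patch code: a Python check that could run before an IPA is accepted for analysis, reading the bundle identifier from Info.plist and rejecting anything outside the character set cited above. The function names and the sample IPA are constructed for illustration; CFBundleIdentifier is the standard Info.plist key for the bundle ID.

```python
import io
import plistlib
import re
import zipfile

# Character set the article cites from Apple's rules: A-Z, a-z, 0-9, '-', '.'
# Used with fullmatch(), so a trailing newline cannot slip past as it can with '$'.
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.-]+")
# Main app plist inside an IPA: Payload/<Name>.app/Info.plist
INFO_PLIST_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def is_valid_bundle_id(value):
    """True only for a non-empty string made of the allowed characters."""
    return isinstance(value, str) and BUNDLE_ID_RE.fullmatch(value) is not None


def check_ipa(data):
    """Return (ok, detail) for raw IPA bytes (hypothetical helper)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as ipa:
            names = [n for n in ipa.namelist() if INFO_PLIST_RE.fullmatch(n)]
            if len(names) != 1:
                return False, "expected exactly one Payload/*.app/Info.plist"
            plist = plistlib.loads(ipa.read(names[0]))  # XML or binary plist
    except Exception as exc:
        # Any parsing failure is a rejection of the upload, not a server error.
        return False, f"unreadable archive or plist: {type(exc).__name__}"
    bundle_id = plist.get("CFBundleIdentifier") if isinstance(plist, dict) else None
    if not is_valid_bundle_id(bundle_id):
        return False, f"rejected bundle ID: {bundle_id!r}"
    return True, bundle_id


def make_sample_ipa(bundle_id):
    """Constructed test input: a minimal zip holding only an Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Sample.app/Info.plist",
                     plistlib.dumps({"CFBundleIdentifier": bundle_id}))
    return buf.getvalue()


if __name__ == "__main__":
    for candidate in ("com.example.demo-app", "com.example.bad id!", ""):
        print(repr(candidate), check_ipa(make_sample_ipa(candidate)))
```

Rejecting the file at upload time keeps a malformed identifier out of stored scan records, so listing pages never have to render it.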