Headline
GHSA-wfgj-wrgh-h3r3: SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
Summary
While examining the “App Link assetlinks.json file could not be found” vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the “/.well-known/assetlinks.json” endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.
Details
Example <intent-filter structure in AndroidManifest.xml:
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
We defined it as android:host="192.168.1.102/user/delete/1#". Here, the “#” character at the end of the host prevents requests from being sent to the “/.well-known/assetlinks.json” endpoint and ensures that requests are sent to the endpoint before it.
<img width="617" alt="image" src="https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/150332295/c570cb00-e947-4ad7-af80-26d46c0ad3f7">
PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
Impact
The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure.
Summary
While examining the “App Link assetlinks.json file could not be found” vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the “/.well-known/assetlinks.json” endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.
Details
Example <intent-filter structure in AndroidManifest.xml:
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
We defined it as android:host="192.168.1.102/user/delete/1#". Here, the “#” character at the end of the host prevents requests from being sent to the “/.well-known/assetlinks.json” endpoint and ensures that requests are sent to the endpoint before it.
PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
Impact
The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure.
References
- GHSA-wfgj-wrgh-h3r3
- MobSF/mobsfscan@61fd40b
- MobSF/mobsfscan@cd01b71