ghsa-cxqq-w3x5-7ph3
Vulnerability from github
Published
2025-02-05 20:56
Modified
2025-02-05 21:45
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
MobSF Stored Cross-Site Scripting (XSS)
Details

Product: MobSF Version: < 4.3.1 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Description: Stored XSS in the iOS Dynamic Analyzer functionality. Impact: Leveraging this vulnerability would enable performing actions as users, including administrative users. Vulnerable component: dynamic_analysis.html https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 Exploitation conditions: A malicious application was uploaded to the Correlium. Mitigation: Use escapeHtml() function on the bundle variable. Researcher: Oleg Surnin (Positive Technologies)

Research

Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in MobSF in iOS Dynamic Analyzer functionality. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). (https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier) However, an attacker can manually modify this value in Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. In the dynamic_analysis.html file you do not sanitize received bundle value from Corellium https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406

Figure 1. Unsanitized bundle

As a result, it is possible to break the HTML context and achieve Stored XSS.

Vulnerability reproduction

To reproduce the vulnerability, follow the steps described below.

• Unzip the IPA file of any iOS application. Listing 1. Unzipping the file unzip test.ipa • Modify the value of <key>CFBundleIdentifier</key> by adding restricted characters in the Info.plist file.

Figure 2. Example of the modified Bundle Identifier

• Zip the modified IPA file.

Listing 2. Zipping the file zip -r xss.ipa Payload/ • Upload the modified IPA file to your virtual device using the Correlium platform.

Figure 3. Example of the uploaded malicious application

• Open the XSS functionality and hover the mouse over the Uninstall button of the malicious app.

Figure 4. Example of the 'Uninstall' button

Figure 5. Example of the XSS

Figure 6. Example of the vulnerable code

Please, assign all credits to: Oleg Surnin (Positive Technologies)

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T20:56:39Z",
    "nvd_published_at": "2025-02-05T19:15:46Z",
    "severity": "HIGH"
  },
  "details": "**Product:** MobSF\n**Version:** \u003c 4.3.1\n**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.4.0:** 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)\n**Description:** Stored XSS in the iOS Dynamic Analyzer functionality.\n**Impact:** Leveraging this vulnerability would enable performing actions as users, including administrative users.\n**Vulnerable component:** `dynamic_analysis.html` \nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406\n**Exploitation conditions:** A malicious application was uploaded to the Correlium.\n**Mitigation:** Use `escapeHtml()` function on the `bundle` variable.\n**Researcher: Oleg Surnin (Positive Technologies)**\n\n## Research\nResearcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in MobSF in iOS Dynamic Analyzer functionality.\nAccording to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.).\n(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)\nHowever, an attacker can manually modify this value in `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value.\nIn the `dynamic_analysis.html` file you do not sanitize received bundle value from Corellium \nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406\n\n\u003cimg width=\"1581\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8400f872-46c0-406c-9dd6-97655e499b75\" /\u003e\n\n*Figure 1. Unsanitized bundle*\n\nAs a result, it is possible to break the HTML context and achieve Stored XSS.\n\n## Vulnerability reproduction\n\nTo reproduce the vulnerability, follow the steps described below.\n\n\u2022\tUnzip the IPA file of any iOS application.\n*Listing 1. Unzipping the file*\n```\nunzip test.ipa\n```\n\u2022\tModify the value of `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` by adding restricted characters in the `Info.plist` file.\n\n\u003cimg width=\"560\" alt=\"image-1\" src=\"https://github.com/user-attachments/assets/3eedf216-45ab-4d73-9815-6b02827d36d4\" /\u003e\n\n*Figure 2. Example of the modified Bundle Identifier*\n\n\u2022\tZip the modified IPA file.\n\n*Listing 2. Zipping the file*\n```\nzip -r xss.ipa Payload/\n```\n\u2022\tUpload the modified IPA file to your virtual device using the Correlium platform.\n \n\u003cimg width=\"762\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/7f3e8b0d-d1f9-4d86-b63b-9b3f9e8f1d0c\" /\u003e\n\n*Figure 3. Example of the uploaded malicious application*\n\n\u2022\tOpen the XSS functionality and hover the mouse over the Uninstall button of the malicious app.\n\n\u003cimg width=\"764\" alt=\"image-3\" src=\"https://github.com/user-attachments/assets/fd621574-f2c1-42be-b30a-e8e7445c6b13\" /\u003e\n\n*Figure 4. Example of the \u0027Uninstall\u0027 button*\n\n \u003cimg width=\"652\" alt=\"image-4\" src=\"https://github.com/user-attachments/assets/73526f71-6d39-4a94-98bf-8a867aa9acc7\" /\u003e\n \n*Figure 5. Example of the XSS*\n \n\u003cimg width=\"460\" alt=\"image-5\" src=\"https://github.com/user-attachments/assets/13e6a1fc-59be-492d-8e42-a5a8010fc4c3\" /\u003e\n\n*Figure 6. Example of the vulnerable code*\n\n___________________________\n\n### Please, assign all credits to: Oleg Surnin (Positive Technologies)",
  "id": "GHSA-cxqq-w3x5-7ph3",
  "modified": "2025-02-05T21:45:22Z",
  "published": "2025-02-05T20:56:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
    },
    {
      "type": "WEB",
      "url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MobSF Stored Cross-Site Scripting (XSS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.