VYPR
High severity · NVD Advisory · Published Oct 18, 2022 · Updated May 10, 2025

CVE-2022-41547

Description

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MobSF v0.9.2 and below has an LFI in StaticAnalyzer/views.py allowing attackers to read arbitrary files via a crafted HTTP request.

Vulnerability

Analysis

Mobile Security Framework (MobSF) versions up to and including v0.9.2 contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. The flaw resides in the ViewSource function, where the md5 parameter is insufficiently sanitized: the value is used to build a filesystem path without being confined to a single 32-character hash. An attacker can append path traversal sequences such as ../ to the value and end it with a null byte, which truncates the path so that anything the application appends after it is ignored, bypassing the intended file access restrictions [1][4].

Exploitation

The vulnerability can be exploited remotely without authentication. A crafted HTTP GET request to the /ViewSource/ endpoint with attacker-controlled file and md5 query parameters allows an attacker to read arbitrary files on the server filesystem. The PoC demonstrates reading /private/etc/passwd on macOS by placing a genuine MD5 hash at the head of the md5 value (so a check on the start of the value still passes), followed by ../ traversal to the target file and a URL-encoded null byte (%00) that terminates the string before any path components the server appends [1][4].
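The following is an added illustration, not code from MobSF or from the referenced PoC. It models the class of bug the Analysis and Exploitation sections describe (a check that only looks at the head of the md5 value, followed by a null byte that truncates the path) next to a hardened resolver, and it assumes a hypothetical upload layout of UPLOAD_ROOT/<md5>/java_source/ for the analysed app; the real MobSF directory structure and validation code are not reproduced here.

```python
import os
import re
from pathlib import Path

# Constructed for this example: analysed apps are assumed to live under
# UPLOAD_ROOT/<md5>/java_source/. This is an assumption, not MobSF's layout.
UPLOAD_ROOT = "/tmp/mobsf_example_uploads"

# Same pattern, different use: match() only constrains the head of the value,
# fullmatch() constrains the whole value.
MD5_RE = re.compile(r"[0-9a-f]{32}")


def weak_resolve(md5: str, file: str) -> str:
    """Models the insufficient validation the advisory describes: the md5
    value only has to *begin* with 32 hex characters, so anything appended
    after a real hash flows straight into the filesystem path."""
    if not MD5_RE.match(md5):
        raise ValueError("md5 must start with a hash")
    return os.path.join(UPLOAD_ROOT, md5, "java_source", file)


def effective_path(path: str) -> str:
    """Model what a C-level open() sees: the string ends at the first NUL byte
    (MobSF 0.9.x ran on Python 2, which passed the bytes through unchecked),
    and the kernel then collapses the '..' components."""
    return os.path.normpath(path.split("\x00", 1)[0])


def hardened_resolve(md5: str, file: str) -> str:
    """Strict version: anchored hash match, NUL rejection, and a resolved-path
    containment check so the result can never leave the app's source dir."""
    if not MD5_RE.fullmatch(md5):
        raise ValueError("md5 must be exactly 32 lowercase hex characters")
    if "\x00" in file:
        raise ValueError("NUL byte in file name")
    base = Path(UPLOAD_ROOT, md5, "java_source").resolve()
    target = (base / file).resolve()
    if target != base and base not in target.parents:
        raise ValueError("file escapes the application's source directory")
    return str(target)


def hardened_rejects(md5: str, file: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(md5, file)
    except ValueError:
        return True
    return False


# PoC-shaped input (constructed): a genuine MD5 at the head of the value,
# traversal after it, and a NUL so the server's own suffix is dropped.
REAL_HASH = "d41d8cd98f00b204e9800998ecf8427e"   # md5 of the empty string
CRAFTED_MD5 = REAL_HASH + "/../../../../../../etc/passwd\x00"


def demo() -> dict:
    """Run the crafted request through both resolvers."""
    weak = weak_resolve(CRAFTED_MD5, "MainActivity.java")
    return {
        "weak_effective": effective_path(weak),          # -> /etc/passwd
        "hardened_rejects": hardened_rejects(CRAFTED_MD5, "MainActivity.java"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The prefix check in weak_resolve is satisfied because the value really does start with a hash; the damage is done by what follows it. The hardened version closes all three gaps at once: fullmatch() leaves no room for a suffix, the NUL check removes the truncation trick, and comparing resolved paths catches any traversal that survives the other two, including one smuggled in through the file parameter instead.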

Impact

Successful exploitation enables an attacker to read sensitive files from the MobSF server, including configuration files, application source code, or system files like /etc/passwd. This could lead to further compromise of the server or leaked credentials. The vulnerability does not require elevated privileges, making it a high-severity issue for any MobSF instance exposed to untrusted networks [2].

Mitigation

The vulnerability was fixed in commit b9cdd1f, which properly validates the md5 parameter and prevents directory traversal [1]. Users are strongly advised to upgrade to MobSF v0.9.3 or later. No official workaround is available for v0.9.2 or earlier versions [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
mobsf     PyPI        < 0.9.3             0.9.3

Affected products (2)

  • Mobile Security Framework (MobSF)
  • ghsa-coords: Range < 0.9.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.