Mobile Security Framework MobSF ZIP of Death Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Mobile Security Framework (MobSF) versions through 4.3.2. The static-analysis upload feature accepts ZIP archives and extracts them without checking the total uncompressed size of the archive contents. An attacker can therefore upload a ZIP file that is small when compressed but expands to a massive size on extraction (a "ZIP of Death" or zip bomb). Extraction quickly exhausts the server's disk space, causing a denial of service not only for MobSF but also for any other applications and websites hosted on the same server. The impact is greatest for organizations that have built customized cloud-based mobile security tools on the MobSF core.
Impact
Exploitation of this vulnerability can cause complete server disruption, affecting all internal portals and tools hosted on the same server. Additionally, it can crash servers running customized cloud-based mobile security tools that use the MobSF core.
Reproduction
To reproduce this vulnerability, upload a crafted ZIP file that is small in size but expands far beyond the server's available disk space when unzipped. A simple way to build one is to create a text file filled with zero bytes, compress it (optionally together with other files) into a ZIP archive, and upload the archive through the MobSF web interface or API. Because a single DEFLATE layer compresses a zero-filled file at roughly 1000:1, an upload of a few hundred kilobytes is enough to write hundreds of megabytes to disk during extraction.
Remediation
Users are advised to update to MobSF version 4.3.3 or later, where this vulnerability has been patched. As a defense-in-depth measure, check the total uncompressed size of an uploaded ZIP file before extraction by summing the sizes declared in the archive's central directory, and reject archives that exceed a safe threshold, such as 100 MB. Because the declared sizes are attacker-controlled, the same budget should also be enforced on the number of bytes actually written while extracting.
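The following Python script is an added example, not code from MobSF or from the advisory's author. It reproduces the size ratio behind the report (a ZIP whose single entry is a run of zero bytes) and implements the pre-extraction check recommended above, with a second cap on bytes actually inflated. The 100 MiB threshold, the 128 MiB test payload and the entry name `zeros.txt` are assumptions chosen for the demonstration; MobSF's real upload handling and limits are not described on this page.

```python
"""Reproduce the ZIP of Death size ratio and the uncompressed-size budget that
blocks it. Added example; not MobSF's code. All sizes below are assumptions."""
import io
import os
import tempfile
import zipfile

MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024  # assumed 100 MiB budget (advisory's suggestion)
BOMB_UNCOMPRESSED = 128 * 1024 * 1024       # constructed payload, chosen to exceed the budget
CHUNK = 1024 * 1024


class ZipTooLarge(ValueError):
    """Raised when an archive would expand past the configured byte budget."""


def build_zero_filled_zip(uncompressed_bytes: int, name: str = "zeros.txt") -> bytes:
    """Build, in memory, a ZIP whose single entry is `uncompressed_bytes` of NUL bytes.
    This is the advisory's 'text file filled with zeros' step; the entry is streamed
    in chunks so the full payload never has to sit in RAM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        with zf.open(name, "w") as entry:
            zeros = b"\0" * CHUNK
            for _ in range(uncompressed_bytes // CHUNK):
                entry.write(zeros)
            entry.write(b"\0" * (uncompressed_bytes % CHUNK))
    return buf.getvalue()


def declared_uncompressed_size(zip_bytes: bytes) -> int:
    """Total uncompressed size announced in the central directory. Cheap to read
    because nothing is inflated, which is why it belongs before extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sum(info.file_size for info in zf.infolist())


def extract_with_budget(zip_bytes: bytes, dest: str,
                        max_total: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Extract `zip_bytes` into `dest` only if it fits the byte budget.

    Layer 1 rejects on the declared total (the check the advisory asks for).
    Layer 2 counts the bytes actually inflated, so headers that under-report
    their size still cannot push the server past the budget. Returns bytes written.
    """
    declared = declared_uncompressed_size(zip_bytes)
    if declared > max_total:
        raise ZipTooLarge(f"declared uncompressed size {declared} > budget {max_total}")

    dest_real = os.path.realpath(dest)
    written = 0
    created = []  # files we wrote, removed again if the archive is rejected mid-way
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                target = os.path.realpath(os.path.join(dest_real, info.filename))
                # Refuse entries that would land outside dest (zip-slip guard).
                if os.path.commonpath([dest_real, target]) != dest_real:
                    raise ValueError(f"unsafe path in archive: {info.filename!r}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                created.append(target)
                with zf.open(info) as src, open(target, "wb") as dst:
                    while chunk := src.read(CHUNK):
                        written += len(chunk)
                        if written > max_total:
                            raise ZipTooLarge(f"inflated past budget {max_total} during extraction")
                        dst.write(chunk)
    except Exception:
        for path in created:  # leave nothing behind so retries cannot fill the disk
            try:
                os.remove(path)
            except OSError:
                pass
        raise
    return written


def demo() -> dict:
    """Run the reproduction and the mitigation end to end; returns the figures."""
    bomb = build_zero_filled_zip(BOMB_UNCOMPRESSED)
    benign = build_zero_filled_zip(CHUNK)  # 1 MiB entry, well within budget
    result = {"bomb_compressed": len(bomb),
              "bomb_declared": declared_uncompressed_size(bomb),
              "bomb_rejected": False,
              "benign_written": 0}
    with tempfile.TemporaryDirectory() as bomb_dir, tempfile.TemporaryDirectory() as ok_dir:
        try:
            extract_with_budget(bomb, bomb_dir)
        except ZipTooLarge:
            result["bomb_rejected"] = True
        result["benign_written"] = extract_with_budget(benign, ok_dir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the 128 MiB payload compressing to well under 1 MiB, being rejected on the declared size without a single byte inflated, while a 1 MiB benign archive extracts normally. The declared-size check is what stops the attack described here; the per-byte counter and the path guard are the extra checks a reviewer would expect around any server-side extraction.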
