MobSF SQL Injection Vulnerability in SQLite Database Viewer
Vulnerability
A SQL injection vulnerability exists in MobSF versions prior to 4.4.6. It lies in the 'read_sqlite()' function in 'mobsf/MobSF/utils.py', where the query that dumps each table is built with Python string formatting: the table names read from the SQLite database's 'sqlite_master' table are interpolated directly into the SELECT statement without quoting or escaping. Because a table name is an identifier, it cannot be bound as a query parameter, so a crafted name becomes part of the SQL that MobSF executes. An attacker who controls the database file therefore controls the query: a name that is not a valid bare identifier makes the query fail and crashes the viewer (denial of service), and a name that carries additional SQL changes what the query does (SQL injection).
Impact
Exploitation allows SQL injection: attacker-controlled data is injected into the queries MobSF runs and executed by the database. Note that the queries run against the SQLite file taken from the uploaded app, so the injected SQL executes in that attacker-supplied database rather than in MobSF's own. The more practical effect is denial of service: a crafted table name makes the query raise an error that crashes the database viewer, preventing analysts from accessing any of the database content.
Reproduction
To reproduce this vulnerability, upload a malicious Android APK or iOS IPA that bundles a SQLite database whose 'sqlite_master' table contains a crafted table name. When MobSF analyses the app it invokes 'read_sqlite()' on that database, which reads the crafted name and interpolates it into its query, so the attacker's SQL is executed (or the query errors out and the viewer crashes).
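The vulnerable pattern beside a hardened one, as an added example written for this page; it is not MobSF's own code and not the 4.4.6 patch. It builds a throwaway SQLite file containing two crafted table names (constructed here, not taken from the advisory): one that carries extra SQL and changes the query's result set, and one with an unbalanced double quote that makes the unquoted query fail. 'read_sqlite_vulnerable' mirrors the string-formatting shape the advisory describes; 'read_sqlite_fixed' double-quotes each identifier and doubles any embedded quote, because table names cannot be bound as '?' parameters.

```python
import os
import sqlite3
import tempfile

# Constructed sample table names, not from the advisory. In the real
# scenario they would sit in a SQLite file bundled inside an uploaded APK/IPA.
INJECT_NAME = "t UNION SELECT 'injected' --"  # appends SQL to the viewer's query
CRASH_NAME = 'x"y'                            # unbalanced quote: syntax error


def quote_identifier(name):
    """Quote a SQLite identifier: wrap in double quotes, doubling embedded ones."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db(path, crafted_name):
    """Create a SQLite file with a benign table t plus one crafted-name table."""
    con = sqlite3.connect(path)
    try:
        con.execute("CREATE TABLE t (id INTEGER)")
        con.executemany("INSERT INTO t VALUES (?)", [(1,), (2,)])
        # Creating the table uses proper quoting; the flaw is in how it is read.
        con.execute("CREATE TABLE %s (id INTEGER)" % quote_identifier(crafted_name))
        con.execute("INSERT INTO %s VALUES (99)" % quote_identifier(crafted_name))
        con.commit()
    finally:
        con.close()


def list_tables(con):
    """Table names exactly as the file's sqlite_master reports them."""
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]


def read_sqlite_vulnerable(path):
    """Vulnerable shape: the table name is interpolated straight into the SQL."""
    con = sqlite3.connect(path)
    try:
        tables = {}
        for name in list_tables(con):
            tables[name] = con.execute("SELECT * FROM %s" % name).fetchall()
        return tables
    finally:
        con.close()


def read_sqlite_fixed(path):
    """Hardened shape: the name is still formatted in (identifiers cannot be
    bound as parameters) but only after being quoted and escaped, so whatever
    it contains is parsed as one identifier."""
    con = sqlite3.connect(path)
    try:
        tables = {}
        for name in list_tables(con):
            query = "SELECT * FROM %s" % quote_identifier(name)
            tables[name] = con.execute(query).fetchall()
        return tables
    finally:
        con.close()


def try_read(reader, crafted_name):
    """Build a temporary DB holding crafted_name, read it with `reader`, and
    return either the table dict or the database error as a string (the
    string stands in for the crash an unhandled error causes in a viewer)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path, crafted_name)
        try:
            return reader(path)
        except sqlite3.Error as exc:
            return "error: %s: %s" % (type(exc).__name__, exc)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name in (INJECT_NAME, CRASH_NAME):
        print("table name:", repr(name))
        print("  vulnerable:", try_read(read_sqlite_vulnerable, name))
        print("  fixed:     ", try_read(read_sqlite_fixed, name))
```

With INJECT_NAME the vulnerable reader runs SELECT * FROM t UNION SELECT 'injected' -- and reports rows from t plus the injected literal instead of the crafted table's own row; with CRASH_NAME it raises an OperationalError, which in a viewer that does not catch it ends the request. The fixed reader returns [(99,)] for both names. Quoting is the minimal fix; a stricter option is to only ever query names that were themselves returned by sqlite_master and to catch sqlite3.Error per table so one bad table cannot take the whole viewer down.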
Remediation
Update to MobSF version 4.4.6 or later, which patches this vulnerability.
