Security researchers have discovered a critical Arbitrary File Write vulnerability (codenamed AR-Slip) in MobSF version 4.4.0 that allows authenticated users to overwrite arbitrary files on the host filesystem.
The flaw, tracked as GHSA-9gh8-9r95-3fc3 and published by Ajin Abraham on GitHub, is caused by insufficient validation of absolute file names during extraction of statically linked libraries (.a archives).
Users are urged to update to MobSF 4.4.1 immediately to mitigate potential system compromise, data corruption, and integrity attacks.
Vulnerability Overview and Technical Details
MobSF’s static analysis component for iOS loads and parses .a archives using an ar_extract function in shared_func.py.
During extraction, each archive member's filename (held in the variable filtered) is checked only for relative path-traversal patterns (.., %2e%2e, %252e), not for absolute paths.
The code constructs the output path as:
```python
out = Path(dst) / filtered
out.write_bytes(val.read())
```
If filtered begins with a leading slash (e.g., /tmp/pwned.txt), the expression Path(dst) / filtered discards the intended extraction root entirely, because pathlib replaces the left operand whenever the right operand is an absolute path, and the member is written directly to /tmp/pwned.txt.
This allows an attacker to overwrite any file writable by the MobSF process, including critical artifacts like db.sqlite3, configuration files, logs, or static templates.
The extraction is invoked via:
```python
dst = Path(dst) / 'static_objects'
ar_extract(checksum, src, dst.as_posix())
```
Despite the assumption that all files land under the static_objects subdirectory, the absence of a normalization step for absolute paths breaks this guarantee, resulting in an AR-Slip attack through absolute-path substitution.
Attack Scenario and Proof of Concept
An attacker crafts a malicious AR archive containing a member with a header name set to an absolute path—for example, /home/mobsf/.MobSF/db.sqlite3.
After uploading the archive through the web interface, MobSF silently extracts its contents. The malicious entry overwrites the SQLite database used by the application, causing a system malfunction or denial of service.
In one observed case, the overwritten db.sqlite3 triggered a server error in the MobSF UI logging module, demonstrating a direct impact on availability and integrity.
A provided PoC script (PoC_gen.py) automates creation of such an archive by leveraging GNU AR long filename tables, enabling security teams to verify the vulnerability in controlled environments.
The exploit workflow requires only authenticated upload privileges and no elevated system rights beyond those held by the MobSF service account.
Impact, Mitigation, and Remediation
The AR-Slip vulnerability poses severe risks:
- Arbitrary File Overwrite: Unauthorized modification of any file writable by the runtime account (e.g., /tmp, analysis result directories, log files).
- Integrity Distortion: Substitution of analysis artifacts or UI templates, potentially enabling stored XSS or tampering with security reports.
- Service Disruption: Overwriting critical files (e.g., SQLite database) can crash or freeze the MobSF application.
- Privilege Escalation Potential: In misconfigured containers or with excessive privileges, attackers may write to system directories.
To remediate, upgrade MobSF to version 4.4.1, which rejects absolute paths by normalizing each member name and ensuring the resolved extraction path remains within the designated static_objects directory.
As a best practice, all archive extraction routines should implement both path-traversal and absolute-path checks using normalized path comparisons against a root extraction directory.
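The following is an added example, not MobSF's code: it reconstructs the 4.4.0-style join described above beside a hardened join that applies the normalized-containment check this paragraph recommends. Member names and the static_objects root are constructed values; the vulnerable function mirrors only the behaviour the advisory describes.

```python
from pathlib import Path

# Traversal markers the advisory says MobSF 4.4.0 already filtered; the gap
# was that an absolute member name passes this filter untouched.
TRAVERSAL_MARKERS = ("..", "%2e%2e", "%252e")


def vulnerable_join(dst: str, member_name: str) -> Path:
    """Reconstruction of the 4.4.0 join described in the advisory (not MobSF's
    own code): relative traversal is filtered, but pathlib's '/' operator
    silently discards dst when the right-hand operand is absolute."""
    if any(m in member_name.lower() for m in TRAVERSAL_MARKERS):
        raise ValueError(f"traversal marker in member name: {member_name!r}")
    return Path(dst) / member_name


def safe_join(dst: str, member_name: str) -> Path:
    """Hardened join: reject absolute or empty names, then confirm the
    normalized target still lives under the normalized extraction root."""
    root = Path(dst).resolve()
    lowered = member_name.lower()
    if (not member_name
            or member_name.startswith(("/", "\\"))
            or any(m in lowered for m in TRAVERSAL_MARKERS)):
        raise ValueError(f"rejected archive member name: {member_name!r}")
    # resolve() collapses '.' and '..' and follows existing symlinks, so the
    # containment test is made on the path that would actually be written.
    target = (root / member_name).resolve()
    if root not in target.parents:
        raise ValueError(f"member escapes extraction root: {member_name!r}")
    return target


def member_is_contained(dst: str, member_name: str) -> bool:
    """True when safe_join() would accept the member name."""
    try:
        safe_join(dst, member_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed member names; 'static_objects' matches the advisory's subdirectory.
    dst = Path("static_objects").as_posix()
    for name in ("lib/libcrypto.o", "/tmp/pwned.txt", "../../etc/passwd", "%252e%252e/x"):
        try:
            print(f"vulnerable_join -> {vulnerable_join(dst, name)}")
        except ValueError as exc:
            print(f"vulnerable_join rejected: {exc}")
        print(f"safe_join contained? {member_is_contained(dst, name)}")
```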