{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33545", "tracking": { "current_release_date": "2026-04-01T07:35:20.671843Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33545", "initial_release_date": "2026-03-25T01:00:00.832282Z", "revision_history": [ { "date": "2026-03-25T01:00:00.832282Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-25T01:00:03.746948Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-25T18:36:41.689479Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (19).| Product Identifiers created (20).| Products created (2).| References created (3).| CWES updated (1)." }, { "date": "2026-03-25T18:36:44.851939Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-26T21:27:15.580240Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T21:27:21.698275Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-26T21:39:01.678199Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T21:39:05.838705Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-27T20:56:43.102061Z", "number": "9", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-27T20:56:45.653613Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-27T21:26:01.552221Z", "number": "11", "summary": "Unknown change." }, { "date": "2026-03-28T07:57:45.021935Z", "number": "12", "summary": "References created (1)." }, { "date": "2026-04-01T07:35:15.162226Z", "number": "13", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products created (1)." }, { "date": "2026-04-01T07:35:18.450368Z", "number": "14", "summary": "NCSC Score updated." } ], "status": "interim", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<4.4.6", "product": { "name": "vers:unknown/<4.4.6", "product_id": "CSAFPID-5919301" } } ], "category": "product_name", "name": "Mobile-Security-Framework-MobSF" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/3.2.6", "product": { "name": "vers:unknown/3.2.6", "product_id": "CSAFPID-5466651", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.2.6" } } }, { "category": "product_version_range", "name": "vers:unknown/3.2.7", "product": { "name": "vers:unknown/3.2.7", "product_id": "CSAFPID-5466652", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.2.7" } } }, { "category": "product_version_range", "name": "vers:unknown/3.2.8", "product": { "name": "vers:unknown/3.2.8", "product_id": "CSAFPID-5466653", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.2.8" } } }, { "category": "product_version_range", "name": "vers:unknown/3.2.9", "product": { "name": "vers:unknown/3.2.9", "product_id": "CSAFPID-5466654", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.2.9" } } }, { "category": "product_version_range", "name": "vers:unknown/3.3.3", "product": { "name": "vers:unknown/3.3.3", "product_id": "CSAFPID-5466655", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.3.3" } } }, { "category": "product_version_range", "name": "vers:unknown/3.3.5", "product": { "name": "vers:unknown/3.3.5", "product_id": "CSAFPID-5466656", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.3.5" } } }, { "category": "product_version_range", "name": "vers:unknown/3.4.0", "product": { "name": "vers:unknown/3.4.0", "product_id": "CSAFPID-5466657", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.4.0" } } }, { "category": "product_version_range", "name": "vers:unknown/3.4.3", "product": { "name": "vers:unknown/3.4.3", "product_id": "CSAFPID-5466658", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.4.3" } } }, { "category": "product_version_range", "name": "vers:unknown/3.4.6", "product": { "name": "vers:unknown/3.4.6", "product_id": "CSAFPID-5466659", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.4.6" } } }, { "category": "product_version_range", "name": "vers:unknown/3.5.0", "product": { "name": "vers:unknown/3.5.0", "product_id": "CSAFPID-5466660", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.5.0" } } }, { "category": "product_version_range", "name": "vers:unknown/3.6.0", "product": { "name": "vers:unknown/3.6.0", "product_id": "CSAFPID-5466661", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.6.0" } } }, { "category": "product_version_range", "name": "vers:unknown/3.6.9", "product": { "name": "vers:unknown/3.6.9", "product_id": "CSAFPID-5466662", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.6.9" } } }, { "category": "product_version_range", "name": "vers:unknown/3.7.6", "product": { "name": "vers:unknown/3.7.6", "product_id": "CSAFPID-5466663", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.7.6" } } }, { "category": "product_version_range", "name": "vers:unknown/3.9.7", "product": { "name": "vers:unknown/3.9.7", "product_id": "CSAFPID-5466664", "product_identification_helper": { "purl": "pkg:pypi/mobsf@3.9.7" } } }, { "category": "product_version_range", "name": "vers:unknown/4.1.3", "product": { "name": "vers:unknown/4.1.3", "product_id": "CSAFPID-5466665", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.1.3" } } }, { "category": "product_version_range", "name": "vers:unknown/4.3.0", "product": { "name": "vers:unknown/4.3.0", "product_id": "CSAFPID-5466666", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.3.0" } } }, { "category": "product_version_range", "name": "vers:unknown/4.3.2", "product": { "name": "vers:unknown/4.3.2", "product_id": "CSAFPID-5466667", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.3.2" } } }, { "category": "product_version_range", "name": "vers:unknown/4.4.0", "product": { "name": "vers:unknown/4.4.0", "product_id": "CSAFPID-5466668", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.4.0" } } }, { "category": "product_version_range", "name": "vers:unknown/4.4.2", "product": { "name": "vers:unknown/4.4.2", "product_id": "CSAFPID-5466669", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.4.2" } } }, { "category": "product_version_range", "name": "vers:unknown/4.4.5", "product": { "name": "vers:unknown/4.4.5", "product_id": "CSAFPID-5907991", "product_identification_helper": { "purl": "pkg:pypi/mobsf@4.4.5" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<4.4.6", "product": { "name": "vers:unknown/>=0|<4.4.6", "product_id": "CSAFPID-5907992" } } ], "category": "product_name", "name": "mobsf" } ], "category": "vendor", "name": "MobSF" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<4.4.6", "product": { "name": "vers:unknown/<4.4.6", "product_id": "CSAFPID-5970935" } } ], "category": "product_name", "name": "mobsf" } ], "category": "vendor", "name": "unknown" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33545", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }, "notes": [ { "category": "description", "text": "## Description\n\nMobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping.\n\nThis allows an attacker to:\n\n1. **Cause Denial of Service** -- A malicious table name causes the database viewer to crash, preventing the analyst from viewing ANY data in the SQLite database. A malicious app can use this to hide sensitive data (C2 server URLs, stolen credentials, API keys) from MobSF's analysis.\n\n2. **Achieve SQL Injection** -- The `SELECT * FROM` query on line 557 is provably injectable via `UNION SELECT`, allowing attacker-controlled data to be returned in query results. The current code structure (a `PRAGMA` statement that runs first on line 553) limits the full exploitation chain, but the underlying code is verifiably injectable.\n\n## Root Cause\n\nThe vulnerable code in `mobsf/MobSF/utils.py:542-566`:\n\n```python\ndef read_sqlite(sqlite_file):\n \"\"\"Sqlite Dump - Readable Text.\"\"\"\n table_dict = {}\n try:\n con = sqlite3.connect(sqlite_file)\n cur = con.cursor()\n cur.execute('SELECT name FROM sqlite_master WHERE type=\\'table\\';')\n tables = cur.fetchall()\n for table in tables:\n table_dict[table[0]] = {'head': [], 'data': []}\n cur.execute('PRAGMA table_info(\\'%s\\')' % table) # <-- INJECTION POINT 1\n rows = cur.fetchall()\n for sq_row in rows:\n table_dict[table[0]]['head'].append(sq_row[1])\n cur.execute('SELECT * FROM \\'%s\\'' % table) # <-- INJECTION POINT 2\n rows = cur.fetchall()\n for sq_row in rows:\n tmp_row = []\n for each_row in sq_row:\n tmp_row.append(str(each_row))\n table_dict[table[0]]['data'].append(tmp_row)\n except Exception:\n logger.exception('Reading SQLite db')\n return table_dict\n```\n\n**Lines 553 and 557** use `%` string formatting to interpolate `table` (a tuple from `sqlite_master`) directly into SQL strings. The `table` value is attacker-controlled when the SQLite database originates from a malicious application being analyzed.\n\n## Attack Vector\n\nThe `read_sqlite()` function is called from two locations:\n\n1. **Dynamic Analysis File Viewer** (`mobsf/DynamicAnalyzer/views/common/device.py:64`):\n - Triggered when an analyst clicks to view a `.db` file in device data\n - Applies to both Android and iOS dynamic analysis\n\n2. **iOS Static Analysis File Viewer** (`mobsf/StaticAnalyzer/views/ios/views/view_source.py:123`):\n - Triggered when an analyst clicks to view a `.db` file during iOS static analysis\n\n### Attack Scenario\n\n1. Attacker creates a malicious Android APK (or iOS IPA) containing a SQLite database with a crafted table name in the `assets/` directory\n2. The SQLite database contains a table created with:\n ```sql\n CREATE TABLE \"x' UNION SELECT 'SQL_INJECTION_PROOF'--\" (id INTEGER);\n ```\n3. Security analyst uploads the application to MobSF for analysis\n4. Analyst browses the extracted files and clicks to view the SQLite database\n5. MobSF's `read_sqlite()` reads table names from `sqlite_master`, including the malicious name `x' UNION SELECT 'SQL_INJECTION_PROOF'--`\n6. The table name is interpolated into SQL queries via string formatting:\n - `PRAGMA table_info('x' UNION SELECT 'SQL_INJECTION_PROOF'--')` -- causes syntax error (DoS)\n - `SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'` -- SQL injection (UNION SELECT returns attacker data)\n\n## Impact\n\n### Denial of Service (Confirmed)\n\nWhen the malicious table name is the first table in `sqlite_master` (i.e., created first in the database), the `PRAGMA` statement on line 553 raises a `sqlite3.OperationalError`, which is caught by the outer `try/except`. This causes `read_sqlite()` to return an empty or partial result, preventing the analyst from viewing **any** database content.\n\n**Security impact:** A malicious app author can use this technique to **hide incriminating data** stored in SQLite databases from MobSF's analysis. This directly undermines MobSF's core purpose as a security analysis tool.\n\n### SQL Injection (Confirmed in Isolation)\n\nThe `SELECT * FROM` query on line 557 is demonstrably injectable. When the malicious table name `x' UNION SELECT 'SQL_INJECTION_PROOF'--` is interpolated, the resulting query:\n\n```sql\nSELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'\n```\n\nSuccessfully executes and returns attacker-controlled data via `UNION SELECT`. The `--` comments out the trailing single quote. This is verified by the PoC script.\n\n**Note:** In the current code structure, the `PRAGMA table_info()` statement on line 553 runs before the `SELECT * FROM` on line 557. The PRAGMA fails with a syntax error for injected payloads, which triggers the exception handler before the SELECT can execute. This limits the full exploitation chain. However, the code flaw is real and any future refactoring that changes the execution order or removes the PRAGMA would immediately expose the full SQL injection.\n\n## Proof of Concept\n\n### Files Provided(Gdrive)\n\n| File | Description |\n|------|-------------|\n| `poc_sqlite_injection.py` | Standalone PoC demonstrating the vulnerability |\n| `malicious.db` | Crafted SQLite database (generated by PoC) |\n| `create_malicious_apk.sh` | Script to package the malicious DB into an APK |\n| `malicious_sqli.apk` | Pre-built APK for testing against MobSF |\n\nhttps://drive.google.com/drive/folders/1mNGkFfNowkaZ5J018HFi4IQcnjKaWCym?usp=sharing\n\n\n### Running the PoC\n\n```bash\n# Run the standalone PoC (no MobSF required)\npython3 poc_sqlite_injection.py\n\n# Build the malicious APK (requires Android SDK)\n./create_malicious_apk.sh\n\n# Test against MobSF\n# 1. Start MobSF\n# 2. Upload malicious_sqli.apk\n# 3. Browse extracted files -> click app_data.db\n# 4. Observe: database viewer fails (DoS)\n```\n\n### PoC Output (Abbreviated)\n\n```\n[STEP 2] Running MobSF's read_sqlite() against malicious database...\n [!] EXCEPTION CAUGHT: OperationalError: near \"UNION\": syntax error\n [!] DoS CONFIRMED: read_sqlite() crashed\n\n[STEP 3] Demonstrating SELECT * FROM injection in isolation...\n Query: SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'\n [+] Query executed successfully!\n [+] Results: [('SQL_INJECTION_PROOF',), ('normal_data',)]\n [+] SQL INJECTION CONFIRMED\n\n[STEP 4] Complete DoS (malicious table created first):\n Tables with data: NONE\n [!] COMPLETE DoS CONFIRMED\n```\n\n## Suggested Fix\n\nReplace string formatting with properly quoted identifiers. SQLite uses double quotes for identifiers:\n\n```python\ndef read_sqlite(sqlite_file):\n \"\"\"Sqlite Dump - Readable Text.\"\"\"\n table_dict = {}\n try:\n con = sqlite3.connect(sqlite_file)\n cur = con.cursor()\n cur.execute('SELECT name FROM sqlite_master WHERE type=\\'table\\';')\n tables = cur.fetchall()\n for table in tables:\n table_name = table[0]\n # Properly escape table name as a double-quoted identifier\n safe_name = table_name.replace('\"', '\"\"')\n table_dict[table_name] = {'head': [], 'data': []}\n cur.execute(f'PRAGMA table_info(\"{safe_name}\")')\n rows = cur.fetchall()\n for sq_row in rows:\n table_dict[table_name]['head'].append(sq_row[1])\n cur.execute(f'SELECT * FROM \"{safe_name}\"')\n rows = cur.fetchall()\n for sq_row in rows:\n tmp_row = []\n for each_row in sq_row:\n tmp_row.append(str(each_row))\n table_dict[table_name]['data'].append(tmp_row)\n except Exception:\n logger.exception('Reading SQLite db')\n return table_dict\n```\n\nThis escapes any double quotes within table names by doubling them (`\"` → `\"\"`), which is the standard SQL mechanism for identifier quoting. This prevents breakout from the double-quoted identifier context.\n\n## Resources\n\n- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n- **OWASP SQL Injection**: https://owasp.org/www-community/attacks/SQL_Injection\n- **Affected File**: `mobsf/MobSF/utils.py`, lines 542-566", "title": "github - https://api.github.com/advisories/GHSA-hqjr-43r5-9q58" }, { "category": "description", "text": "## Description\n\nMobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping.\n\nThis allows an attacker to:\n\n1. **Cause Denial of Service** -- A malicious table name causes the database viewer to crash, preventing the analyst from viewing ANY data in the SQLite database. A malicious app can use this to hide sensitive data (C2 server URLs, stolen credentials, API keys) from MobSF's analysis.\n\n2. **Achieve SQL Injection** -- The `SELECT * FROM` query on line 557 is provably injectable via `UNION SELECT`, allowing attacker-controlled data to be returned in query results. The current code structure (a `PRAGMA` statement that runs first on line 553) limits the full exploitation chain, but the underlying code is verifiably injectable.\n\n## Root Cause\n\nThe vulnerable code in `mobsf/MobSF/utils.py:542-566`:\n\n```python\ndef read_sqlite(sqlite_file):\n \"\"\"Sqlite Dump - Readable Text.\"\"\"\n table_dict = {}\n try:\n con = sqlite3.connect(sqlite_file)\n cur = con.cursor()\n cur.execute('SELECT name FROM sqlite_master WHERE type=\\'table\\';')\n tables = cur.fetchall()\n for table in tables:\n table_dict[table[0]] = {'head': [], 'data': []}\n cur.execute('PRAGMA table_info(\\'%s\\')' % table) # <-- INJECTION POINT 1\n rows = cur.fetchall()\n for sq_row in rows:\n table_dict[table[0]]['head'].append(sq_row[1])\n cur.execute('SELECT * FROM \\'%s\\'' % table) # <-- INJECTION POINT 2\n rows = cur.fetchall()\n for sq_row in rows:\n tmp_row = []\n for each_row in sq_row:\n tmp_row.append(str(each_row))\n table_dict[table[0]]['data'].append(tmp_row)\n except Exception:\n logger.exception('Reading SQLite db')\n return table_dict\n```\n\n**Lines 553 and 557** use `%` string formatting to interpolate `table` (a tuple from `sqlite_master`) directly into SQL strings. The `table` value is attacker-controlled when the SQLite database originates from a malicious application being analyzed.\n\n## Attack Vector\n\nThe `read_sqlite()` function is called from two locations:\n\n1. **Dynamic Analysis File Viewer** (`mobsf/DynamicAnalyzer/views/common/device.py:64`):\n - Triggered when an analyst clicks to view a `.db` file in device data\n - Applies to both Android and iOS dynamic analysis\n\n2. **iOS Static Analysis File Viewer** (`mobsf/StaticAnalyzer/views/ios/views/view_source.py:123`):\n - Triggered when an analyst clicks to view a `.db` file during iOS static analysis\n\n### Attack Scenario\n\n1. Attacker creates a malicious Android APK (or iOS IPA) containing a SQLite database with a crafted table name in the `assets/` directory\n2. The SQLite database contains a table created with:\n ```sql\n CREATE TABLE \"x' UNION SELECT 'SQL_INJECTION_PROOF'--\" (id INTEGER);\n ```\n3. Security analyst uploads the application to MobSF for analysis\n4. Analyst browses the extracted files and clicks to view the SQLite database\n5. MobSF's `read_sqlite()` reads table names from `sqlite_master`, including the malicious name `x' UNION SELECT 'SQL_INJECTION_PROOF'--`\n6. The table name is interpolated into SQL queries via string formatting:\n - `PRAGMA table_info('x' UNION SELECT 'SQL_INJECTION_PROOF'--')` -- causes syntax error (DoS)\n - `SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'` -- SQL injection (UNION SELECT returns attacker data)\n\n## Impact\n\n### Denial of Service (Confirmed)\n\nWhen the malicious table name is the first table in `sqlite_master` (i.e., created first in the database), the `PRAGMA` statement on line 553 raises a `sqlite3.OperationalError`, which is caught by the outer `try/except`. This causes `read_sqlite()` to return an empty or partial result, preventing the analyst from viewing **any** database content.\n\n**Security impact:** A malicious app author can use this technique to **hide incriminating data** stored in SQLite databases from MobSF's analysis. This directly undermines MobSF's core purpose as a security analysis tool.\n\n### SQL Injection (Confirmed in Isolation)\n\nThe `SELECT * FROM` query on line 557 is demonstrably injectable. When the malicious table name `x' UNION SELECT 'SQL_INJECTION_PROOF'--` is interpolated, the resulting query:\n\n```sql\nSELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'\n```\n\nSuccessfully executes and returns attacker-controlled data via `UNION SELECT`. The `--` comments out the trailing single quote. This is verified by the PoC script.\n\n**Note:** In the current code structure, the `PRAGMA table_info()` statement on line 553 runs before the `SELECT * FROM` on line 557. The PRAGMA fails with a syntax error for injected payloads, which triggers the exception handler before the SELECT can execute. This limits the full exploitation chain. However, the code flaw is real and any future refactoring that changes the execution order or removes the PRAGMA would immediately expose the full SQL injection.\n\n## Proof of Concept\n\n### Files Provided(Gdrive)\n\n| File | Description |\n|------|-------------|\n| `poc_sqlite_injection.py` | Standalone PoC demonstrating the vulnerability |\n| `malicious.db` | Crafted SQLite database (generated by PoC) |\n| `create_malicious_apk.sh` | Script to package the malicious DB into an APK |\n| `malicious_sqli.apk` | Pre-built APK for testing against MobSF |\n\nhttps://drive.google.com/drive/folders/1mNGkFfNowkaZ5J018HFi4IQcnjKaWCym?usp=sharing\n\n\n### Running the PoC\n\n```bash\n# Run the standalone PoC (no MobSF required)\npython3 poc_sqlite_injection.py\n\n# Build the malicious APK (requires Android SDK)\n./create_malicious_apk.sh\n\n# Test against MobSF\n# 1. Start MobSF\n# 2. Upload malicious_sqli.apk\n# 3. Browse extracted files -> click app_data.db\n# 4. Observe: database viewer fails (DoS)\n```\n\n### PoC Output (Abbreviated)\n\n```\n[STEP 2] Running MobSF's read_sqlite() against malicious database...\n [!] EXCEPTION CAUGHT: OperationalError: near \"UNION\": syntax error\n [!] DoS CONFIRMED: read_sqlite() crashed\n\n[STEP 3] Demonstrating SELECT * FROM injection in isolation...\n Query: SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'\n [+] Query executed successfully!\n [+] Results: [('SQL_INJECTION_PROOF',), ('normal_data',)]\n [+] SQL INJECTION CONFIRMED\n\n[STEP 4] Complete DoS (malicious table created first):\n Tables with data: NONE\n [!] COMPLETE DoS CONFIRMED\n```\n\n## Suggested Fix\n\nReplace string formatting with properly quoted identifiers. SQLite uses double quotes for identifiers:\n\n```python\ndef read_sqlite(sqlite_file):\n \"\"\"Sqlite Dump - Readable Text.\"\"\"\n table_dict = {}\n try:\n con = sqlite3.connect(sqlite_file)\n cur = con.cursor()\n cur.execute('SELECT name FROM sqlite_master WHERE type=\\'table\\';')\n tables = cur.fetchall()\n for table in tables:\n table_name = table[0]\n # Properly escape table name as a double-quoted identifier\n safe_name = table_name.replace('\"', '\"\"')\n table_dict[table_name] = {'head': [], 'data': []}\n cur.execute(f'PRAGMA table_info(\"{safe_name}\")')\n rows = cur.fetchall()\n for sq_row in rows:\n table_dict[table_name]['head'].append(sq_row[1])\n cur.execute(f'SELECT * FROM \"{safe_name}\"')\n rows = cur.fetchall()\n for sq_row in rows:\n tmp_row = []\n for each_row in sq_row:\n tmp_row.append(str(each_row))\n table_dict[table_name]['data'].append(tmp_row)\n except Exception:\n logger.exception('Reading SQLite db')\n return table_dict\n```\n\nThis escapes any double quotes within table names by doubling them (`\"` → `\"\"`), which is the standard SQL mechanism for identifier quoting. This prevents breakout from the double-quoted identifier context.\n\n## Resources\n\n- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n- **OWASP SQL Injection**: https://owasp.org/www-community/attacks/SQL_Injection\n- **Affected File**: `mobsf/MobSF/utils.py`, lines 542-566", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-hqjr-43r5-9q58.json?alt=media" }, { "category": "description", "text": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33545" }, { "category": "description", "text": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33545.json" }, { "category": "description", "text": "Affected versions of the mobsf package are vulnerable to SQL Injection due to unsafe string formatting of SQL queries with attacker-controlled SQLite table names. The read_sqlite() function in mobsf/MobSF/utils.py builds the PRAGMA table_info('%s') and SELECT * FROM '%s' statements using values read from sqlite_master, so crafted table names from a malicious SQLite database are inserted into SQL without proper neutralization or escaping.", "title": "pyupio - https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json" }, { "category": "other", "text": "0.00025", "title": "EPSS" }, { "category": "other", "text": "4.2", "title": "NCSC Score" }, { "category": "other", "text": "The value of the most recent CVSS (V3) score", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to a product by vendor Unknown, Is related to (a version of) an uncommon product, The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5466651", "CSAFPID-5466652", "CSAFPID-5466653", "CSAFPID-5466654", "CSAFPID-5466655", "CSAFPID-5466656", "CSAFPID-5466657", "CSAFPID-5466658", "CSAFPID-5466659", "CSAFPID-5466660", "CSAFPID-5466661", "CSAFPID-5466662", "CSAFPID-5466663", "CSAFPID-5466664", "CSAFPID-5466665", "CSAFPID-5466666", "CSAFPID-5466667", "CSAFPID-5466668", "CSAFPID-5466669", "CSAFPID-5907991", "CSAFPID-5907992", "CSAFPID-5919301", "CSAFPID-5970935" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-hqjr-43r5-9q58" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-hqjr-43r5-9q58.json?alt=media" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33545" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33545.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - pyupio", "url": "https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-hqjr-43r5-9q58" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33545" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5466651", "CSAFPID-5466652", "CSAFPID-5466653", "CSAFPID-5466654", "CSAFPID-5466655", "CSAFPID-5466656", "CSAFPID-5466657", "CSAFPID-5466658", "CSAFPID-5466659", "CSAFPID-5466660", "CSAFPID-5466661", "CSAFPID-5466662", "CSAFPID-5466663", "CSAFPID-5466664", "CSAFPID-5466665", "CSAFPID-5466666", "CSAFPID-5466667", "CSAFPID-5466668", "CSAFPID-5466669", "CSAFPID-5907991", "CSAFPID-5907992", "CSAFPID-5919301", "CSAFPID-5970935" ] } ], "title": "CVE-2026-33545" } ] }