Pierluigi Paganini January 19, 2019

Security expert Robert Baptiste (akaElliot Alderson) discovered a vulnerability (CVE-2019-6447) in the ES File Explorer that potentially expose hundreds of million Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.

The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer

An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

The attack works even if the victim will not actually grant the app any permissions on the Android device.

Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.

With the following Proof Of Concept (POC), you can:

• List all the files in the sdcard in the victim device
• List all the pictures in the victim device
• List all the videos in the victim device
• List all the audio files in the victim device
• List all the apps installed in the victim device
• List all the system apps installed in the victim device
• List all the phone apps installed in the victim device
• List all the apk files stored in the sdcard of the victim device
• List all the apps installed in the victim device
• Get device info of the victim device
• Pull a file from the victim device
• Launch an app of your choice
• Get the icon of an app of your choice

As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.

A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.

ES File Explorer versions up to 4.1.9.7.4 are affected by this MitM flaw.

At the time the ES File Explorer’s development team announced the fix for “the http vulnerability issue,” but there are other bugs to fix.

Pierluigi Paganini

(SecurityAffairs – Liberia, DDoS)

[adrotate banner=”5″] [adrotate banner=”13″]