The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.
Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
— Baptiste Robert (@fs0c131y) January 16, 2019
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer
Is the HTTP server killed off once the app is closed, or does it remain running even when the app is closed?
— Eivind HM. — eivind1984.bsky.social (@eivind1984) January 16, 2019
If you close the app, the server is still running. You need to kill all the background services of ES File Explorer
— Baptiste Robert (@fs0c131y) January 16, 2019
An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.
“The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.
“This TCP port remains open after the ES application has been launched once, and responds to
The attack works even if the victim will not actually grant the app any permissions on the Android device.
Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.
With the following Proof Of Concept (POC), you can:
As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.
Thanks to @fs0c131y research, I found another local vulnerability in ES File Explorer app: Man-in-the-middle attack. #MITM
— Lukas Stefanko (@LukasStefanko) January 16, 2019
Attacker connected to the same local network can intercept HTTP traffic and exchange it for his own.https://t.co/5NCHTsyCsk
A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.
ES File Explorer versions up to 4.1.9.7.4 are affected by this MitM flaw.
At the time the ES File Explorer’s development team announced the fix for “the
Fix is on they way! #ESFileExplorer pic.twitter.com/ceCChhSFTf
— Lukas Stefanko (@LukasStefanko) January 17, 2019
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Liberia, DDoS)
[adrotate banner=”5″] [adrotate banner=”13″]