Security expert Robert Baptiste ( aka Elliot Alderson) discovered a vulnerability (CVE-2019-6447) in the ES File Explorer that potentially expose hundreds of million Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.

With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.

The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN — Elliot Alderson (@fs0c131y) January 16, 2019

The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer

Is the HTTP server killed off once the app is closed, or does it remain running even when the app is closed? — Eivind HM. (@eivind1984) January 16, 2019

If you close the app, the server is still running. You need to kill all the background services of ES File Explorer — Elliot Alderson (@fs0c131y) January 16, 2019

An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/ json data over HTTP.”

The attack works even if the victim will not actually grant the app any permissions on the Android device.

Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.

With the following Proof Of Concept (POC), you can:

List all the files in the sdcard in the victim device

List all the pictures in the victim device

List all the videos in the victim device

List all the audio files in the victim device

List all the apps installed in the victim device

List all the system apps installed in the victim device

List all the phone apps installed in the victim device

List all the apk files stored in the sdcard of the victim device

List all the apps installed in the victim device

Get device info of the victim device

Pull a file from the victim device

Launch an app of your choice

Get the icon of an app of your choice

As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.

Thanks to @fs0c131y research, I found another local vulnerability in ES File Explorer app: Man-in-the-middle attack. #MITM



Attacker connected to the same local network can intercept HTTP traffic and exchange it for his own.https://t.co/5NCHTsyCsk — Lukas Stefanko (@LukasStefanko) January 16, 2019

A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.

ES File Explorer versions up to 4.1.9.7.4 are affected by this MitM flaw.



At the time the ES File Explorer’s development team announced the fix for “the http vulnerability issue,” but there are other bugs to fix.

Pierluigi Paganini

(SecurityAffairs – Liberia, DDoS)

Share this...

Linkedin Reddit Pinterest

Share On