ES File Explorer was a very popular file manager with more than 30 lakh (3 million) downloads on the Play Store. I found a critical vulnerability, an authentication bypass via insecure execution of the FTP activity, by which an attacker could access the complete filesystem of the victim's phone. ES File Explorer was removed from the Play Store one month after this finding, alongside allegations of click fraud.

ES File Explorer provides various features to its end user, such as browsing stored files and system files. One of its features is to expose the filesystem over the network through an FTP service.

It also provides a feature by which the end user can set a master password on the application so that other users of the phone, or other applications, cannot use its features. I found that the activity .ftp.ESFtpShortcut was responsible for starting the FTP server on the phone. Even after the master password is set, if this activity is invoked through the adb activity manager, the FTP server starts and the complete filesystem can be accessed over the network. In the attack scenario, any malicious application installed on the phone can launch this activity on the attacker's behalf. From the resulting FTP URL, the attacker can access all files on local storage from a remote location.

Steps to reproduce:

1. Set a master password in the application.

2. Start the activity .ftp.ESFtpShortcut with the activity manager:

   am start -n com.estrongs.android.pop/.ftp.ESFtpShortcut

Output:

Starting: Intent { cmp=com.estrongs.android.pop/.ftp.ESFtpShortcut }

shell@j7elte:/ $

3. The FTP URL is displayed in the phone's notification panel.

4. The attacker can simply load that URL in any browser and access all content of local storage, including images, camera photos, downloads, etc.
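The root cause here is a privileged action (starting the FTP server) living behind an activity that other apps and adb can launch directly, with no check of the app's own master password. A defender reviewing an APK wants to find such components before an attacker does. The script below is an added example written for this post, not code from ES File Explorer or its developers: it parses an AndroidManifest.xml and lists every activity that is reachable from outside the app (explicitly exported, or implicitly exported because it declares an intent-filter, which was the default before API 31) and that is not guarded by an android:permission attribute. The manifest embedded in it is constructed for illustration; the package name and the .ftp.ESFtpShortcut activity name come from this post, but the intent-filter and the other activity names are assumptions, not the app's real manifest. Any component the audit flags still needs the app's own authentication check (here, the master password) inside the component, since a manifest permission alone does not cover the case where the app intentionally exports it.

```python
"""Audit an AndroidManifest.xml for activities that other apps (or adb) can launch.

Added example, not part of the original write-up. The sample manifest below is
constructed: only the package name and .ftp.ESFtpShortcut come from the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Apply Android's exporting rules to an <activity> or <activity-alias>.

    An explicit android:exported wins; otherwise the pre-API-31 default applies:
    a component with at least one <intent-filter> is exported.
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return one finding per externally reachable activity.

    Each finding records the fully qualified component name and whether a
    manifest-level android:permission guards it.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for component in app.iter():
        if component.tag not in ("activity", "activity-alias"):
            continue
        name = _attr(component, "name") or ""
        if name.startswith("."):  # shorthand relative to the package
            name = package + name
        if not is_exported(component):
            continue
        permission = _attr(component, "permission")
        findings.append({
            "component": name,
            "guarded_by_permission": permission is not None,
            "permission": permission,
        })
    return findings


def unguarded_exported_activities(manifest_xml):
    """Names of exported activities with no android:permission at all."""
    return [f["component"] for f in audit_manifest(manifest_xml)
            if not f["guarded_by_permission"]]


# Constructed sample manifest (assumption: ESFtpShortcut is exported through a
# shortcut intent-filter; the other activities are invented for the example).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.estrongs.android.pop">
  <application>
    <activity android:name=".app.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ftp.ESFtpShortcut">
      <intent-filter>
        <action android:name="android.intent.action.CREATE_SHORTCUT"/>
      </intent-filter>
    </activity>
    <activity android:name=".ftp.FtpSettingsActivity" android:exported="false"/>
    <activity android:name=".app.ShareActivity" android:exported="true"
              android:permission="com.estrongs.android.pop.permission.SHARE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        guard = finding["permission"] or "NONE"
        print(f"{finding['component']}: exported, permission={guard}")
```

The launcher activity is expected to show up in the report: every exported component is a trust boundary, and the audit's job is to produce the list for triage, not to decide which entries are acceptable. The practical question for each one is whether the code behind it re-checks the app's own authentication state before doing anything privileged.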

I reported this vulnerability to the application development team and the problem was fixed in v4.2.0.1.4.

Thanks for reading, Happy Hunting!