The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.
Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.
The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer
An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.
“The ES File Explorer File Manager application through 220.127.116.11.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.
“This TCP port remains open after the ES application has been launched once, and responds to
The attack works even if the victim will not actually grant the app any permissions on the Android device.
Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.
With the following Proof Of Concept (POC), you can:
As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.
A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.
ES File Explorer versions up to 18.104.22.168.4 are affected by this MitM flaw.
At the time the ES File Explorer’s development team announced the fix for “the
(SecurityAffairs – Liberia, DDoS)