Elliot Alderson @fs0c131y French security researcher. Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, BJP IT Cell and others. Not completely schizophrenic. Not related to USANetwork. Jan. 16, 2019 1 min read

With more than 100,000,000 downloads, ES File Explorer is one of the most famous #Android file managers.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone  https://www.youtube.com/watch?v=z6hfgnPNBRE 

Technically, every time a user launches the app, an HTTP server is started. This server opens port 59777 locally. On this port, an attacker can send a JSON payload to the target.

You can find the proof of concept on this Github repo  https://github.com/fs0c131y/ESFileExplorerOpenPortVuln 

To sum up, an attacker connected on the same local network can remotely:
- get a file from your phone
- list all the apps installed on your phone
- list all your videos, images, audio files

It's worth saying, I'm convinced this "feature" has been implemented by design. Imagine a scenario: I'm Chinese, I have ES File Explorer installed on my phone. I'm on the subway and I used to connect to the public wifi. "The authorities" can use this "feature" against me.

As always, excellent article by @zackwhittaker  https://techcrunch.com/2019/01/16/android-app-es-file-explorer-expose-data/ 

I did a commit to fix a small issue on my script. If you have a problem with the script or have some improvements don't hesitate to contact me or to send a pull request!  https://github.com/fs0c131y/ESFileExplorerOpenPortVuln 

I love the #infosec community! The awesome @LukasStefanko found that ES File Explorer is vulnerable to a MITM attack 😅

Did I tell you that I found 2 other vulnerabilities in ES File Explorer? But I will keep them for another day

I'm a mysterious security researcher 😂
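
A defender-side check for the open port described in the thread (added example, not part of the original thread or the linked PoC repo): it parses text in Linux `/proc/net/tcp` / `/proc/net/tcp6` format, assumed to be captured from a device you own, and reports LISTEN sockets on port 59777 and whether they are bound beyond loopback. The function names and the sample table are constructed for illustration.

```python
"""Find LISTEN sockets on TCP port 59777 in /proc/net/tcp{,6}-format text."""

ES_PORT = 59777        # port named in the thread (0xE981)
TCP_LISTEN = "0A"      # kernel state code for LISTEN

LOOPBACK = {
    "0100007F",                          # 127.0.0.1 (little-endian hex)
    "00000000000000000000000001000000",  # ::1
    "0000000000000000FFFF00000100007F",  # ::ffff:127.0.0.1
}

def find_listeners(proc_net_text, port=ES_PORT):
    """Return [(hex_addr, scope, uid)] for every LISTEN socket on `port`."""
    hits = []
    for line in proc_net_text.splitlines():
        f = line.split()
        # Data rows look like "N: ADDR:PORT ..."; this skips the header row.
        if len(f) < 8 or not f[0][:-1].isdigit() or ":" not in f[1]:
            continue
        addr, _, port_hex = f[1].rpartition(":")
        if f[3].upper() != TCP_LISTEN or int(port_hex, 16) != port:
            continue
        if set(addr) == {"0"}:
            scope = "all-interfaces"      # 0.0.0.0 or ::, reachable from the LAN
        elif addr.upper() in LOOPBACK:
            scope = "loopback"            # only reachable on the device itself
        else:
            scope = "specific-interface"
        hits.append((addr, scope, int(f[7])))   # f[7] is the owning UID
    return hits

def reachable_from_lan(hits):
    """True if any listener is bound to something other than loopback."""
    return any(scope != "loopback" for _, scope, _ in hits)

# Constructed sample table (not real device output).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111
   1: 00000000:E981 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 22222
   2: 0A00A8C0:E981 0500A8C0:C350 01 00000000:00000000 00:00000000 00000000 10123        0 33333
"""

if __name__ == "__main__":
    found = find_listeners(SAMPLE)
    for addr, scope, uid in found:
        print(f"port {ES_PORT} LISTEN addr={addr} scope={scope} uid={uid}")
    print("reachable from LAN:", reachable_from_lan(found))
```

The UID in each hit identifies which installed app owns the socket, which is what you would look up before removing or updating it.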

