Researcher publishes a vulnerability in the ES File Explorer app that lets attackers read Android device data

Security researcher Robert has published a vulnerability in the ES File Explorer app that allows an attacker on the same network to gather a large amount of data from an Android device. Robert said app versions 4.1.9.5.2 and below are vulnerable.

ES File Explorer (File Manager) is a full-featured file (images, music, movies, documents, apps) manager for both local and networked use. With over 500 million users worldwide, ES File Explorer (File Manager) helps manage your Android phone and files efficiently and effectively, and share files without data cost.

The security researcher explained:

“Every time a user launches the app, an HTTP server is started. This server opens port 59777 locally:

angler:/ # netstat -ap | grep com.estrongs
tcp6 0 0 :::59777 :::* LISTEN 5696/com.estrongs.android.pop

ES File Explorer Open Port Vulnerability

So, an attacker on the same network can send a payload to the victim device and “obtain a lot of juicy information (device info, apps installed, …) about the victim’s phone.”

Robert wrote a POC to demonstrate how he could gather pictures, videos, and app names, and even grab a file from the memory card, all from another device on the same network.

With the following Proof Of Concept (POC), you can:

  • List all the files in the sdcard in the victim device
  • List all the pictures in the victim device
  • List all the videos in the victim device
  • List all the audio files in the victim device
  • List all the apps installed in the victim device
  • List all the system apps installed in the victim device
  • List all the phone apps installed in the victim device
  • List all the apk files stored in the sdcard of the victim device
  • List all the apps installed in the victim device
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice

If you are using ES File Explorer app, please make sure you are on the latest version (4.1.9.7.4).