Vulnerability in ES File Explorer could allow attackers to access users’ mobile device data

• A vulnerability in ES File Explorer could allow attackers to download files from victims’ mobile devices and SD cards, launch apps, and view device information.
• Another vulnerability in ES File Explorer could allow attackers to intercept ES File Explorer’s HTTP network traffic and switch it with their own.

ES File Explorer is a file manager application for Android mobile devices available for download in Google Play Store. This file manager application has been installed over 100,000,000 times and has over 500 million users worldwide.

A security researcher Robert Baptiste recently discovered that a hidden web server was found always running in the background of ES File Explorer application. This vulnerability in ES File Explorer could allow attackers to download files from victims’ Android mobile devices.

Robert Baptiste also known as Elliot Alderson and @fs0c131y on Twitter posted, “With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager. The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone.”

CVE-2019-6447 open port vulnerability

Baptiste explained how the vulnerability (CVE-2019-6447) could allow attackers to get files from users’ mobile devices

• Once the file manager app is installed and launched, it will start a local HTTP server on port 59777 which will stay open until all the background services of ES File Explorer are killed.
• The attacker connected on the same local network can exploit the vulnerability and can remotely download a file from the victim's mobile device and remotely launch an app on the device.
• This does not require users to grant the application any permission. Thus, the attacker connected to the same Wi-Fi network could successfully download files from the victim's device and SD card, launch apps, and view device information.

Man-in-the-Middle flaw

Soon after Baptiste’s disclosure of CVE-2019-6447 vulnerability, another researcher named Lukas Stefanko spotted another local vulnerability in ES File Explorer application.

“Thanks to @fs0c131y research, I found another local vulnerability in ES File Explorer app: Man-in-the-middle attack. #MITM,” Stefanko tweeted.

Stefanko explained that this vulnerability in ES File Explorer could allow attackers to intercept ES File Explorer’s HTTP network traffic and switch it with their own. Attackers connected on the same local network can exploit this Man-In-The-Middle (MitM) security flaw which would allow them to intercept the app's HTTP network traffic and exchange it with their own.

Stefanko disclosed that all ES File Explorer versions up to 4.1.9.7.4 are affected by this Man-In-The-Middle (MitM) vulnerability.

Few more security issues

Robert Baptiste further stated that he found few more security flaws which he will disclose later. However, ES File Explorer's developers stated that fix for the HTTP vulnerability issue is already waiting for approval from Google's review team with an estimated release time of approximately two days.