CVE-2019–11380 | How I was able to access complete storage of ES-FileExplorer End user

Bhavesh Thakur
Sep 5 · 2 min read

ES-file explorer was a very popular file manager having more than 30 lac downloads on play store. I found a critical vulnerability Authentication bypass via insecure FTP Activity execution by which an attacker could access complete filesystem of victim’s mobile. ES-FileExplorer was removed from playStore after one month of this finding along with the allegation of click fraud.

ES File Explorer provides various features to its end user like exploring stored files, system files etc. One of its feature was to provide access of filesystem over the network using FTP service.

It also provides a feature by which enduser can set a master password on this application so that other users of mobile or other application can’t use its features. I found that activity .ftp.ESFtpShortcut was responsible to start FTP server over the phone. Even after setting the master password if this activity is invoked using adb activity manager, FTP can be started and complete file system can bee accessed over the network. In the attack scenario any malicious application can perform this activity for attacker. From that FTP url attacker can access all files of local storage from a remote location.

Steps to reproduce:

Set password to the application.

start activity .ftp.ESFtpShortcut with the help of activity manager Command: am start -n
Starting: Intent { }
shell@j7elte:/ $

On mobile notification panel FTP URL is displayed.

Attacker can simply load that URL to any browser and can access all content of local storage including images, camera, downloads etc.

I reported this vulnerability to the application development team and the problem was fixed in v4.

Thanks for reading, Happy Hunting!

Bhavesh Thakur

Written by

Cyber Security Consultant

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade