How I was able to access complete storage of any ES-FileExplorer end-user
This vulnerability was about as critical as they come: all the personal data stored on your Android device could be stolen with it. I reported the bug to ES-File Explorer and they fixed it in v126.96.36.199.4
Now let me explain the vulnerability in detail. ES-File Explorer is a popular file browser used by millions of users. One very interesting feature of the application is that it can start an FTP server through which you can reach your files by opening a URL, without any authentication. The feature lets the end user access the phone's file system remotely, so anybody who has the FTP link can access the file system. For the sake of security, ES-File Explorer lets the end user set a master password for the application, so the FTP server can only be started by someone who holds the phone and knows the password.
I was a bit curious about how this action is handled by the application, so I started testing it. My first target was to identify the responsible activity. I decompiled the application and went through its AndroidManifest.xml, where I came across an activity named ftp.ESFtp. Now I had the name of the activity responsible for setting up FTP on the end user's phone. I installed the application and set a master password, then tried to launch the ftp.ESFtp activity from adb with the activity manager. I got an access denied error. I tried other activities as well, but got the same error for each of them.
I was about to give up on this application, but decided to analyse the decompiled binaries too. Right there in the manifest I noticed another activity, named .ftp.ESFtpShortcut, and immediately tried to start it.
This time it worked: the activity started even though the owner had set a master password.
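The manifest triage described above (find every activity, work out which ones an outside caller can start, and try them from adb) can be scripted. The following Python is an added example, not the author's tooling and not ES-File Explorer's code. The manifest embedded in it is constructed to mirror the story: one activity that refuses to start from outside the app and one that starts anyway. The package name com.example.filemanager, the attribute values and the extra activities are assumptions and are not taken from the real APK.

```python
"""List activities any other app (or `adb shell am start`) can launch.

Added example, not ES-File Explorer's code. The manifest below is constructed;
the package name and attribute values are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: ftp.ESFtp is not exported (an outside caller gets a
# permission denial), ftp.ESFtpShortcut has an intent-filter and no explicit
# android:exported, which made it exported by default before targetSdk 31.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <application>
    <activity android:name=".ftp.ESFtp" android:exported="false"/>
    <activity android:name=".ftp.ESFtpShortcut">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"
        android:permission="com.example.filemanager.ADMIN"/>
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def launchable_activities(manifest_xml):
    """Return dicts for every activity that is exported to other apps.

    Platform rules applied here:
    - android:exported="true"  -> exported
    - android:exported="false" -> not exported
    - attribute absent         -> exported only if an <intent-filter> is present
      (the pre-Android-12 default; from targetSdk 31 the attribute is mandatory
      whenever an intent-filter exists)
    An exported activity that sets android:permission is still listed, but the
    caller must hold that permission, so it is reported in the "permission" key.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for act in root.iter("activity"):
        name = _attr(act, "name")
        if name is None:
            continue
        fq_name = package + name if name.startswith(".") else name
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "no android:exported but has <intent-filter> (exported by default before targetSdk 31)"
        else:
            continue
        found.append({
            "package": package,
            "name": fq_name,
            "reason": reason,
            "permission": _attr(act, "permission"),
        })
    return found


def adb_start_commands(manifest_xml):
    """Build `adb shell am start` lines for exported activities with no permission guard.

    These are the candidates worth trying with a master password set: if one of
    them starts, the in-app password is not protecting it.
    """
    return [
        f"adb shell am start -n {a['package']}/{a['name']}"
        for a in launchable_activities(manifest_xml)
        if a["permission"] is None
    ]


if __name__ == "__main__":
    for a in launchable_activities(SAMPLE_MANIFEST):
        guard = a["permission"] or "none"
        print(f"{a['name']}: {a['reason']} (permission guard: {guard})")
    print()
    print("\n".join(adb_start_commands(SAMPLE_MANIFEST)))
```

To run this against a real app, pull the APK with `adb shell pm path <package>` followed by `adb pull`, decode it with apktool, and feed the resulting AndroidManifest.xml to `launchable_activities`. The point the script makes explicit is the one the post stumbled on: an in-app master password is an application-level check, and it does nothing for an activity that the platform itself exports to every other app on the device.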
The notification showed the message below:
And when I opened the same URL from my laptop, I had full access to my phone's file system.
I verified the vulnerability on other Android versions as well. In a real-world scenario, any malicious application installed on the device could invoke that vulnerable activity and let an attacker steal the end user's personal data. I submitted the vulnerability to the ES-File Explorer team. They acknowledged it as a high-priority bug and fixed it in their next version.
Thank you for taking the time to read my first Medium post.