Security researcher Elliot Alderson announced the discovery of a new vulnerability in ES File Explorer for Android. According to the report, the vulnerability can expose files and information on the device to anyone on the same network once the app has been opened a single time: after launch, ES leaves port 59777 open on the phone, and an attacker who reaches that open port can inject a JSON payload and access the device.
ES was made aware of the issue and released an updated version to the Google Play store, so users should upgrade immediately.
Note that when I reviewed the app on the Google Play store I was surprised to find out that I had it installed as well, and so I quickly updated it. This can be common when dealing with the Android world, especially if you’re a techie like me who likes to try and review various apps. So, when you hear about an issue with any given app, always check to see if it’s on your device if you are not sure.
According to Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), the ES File Explorer ‘Open Port’ vulnerability is far more serious than originally reported.
“The truth is that attackers do not actually need to be on the same network as the victim phone thanks to DNS rebinding,” said Young. “With this attack model, a website loaded on the phone or by any user on the same network can directly interact with the vulnerable HTTP server. This enables a remote attacker to harvest files and system information from vulnerable devices. An attack could be launched through hacked web pages, malicious advertising, or even a tweeted video.”
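The rebinding step Young describes can be blunted at the network's resolver by refusing any answer that points a public hostname at loopback, link-local or private address space, the rule dnsmasq implements with --stop-dns-rebind. The Python below is an added example, not code from the article or from Tripwire; it applies that rule to a constructed resolver log, and the log format and the .corp.example allowlist are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address space a public hostname should never resolve to. An answer landing
# here is the rebinding step: the name a page was loaded from is re-pointed at
# the phone itself or its LAN so the page's scripts can reach a local listener.
REBIND_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed allowlist: split-horizon names that legitimately resolve internally.
INTERNAL_SUFFIXES = (".corp.example",)


def is_rebind_answer(qname: str, answer: str) -> bool:
    """True if resolving `qname` to `answer` should be refused by the resolver."""
    if qname.lower().rstrip(".").endswith(INTERNAL_SUFFIXES):
        return False
    ip = ipaddress.ip_address(answer)
    # ::ffff:127.0.0.1 smuggles a v4 local address past a v4-only check;
    # unwrap IPv4-mapped IPv6 before testing.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in REBIND_NETWORKS)


def filter_resolver_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (qname, answer) pairs a rebind filter would have dropped.

    Constructed log format for this example: '<ts> <qname> <rrtype> <answer>'.
    """
    blocked = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("A", "AAAA"):
            continue
        _ts, qname, _rrtype, answer = parts
        if is_rebind_answer(qname, answer):
            blocked.append((qname, answer))
    return blocked


# Constructed sample: an ad domain first resolves publicly, then rebinds.
SAMPLE_LOG = [
    "2019-01-17T10:00:01 ad-tracker.example A 203.0.113.10",
    "2019-01-17T10:00:31 ad-tracker.example A 127.0.0.1",
    "2019-01-17T10:00:32 ad-tracker.example A 192.168.1.23",
    "2019-01-17T10:00:33 ad-tracker.example AAAA ::ffff:10.0.0.9",
    "2019-01-17T10:00:40 intranet.corp.example A 10.0.0.5",
    "2019-01-17T10:00:41 cdn.example AAAA 2001:db8::1",
]

if __name__ == "__main__":
    for qname, answer in filter_resolver_log(SAMPLE_LOG):
        print(f"blocked rebind: {qname} -> {answer}")
```

Blocking at the resolver protects every device on the network, including a phone whose app has not yet been updated, without touching the phone itself.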
How to harvest information from a device
I had the chance to speak with Young about how files/system information can be harvested from a device, among other security topics.
Scott Matteson: Can you provide an example of how files/system information can be harvested from a device, among other security topics?
Craig Young: Files and device details can be harvested through specialized web requests directed at the phone. The simplest example would be a public Wi-Fi like a café. In this scenario, anyone else on the same Wi-Fi could use a freely available hacking tool to identify phones or tablets connected to the network and running the vulnerable application. The attacker could use this program to list what files and apps are on the device as well as general information about the system.
A more sophisticated attack would be for the attacker to send spam email, IM, and SMS with links to an attack page. Once loaded, the attack page can discover vulnerable devices connected to the same network as whoever opened the attacker’s link. Alternatively, an attacker may implant this malicious content into advertising and pay popular websites to deliver the exploit to visitors.
Scott Matteson: Can data/information from micro-SD cards also be at risk?
Craig Young: The data primarily at risk would be downloaded files as well as pictures and videos made on the device. In most cases, all files on an installed micro-SD card would be accessible to the attacker.
Scott Matteson: Do you recommend users switch to alternative options from ES File Explorer?
Craig Young: Yes. I recommend that all ES File Explorer users discontinue use of the application. Even with the latest update to correct this vulnerability, the application is still listening on the network, and I expect it is only a matter of time before another exploit is discovered. Quite frankly, there is no need for an application like ES File Explorer on a modern Android device anyway.
Scott Matteson: How can a vulnerability of this nature normally be detected?
Craig Young: There is very little in the way of options for detecting these attacks in progress. If an attack has happened in the past, it is highly unlikely that there would be any evidence of the data loss.
Scott Matteson: How can this type of thing be protected against (anti-malware, system logs, etc.)?
Craig Young: Removing the app is the only way to be protected. Although upgrading to the latest version does prevent the currently known attack, there is no reason to trust this application or to expect that a similar flaw will not be discovered. I find it unlikely that any mobile anti-malware software would have protected against this. While there are some firewall applications which may be able to prevent the attack, I am unaware of any such tool that would have protected the user without the user knowing about the vulnerability and applying a special configuration.