by Tan Chew Keong
Release Date: 2013-05-31
Summary
A ZIP archive extraction directory traversal vulnerability has been found in ES File Explorer. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses a ZIP archive extraction directory traversal vulnerability in ES File Explorer. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Example 1 - Directory Traversal in ZIP Archive Extraction
When extracting compressed files from a ZIP archive, the ZIP extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user into extracting a specially crafted ZIP archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device, possibly overwriting the user's existing files.
For example, a malicious ZIP archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
Example 2 - Directory Traversal in ES Zip Viewer
When the user views a compressed file within a ZIP archive, the ES ZIP Viewer functionality in ES File Explorer will extract the compressed file into the /sdcard/Android/data/com.estrongs.android.pop/tmp/zip temporary directory. ES ZIP Viewer does not properly sanitise compressed files that have directory traversal sequences in their filenames.
By tricking a user into viewing a compressed file with directory traversal sequences in its filename, an attacker can potentially overwrite known files within the SD card of the user's Android device.
For example, a malicious ZIP archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
When the user views zipPOC.txt using ES ZIP Viewer, it will be temporarily extracted to:
/sdcard/Android/data/com.estrongs.android.pop/tmp/zip/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
This causes it to be written into /mnt/sdcard/DCIM/zipPOC.txt.
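Both examples share one root cause: the extractor joins the entry name onto a destination directory without checking where the joined path actually ends up. The following is an added illustration, not code from the advisory or from ES File Explorer, of the check a safe extractor needs. It builds a constructed in-memory archive whose second entry name mirrors the PoC filename above, resolves every entry against the destination, and refuses any that escapes it.

```python
import io
import os
import tempfile
import zipfile

# Constructed entry name, modelled on the advisory's PoC filename.
TRAVERSAL_NAME = "/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt"

def build_sample_zip():
    """Constructed test data: one benign entry plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign")
        zf.writestr(TRAVERSAL_NAME, "traversal")
    return buf.getvalue()

def resolve_entry(dest_dir, name):
    """Absolute output path for `name`, or None if it would land outside dest_dir."""
    base = os.path.realpath(dest_dir)
    # Strip leading separators so an absolute entry name cannot replace `base`
    # in os.path.join; realpath then collapses any '..' components.
    target = os.path.realpath(os.path.join(base, name.lstrip("/\\")))
    # commonpath (not startswith) so "/out2/x" is not accepted for dest "/out".
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def safe_extract(zip_bytes, dest_dir):
    """Extract entries that stay inside dest_dir; return (written, rejected) names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)   # log/alert on this in production
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def demo():
    """Run safe_extract on the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_zip(), dest)
```

The same resolve-then-compare check applies to the ES ZIP Viewer case: the temporary directory is simply the destination.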
POC / Test Code
Please download the POC ZIP archive here and follow the instructions below.
Instructions for testing Directory Traversal in ZIP Archive Extraction (Example 1):
- Copy the POC ZIP archive into the Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Extract the POC ZIP archive into the Current path.
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/zipPOC.txt.
Hence, by tricking a user into extracting a specially crafted ZIP archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card of the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who knows the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite those photo files.
Instructions for testing Directory Traversal in ES Zip Viewer (Example 2):
- Delete the zipPOC.txt file that appears in the /mnt/sdcard/DCIM/ directory.
- Navigate back to the Download directory and open the POC ZIP archive using the ES ZIP Viewer.
- With the POC ZIP archive open in the ES ZIP Viewer, navigate all the way into the POC ZIP archive until you see the zipPOC.txt file. Open the zipPOC.txt file using ES Note Editor.
- Now, navigate back to the /mnt/sdcard/DCIM/ directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt, instead of into the temporary directory.
Patch / Workaround
Avoid extracting untrusted ZIP archives. Update to version 3.0.4 via Play Store when released.
Disclosure Timeline
2013-05-19 - Vulnerability Discovered.
2013-05-20 - Initial Vendor Notification.
2013-05-21 - Vulnerability Details Sent to Vendor.
2013-05-23 - Asked Vendor for Release Date of Fixed Version (no reply).
2013-05-28 - Asked Vendor for Release Date of Fixed Version (no reply).
2013-05-28 - Vendor replied that vulnerability will be fixed in version 3.0.4.
2013-05-31 - Public Release.