Tuesday, 4 February 2014

Path Traversal Vulnerability in File Explorer (FX) for Android

# Disclosure Date: 31 Jan 2014
# Author: Keith Makan
# Vendor or Software Link: https://play.google.com/store/apps/details?id=nextapp.fx&hl=en
# Version: 
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools: Drozer, Bash


File Explorer (FX) for Android suffers from a path traversal and android.permission.storage permission leakage vulnerability.


Malicious Android applications with no permissions are capable of leaking the contents of a victim's local file system.

An estimated 500,000 - 1,000,000 installs are currently affected.

Proof of concept:

*Disclaimer* This application may be affected by other vulnerabilities.