CVE-2020-35173

9.8 CRITICAL

📋 TL;DR

This vulnerability allows any app on an Android device to start or stop the FTP server in Amaze File Manager without permission. It affects Android users running Amaze File Manager versions before 3.4.2, potentially exposing files to unauthorized access.

💻 Affected Systems

Products:
  • Amaze File Manager
Versions: All versions before 3.4.2
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected versions. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could start the FTP server without user consent, exposing all files accessible by the app to network access, potentially leading to data theft or unauthorized file modifications.

🟠 Likely Case

Malicious apps could silently enable the FTP server, allowing attackers to access files over the network when the device is connected to untrusted networks.

🟢 If Mitigated

With proper intent restrictions, only authorized components can control the FTP server, preventing unauthorized activation.

🌐 Internet-Facing: HIGH - If the FTP server is started, it creates a network service that could be accessed from the internet if the device is on a public network or has port forwarding.
🏢 Internal Only: MEDIUM - Even on internal networks, unauthorized FTP server activation could expose files to other devices on the same network.
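To make the "proper intent restrictions" mentioned above concrete, here is an added manifest example (not Amaze File Manager's own manifest; the receiver class, action strings and permission name are hypothetical placeholders). The first fragment is the pattern that lets any installed app drive the FTP server; the second shows two hardened forms.

```xml
<!-- Added example, not the Amaze project's code. All names below are
     hypothetical placeholders. -->

<!-- WEAK: an exported receiver with an intent-filter and no permission.
     Any app on the device can broadcast ACTION_FTP_START or ACTION_FTP_STOP
     and the receiver acts on it without the user being involved. -->
<receiver
    android:name=".ftp.FtpControlReceiver"
    android:exported="true">
    <intent-filter>
        <action android:name="com.example.filemanager.ftp.ACTION_FTP_START" />
        <action android:name="com.example.filemanager.ftp.ACTION_FTP_STOP" />
    </intent-filter>
</receiver>

<!-- HARDENED, option 1: the receiver is internal to the package.
     Explicit intents from the app's own components (for example its
     notification actions) still reach it; other packages cannot target it. -->
<receiver
    android:name=".ftp.FtpControlReceiver"
    android:exported="false" />

<!-- HARDENED, option 2: only needed if a component outside the package
     genuinely must control the server. A signature-level permission means
     only apps signed with the same certificate can hold it. -->
<permission
    android:name="com.example.filemanager.permission.CONTROL_FTP"
    android:protectionLevel="signature" />

<receiver
    android:name=".ftp.FtpControlReceiver"
    android:exported="true"
    android:permission="com.example.filemanager.permission.CONTROL_FTP">
    <intent-filter>
        <action android:name="com.example.filemanager.ftp.ACTION_FTP_START" />
        <action android:name="com.example.filemanager.ftp.ACTION_FTP_STOP" />
    </intent-filter>
</receiver>
```

To audit a build for this pattern, print the merged manifest of the APK (for example with `apkanalyzer manifest print app.apk`) and look for receivers or services with an intent-filter, `android:exported="true"` and no `android:permission`. Apps targeting Android 12 (API 31) or later must declare `android:exported` explicitly on any component that has an intent-filter, which makes the weak form a visible, reviewable choice.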

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a malicious app to be installed on the same device, which can then send the unprotected intents without user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.2

Vendor Advisory: https://github.com/TeamAmaze/AmazeFileManager/pull/1815

Restart Required: No

Instructions:

1. Open Google Play Store
2. Search for Amaze File Manager
3. Update to version 3.4.2 or later
4. Alternatively, download from GitHub releases

🔧 Temporary Workarounds

Disable FTP Server Feature (Android)

Manually disable the FTP server feature in the app settings to prevent exploitation.

Uninstall Vulnerable Version (Android)

Remove the vulnerable application until the patched version can be installed.

🧯 If You Can't Patch

  • Restrict installation of unknown apps and monitor for suspicious applications
  • Use network segmentation to isolate Android devices from sensitive networks

🔍 How to Verify

Check if Vulnerable:

Check app version in Settings > Apps > Amaze File Manager. If version is below 3.4.2, you are vulnerable.

Check Version:

Not applicable for Android apps via command line. Use device settings or app info.

Verify Fix Applied:

Confirm app version is 3.4.2 or higher in app settings.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected FTP server start/stop events in app logs
  • Network connections to FTP port 2121 from unexpected sources

Network Indicators:

  • Unexpected FTP traffic (port 2121) from Android devices
  • FTP authentication attempts without user initiation

SIEM Query:

Not typically applicable for mobile app vulnerabilities on personal devices
