Investigative Team Reveals 10 Defects in Google’s File Transfer Tool Quick Share
A total of 10 security weaknesses have been unveiled in Google’s Quick Share data transfer utility for Android and Windows which could be utilized to initiate a chain for remote code execution (RCE) on systems with the software installed.
“The application Quick Share utilizes a proprietary communication protocol to facilitate file transfers between nearby, compatible devices,” researchers Or Yair and Shmuel Cohen from SafeBreach Labs explained in a detailed report shared with The Hacker News.
“Through an examination of the protocol’s operations, we managed to fuzz and pinpoint logic within the Quick Share application for Windows that we could alter or circumvent.”
The outcome is the identification of 10 vulnerabilities – nine affecting the Windows version of Quick Share and one affecting Android – that could be molded into an “innovative and unconventional” RCE chain to execute arbitrary code on Windows machines. This RCE sequence is now known as QuickShell.
The drawbacks consist of six remote denial-of-service (DoS) vulnerabilities, two unauthorized files write vulnerabilities each discovered in the Android and Windows editions of the tool, one directory traversal issue, and one incident of forced connection to a Wi-Fi network.
These concerns have been rectified in Quick Share version 1.0.1724.0 and onwards. Google is tracking these vulnerabilities collectively under the following two CVE identifiers –
- CVE-2024-38271 (CVSS score: 5.9) – A flaw that compels a user to remain connected to a temporary Wi-Fi network set up for sharing purposes
- CVE-2024-38272 (CVSS score: 7.1) – A vulnerability enabling an attacker to bypass the file acceptance dialog on Windows
Quick Share, previously known as Nearby Share, is a platform for peer-to-peer file transfers enabling users to send photos, videos, documents, audio files, or entire folders between Android devices, Chromebooks, and Windows PCs in close vicinity. Both devices must be within a range of 5 m (16 feet) with Bluetooth and Wi-Fi turned on.
To summarize, the identified defects could be exploited to remotely write files onto devices without authorization, cause the Windows application to crash, redirect its data flow to a Wi-Fi access point managed by an attacker, and traverse through paths to access the user’s directory.
Of particular significance, the research team discovered that compelling the target device to connect to a different Wi-Fi network and creating files in the Downloads directory could be merged to initiate a sequence of actions which ultimately result in remote code execution.
The discoveries, first unveiled at DEF CON 32 today, are a product of an in-depth analysis of the Protobuf-based proprietary protocol and the foundational logic of the system. These findings are noteworthy not only due to their ability to expose the inherent risks posed when combining seemingly innocuous known issues into a successful breach, but they also underscore the critical security vulnerabilities that can arise by chaining together vulnerabilities deemed low-risk, known, or unresolved.
“This research brings to light the security hurdles posed by the intricate nature of a data transfer tool attempting to support a multitude of communication protocols and devices,” stated SafeBreach Labs. “It further underscores the significant security risks that can emerge by chaining together vulnerabilities that may initially appear low-risk, known, or unresolved.”
About Author
