Ten security flaws were discovered in Google's Quick Share, a data transfer utility for Android and Windows, that can be combined into a remote code execution (RCE) chain on systems where the software is installed.
“The Quick Share app implements its own application-level communication protocol to support file transfers between nearby compatible devices,” SafeBreach Labs researchers Or Yair and Shmuel Cohen said in a technical report shared with The Hacker News.
“By investigating how the protocol works, we were able to explain and identify logic within the Quick Share Windows application that we can manipulate or bypass.”
The research uncovered 10 vulnerabilities (nine affecting Quick Share for Windows and one affecting Android) that could be turned into an “innovative and unconventional” RCE attack chain to run arbitrary code on Windows hosts. The RCE attack chain is codenamed QuickShell.
The flaws comprise six remote denial-of-service (DoS) flaws, two unauthorized file write bugs (one each in the Android and Windows versions of the software), one directory traversal, and one case of forced Wi-Fi connection.
The issues were resolved in Quick Share version 1.0.1724.0 and later. Google jointly tracks the flaws under the two CVE IDs below:
- CVE-2024-38271 (CVSS Score: 5.9) – Vulnerability that causes a victim to remain connected to a temporary Wi-Fi connection created for sharing
- CVE-2024-38272 (CVSS Score: 7.1) – Vulnerability that allows an attacker to bypass the file acceptance dialog box in Windows
Quick Share, formerly Nearby Share, is a peer-to-peer file sharing utility that allows users to transfer photos, videos, documents, audio files, or entire folders between nearby Android devices, Chromebooks, and Windows desktops and laptops. Both devices must be within 5 m (16 ft) of each other with Bluetooth and Wi-Fi enabled.
In a nutshell, the discovered flaws can be used to remotely write files to devices without permission, force the Windows app to crash, redirect its traffic to an attacker-controlled Wi-Fi access point, and traverse paths to the user's folder.
But more importantly, the researchers found that the ability to force a target device to connect to a different Wi-Fi network and create files in the Downloads folder could be combined to initiate a chain of steps that would eventually lead to remote code execution.
The findings, presented for the first time at DEF CON 32 today, are the culmination of a deeper analysis of the Protobuf-based proprietary protocol and the logic behind the system. They are important not least because they highlight how seemingly innocuous known problems can open the door to successful compromise and can present serious risks when combined with other weaknesses.
“This research exposes the security issues associated with the complexity of a data transfer utility that tries to support so many communication protocols and devices,” SafeBreach Labs said in a statement. “It also highlights the critical security risks that can arise from chaining together seemingly low-risk, known or unpatched vulnerabilities.”