Vulnerabilities in Google’s Quick Share data transfer utility could allow threat actors to mount man-in-the-middle (MiTM) attacks and send files to Windows devices without the receiver’s approval, SafeBreach warns.
A peer-to-peer file sharing utility for Android, Chrome, and Windows devices, Quick Share allows users to send files to nearby compatible devices, offering support for communication protocols such as Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC.
Initially developed for Android under the Nearby Share name and released on Windows in July 2023, the utility became Quick Share in January 2024, after Google merged its technology with Samsung’s Quick Share. Google is partnering with LG to have the solution pre-installed on certain Windows devices.
After dissecting the application-layer communication protocol that Quick Share uses for transferring files between devices, SafeBreach discovered 10 vulnerabilities, including issues that allowed them to devise a remote code execution (RCE) attack chain targeting Windows.
The identified defects include two remote unauthorized file write bugs in Quick Share for Windows and Android and eight flaws in Quick Share for Windows: remote forced Wi-Fi connection, remote directory traversal, and six remote denial-of-service (DoS) issues.
The flaws allowed the researchers to write files remotely without approval, force the Windows application to crash, redirect traffic to their own Wi-Fi access point, and traverse paths to the user’s folders, among others.
All vulnerabilities have been addressed and two CVEs were assigned to the bugs, namely CVE-2024-38271 (CVSS score of 5.9) and CVE-2024-38272 (CVSS score of 7.1).
According to SafeBreach, Quick Share’s communication protocol is “extremely generic, full of abstract and base classes and a handler class for each packet type”, which allowed them to bypass the accept file dialog on Windows (CVE-2024-38272).
The researchers did this by sending a file in the introduction packet, without waiting for an ‘accept’ response. The packet was redirected to the right handler and sent to the target device without being first accepted.
“To make things even better, we discovered that this works for any discovery mode. So even if a device is configured to accept files only from the user’s contacts, we could still send a file to the device without requiring acceptance,” SafeBreach explains.
The researchers also discovered that Quick Share can upgrade the connection between devices if necessary and that, if a Wi-Fi HotSpot access point is used as an upgrade, it can be used to sniff traffic from the responder device, because the traffic goes through the initiator’s access point.
By crashing the Quick Share on the responder device after it connected to the Wi-Fi hotspot, SafeBreach was able to achieve a persistent connection to mount an MiTM attack (CVE-2024-38271).
At installation, Quick Share creates a scheduled task that checks every 15 minutes if it is running and launches the application if not, thus allowing the researchers to further exploit it.
SafeBreach used CVE-2024-38271 to create an RCE chain: the MiTM attack allowed them to identify when executable files were downloaded via the browser, and they used the path traversal issue to overwrite the executable with their malicious file.
SafeBreach has published comprehensive technical details on the identified vulnerabilities and also presented the findings at the DEF CON 32 conference.
Related: Details of Atlassian Confluence RCE Vulnerability Disclosed
Related: Fortinet Patches Critical RCE Vulnerability in FortiClientLinux
Related: Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers
Related: Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability
