August 10, 2024Ravie LakshmananVulnerability / Mobile Security

As many as 10 vulnerabilities have been discovered in Google’s Quick Share data transfer utility for Android and Windows that could be crafted to trigger a remote code execution (RCE) chain on systems where the software was installed.

“The Quick Share application implements a proprietary, application-layer communication protocol to support file transfers between nearby compatible devices,” SafeBreach Labs researchers Or Yair and Shmuel Cohen wrote in a technical report shared with The Hacker News.

“By investigating how the protocol works, we were able to identify and manipulate or circumvent the logic within the Quick Share application for Windows.”

The result is the discovery of 10 vulnerabilities – nine affecting Quick Share for Windows and one affecting Android – that can be transformed into an “innovative and unconventional” RCE attack chain to execute arbitrary code on Windows hosts. The RCE attack chain is codenamed FastShell.

The flaws include six Remote Denial-of-Service (DoS) vulnerabilities, two unauthorized file writing bugs each identified in the Android and Windows versions of the software, one directory traversal, and one instance of forced Wi-Fi connection.

The issues have been fixed in Quick Share version 1.0.1724.0 and later. Google collectively maintains the bugs under the two CVE identifiers below:

• CVE-2024-38271 (CVSS Score: 5.9) – A vulnerability that forces a victim to stay connected to a temporary Wi-Fi connection created for sharing

• CVE-2024-38272 (CVSS score: 7.1) – A vulnerability that could allow an attacker to bypass the “Accept File” dialog on Windows

Quick Share, formerly Nearby Share, is a peer-to-peer file-sharing utility that lets users transfer photos, videos, documents, audio files, or entire folders between Android devices, Chromebooks, and Windows desktops and laptops that are located nearby each other. Both devices must be within 5 m (16 feet) of each other and have Bluetooth and Wi-Fi enabled.

In short, the identified flaws can be used to remotely write files to devices without permission, crash the Windows app, redirect traffic to an attacker-controlled Wi-Fi access point, and traverse paths to the user’s folder.

More importantly, the researchers found that the ability to force the target device to connect to a different Wi-Fi network and create files in the Downloads folder could be combined to trigger a chain of steps ultimately leading to remote code execution.

The findings, presented for the first time today at DEF CON 32, are the culmination of a deeper analysis of the proprietary protocol based on Protobuf and the logic underpinning the system. They are important not least because they highlight how seemingly innocuous known issues can open the door to successful compromise and pose serious risks when combined with other flaws.

“This research reveals the security challenges introduced by the complexity of a data transmission tool that attempts to support so many communications protocols and devices,” SafeBreach Labs said in a statement. “It also underscores the critical security risks that can be created by chaining together seemingly low-risk, known, or unpatched vulnerabilities.”