Discover how researchers exploited vulnerabilities in Google’s Quick Share to achieve remote code execution (RCE). Learn about the “QuickShell” attack chain and the critical security risks posed by this popular file-sharing app.
A groundbreaking presentation at Defcon 32 has revealed critical flaws in Google’s Quick Share, a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. Quick Share boasts impressive versatility, utilizing Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC to facilitate peer-to-peer file transfers however, these protocols are not designed for file transfers but rather to establish stable device connections for communication purposes.
Security researchers Or Yair and Shmuel Cohen from SafeBreach have discovered a chain of vulnerabilities that can be exploited to achieve Remote Code Execution (RCE) on Windows systems, allowing attackers to bypass security controls and execute arbitrary code on target devices.
Researchers studied the Protobuf-based protocol, built tools for communication with Quick Share devices, and leveraging a custom-built fuzzer they uncovered ten vulnerabilities in both the Windows and Android versions of the application. These vulnerabilities weren’t mere annoyances; they opened a backdoor for attackers. The researchers could exploit them to:
- Force File Downloads: Bypass user approval and write malicious files directly onto a target device.
- Hijack Wi-Fi Connections: Redirect a target device’s Wi-Fi traffic to a malicious access point controlled by the attacker.
The most troubling however was the RCE attack chain on Windows, which they have dubbed QuickShell. This resulted from combining 5 out of 10 vulnerabilities in Quick Share, highlighting the ease with which they could escalate privileges from a seemingly benign file-sharing application to full system control.
The core of the attack involved combining multiple vulnerabilities to bypass security measures and execute malicious code. Essentially, they transformed a file-sharing app into a tool for complete system control.
Google has acknowledged the severity of the issue by assigning CVEs to two of the vulnerabilities: CVE-2024-38271 for a forced persistent Wi-Fi connection exploit and CVE-2024-38272 for a file approval dialogue bypass.
“We greatly appreciate research from the security community that helps keep our users safe. We have deployed fixes for all of the reported vulnerabilities. To our knowledge, these vulnerabilities have not been exploited in the wild. No action is required by Quick Share users. The fixes will be automatically applied,” Google’s statement read.
However, the broader implications of the QuickShell attack chain remain a significant concern. The research highlights the security challenges of a data-transfer utility that supports multiple communication protocols and devices, and the critical risks of chaining seemingly low-risk, known, or unfixed vulnerabilities together. Quick Share needs to implement its own application-layer communication protocol over existing protocols to prevent such issues.
RELATED TOPICS
- White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom
- Google Patches Critical Chrome Vulnerability and Additional Flaws
- Google issues patches for Chrome flaw for Windows, Mac and Linux
- Google Workspace Flaw Allowed Hackers to Access 3rd-Party Services
- Google shares details of unpatched Windows AppContainer vulnerability
