Saturday, December 7, 2024
HomeCVE/vulnerabilityGoogle's Quick Share Vulnerabilities Let Attackers Execute Remote Code

Google’s Quick Share Vulnerabilities Let Attackers Execute Remote Code

Published on

SIEM as a Service

By reverse-engineering Quick Share’s proprietary communication protocol, researchers uncovered multiple vulnerabilities, including unauthorized file writes, forced Wi-Fi connections, directory traversal, and denial-of-service conditions. 

These flaws were chained together to achieve remote code execution on Windows systems with Quick Share installed, bypass file approval dialogs and establish persistent Wi-Fi connections. 

Google addressed these issues with two CVEs: CVE-2024-38271 for the forced Wi-Fi connection and CVE-2024-38272 for the file approval bypass. 

- Advertisement - SIEM as a Service

Researchers reverse-engineered Quick Share’s file transfer protocol by hooking underlying communication functions, revealing its binary packet structure. 

OfflineFrame class

The analysis demonstrated that while Quick Share leverages Bluetooth and Wi-Fi, it implements its own application-layer protocol for file transmission, highlighting a potential attack surface for exploitation. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Quick Share’s communication is done by hooking its Read and Write functions within a base class, where all packets are parsed into protobuf-generated OfflineFrame objects. 

To capture and inspect these packets, they developed a DLL that intercepted the Read and Write functions, logging packet contents for protocol analysis, by facilitating a deep understanding of Quick Share’s communication protocol, regardless of the underlying transport mechanisms.  

DLL

It leverages the Nearby Connections API for offline device discovery and communication by employing Protobuf for data serialization and Ukey2 for encryption.

After a peer-to-peer connection is initiated with a Connection Request, devices exchange Ukey2 packets to establish a secure channel. 

Following successful encryption, a connection response is exchanged, marking the end of the standard Nearby Connections protocol, and then assumes control for subsequent data transfers, building upon the established encrypted connection. 

Ukey2 handshake

Quick Share employs Nearby Connections for file transfer, utilizing OfflineFrame packets for various stages.

Initially, devices exchange Paired Key Encryption and Result packets to establish secure communication and enforce device discovery modes. 

Subsequently, the initiator sends an introduction packet, prompting the responder to accept or decline the file transfer.

Upon acceptance, file data is transmitted within Payload Transfer OfflineFrame packets, completing the transfer process. 

Protobuf structure

Researchers employed WinAFL and DynamoRIO to fuzz Quick Share for Windows, leveraging libprotobuf-mutator for efficient protobuf mutation.

To automate file acceptance, they patched Chromium’s auto-accept feature. 

They also optimized fuzzing by creating a session-based harness and eliminating resource-intensive functions, but encountered race conditions due to increased speed.

Ultimately, due to unreproducible crashes, they reverted to the original, slower Quick Share behavior for reliable fuzzing. 

Making the fuzzing process about 20 times faster

According to Safe Breach, fuzzing uncovered multiple non-exploitable crashes in Quick Share, primarily due to unhandled exceptions and assert failures. 

A critical logic vulnerability was identified: the application’s generic architecture allowed bypassing the file transfer acceptance process, enabling unauthorized file transfer to any device regardless of discovery mode settings, potentially leading to data exfiltration or malware distribution. 

It has been identified that there are multiple vulnerabilities in Quick Share, including remote file writes, forced Wi-Fi connections, path traversal, and DoS conditions.

While these issues enabled file manipulation and network redirection, achieving remote code execution proved elusive due to robust security measures.   

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...