Google’s Quick Share Vulnerabilities Let Attackers Execute Remote Code

By reverse-engineering Quick Share’s proprietary communication protocol, researchers uncovered multiple vulnerabilities, including unauthorized file writes, forced Wi-Fi connections, directory traversal, and denial-of-service conditions. 

These flaws were chained together to achieve remote code execution on Windows systems with Quick Share installed, bypass file approval dialogs and establish persistent Wi-Fi connections. 

Google addressed these issues with two CVEs: CVE-2024-38271 for the forced Wi-Fi connection and CVE-2024-38272 for the file approval bypass. 

Researchers reverse-engineered Quick Share’s file transfer protocol by hooking underlying communication functions, revealing its binary packet structure. 

OfflineFrame class

The analysis demonstrated that while Quick Share leverages Bluetooth and Wi-Fi, it implements its own application-layer protocol for file transmission, highlighting a potential attack surface for exploitation. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Quick Share’s communication is done by hooking its Read and Write functions within a base class, where all packets are parsed into protobuf-generated OfflineFrame objects. 

To capture and inspect these packets, they developed a DLL that intercepted the Read and Write functions, logging packet contents for protocol analysis, by facilitating a deep understanding of Quick Share’s communication protocol, regardless of the underlying transport mechanisms.  

DLL

It leverages the Nearby Connections API for offline device discovery and communication by employing Protobuf for data serialization and Ukey2 for encryption.

After a peer-to-peer connection is initiated with a Connection Request, devices exchange Ukey2 packets to establish a secure channel. 

Following successful encryption, a connection response is exchanged, marking the end of the standard Nearby Connections protocol, and then assumes control for subsequent data transfers, building upon the established encrypted connection. 

Ukey2 handshake

Quick Share employs Nearby Connections for file transfer, utilizing OfflineFrame packets for various stages.

Initially, devices exchange Paired Key Encryption and Result packets to establish secure communication and enforce device discovery modes. 

Subsequently, the initiator sends an introduction packet, prompting the responder to accept or decline the file transfer.

Upon acceptance, file data is transmitted within Payload Transfer OfflineFrame packets, completing the transfer process. 

Protobuf structure

Researchers employed WinAFL and DynamoRIO to fuzz Quick Share for Windows, leveraging libprotobuf-mutator for efficient protobuf mutation.

To automate file acceptance, they patched Chromium’s auto-accept feature. 

They also optimized fuzzing by creating a session-based harness and eliminating resource-intensive functions, but encountered race conditions due to increased speed.

Ultimately, due to unreproducible crashes, they reverted to the original, slower Quick Share behavior for reliable fuzzing. 

Making the fuzzing process about 20 times faster

According to Safe Breach, fuzzing uncovered multiple non-exploitable crashes in Quick Share, primarily due to unhandled exceptions and assert failures. 

A critical logic vulnerability was identified: the application’s generic architecture allowed bypassing the file transfer acceptance process, enabling unauthorized file transfer to any device regardless of discovery mode settings, potentially leading to data exfiltration or malware distribution. 

It has been identified that there are multiple vulnerabilities in Quick Share, including remote file writes, forced Wi-Fi connections, path traversal, and DoS conditions.

While these issues enabled file manipulation and network redirection, achieving remote code execution proved elusive due to robust security measures.   

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Recent Posts

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s Annual…

6 hours ago

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL Launch…

13 hours ago

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being actively…

14 hours ago

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to solve…

15 hours ago

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and raising…

17 hours ago

Thinkware Cloud APK Vulnerability Allows Code Execution With Elevated Privileges

A critical vulnerability identified as CVE-2024–53614 has been discovered in the Thinkware Cloud APK version…

17 hours ago