The patches Google rolled out last year to address vulnerabilities in the Quick Share data transfer utility that could lead to remote code execution (RCE) were incomplete and could easily be bypassed, cybersecurity firm SafeBreach says.
Quick Share was initially developed for Android only, but was later released on Windows and Chrome as well, allowing users to share files with compatible devices nearby over Bluetooth, Wi-Fi, NFC, and other protocols.
In August last year, Safebreach shared details on 10 flaws in Quick Share for Windows that could allow attackers to write files to a target device without a user’s approval, cause crashes, redirect traffic, and perform other malicious actions.
Collectively tracked as CVE-2024-38271 (CVSS score of 5.9) and CVE-2024-38272 (CVSS score of 7.1), the issues were quickly patched by Google to prevent man-in-the-middle (MiTM) attacks that could eventually lead to RCE.
Now, SafeBreach says that the fixes were incomplete, and that the application was still prone to denial-of-service (DoS) and remote unauthorized arbitrary file write attacks.
Quick Share, the security firm says, could be crashed when sending a file containing invalid UTF8 continuation bytes in its name. The initial report showed that a null terminator could be used in the attack, but further investigation after the patch revealed that different invalid UTF8 continuation bytes could be used as well.
More importantly, SafeBreach discovered that the patch for the unauthorized file write – which involved Quick Share to delete the ‘unknown file’ used in the exploit when the transfer session was over – did not resolve the issue.
“This was the critical vulnerability we initially discovered that allowed us to bypass the need for a file-transfer acceptance from the Quick Share user and instead send a file directly to their device without approval,” SafeBreach says.
Google resolved the flaw by having Quick Share delete the ‘unknown file’, but did not consider the possibility that two files with the same ‘payload ID’ would be transferred during the same session. Because of that, the application would delete only the first file to be sent.
“We ran the exact same exploit that we ran for the original vulnerability, but instead sent two PayloadTransfer packets of type FILE. We set different file names and contents for the two packets, but set the payload IDs to be the same,” SafeBreach says.
The bypass, tracked as CVE-2024-10668, was resolved in November 2024. Quick Share for Windows version 1.0.2002.2 contains patches for all vulnerabilities.
Related: VMware Patches Authentication Bypass Flaw in Windows Tools Suite
Related: SonicWall Patches Authentication Bypass Vulnerabilities in Firewalls
Related: Microsoft MFA Bypassed via AuthQuake Attack
Related: Glove Stealer Malware Bypasses Chrome’s App-Bound Encryption
