SecurityWeek

Several Vulnerabilities Found in Google’s Quick Share Data Transfer Utility

SafeBreach identified 10 vulnerabilities in Google Quick Share and devised a remote code execution chain targeting the file sharing utility for Windows.

Vulnerabilities in Google’s Quick Share data transfer utility could allow threat actors to mount man-in-the-middle (MiTM) attacks and send files to Windows devices without the receiver’s approval, SafeBreach warns.

A peer-to-peer file sharing utility for Android, Chrome, and Windows devices, Quick Share allows users to send files to nearby compatible devices, offering support for communication protocols such as Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC.

Initially developed for Android under the Nearby Share name and released on Windows in July 2023, the utility became Quick Share in January 2024, after Google merged its technology with Samsung’s Quick Share. Google is partnering with LG to have the solution pre-installed on certain Windows devices.

After dissecting the application-layer communication protocol that Quick Share uses for transferring files between devices, SafeBreach discovered 10 vulnerabilities, including issues that allowed them to devise a remote code execution (RCE) attack chain targeting Windows.

The identified defects include two remote unauthorized file write bugs in Quick Share for Windows and Android and eight flaws in Quick Share for Windows: remote forced Wi-Fi connection, remote directory traversal, and six remote denial-of-service (DoS) issues.

The flaws allowed the researchers to write files remotely without approval, force the Windows application to crash, redirect traffic to their own Wi-Fi access point, and traverse paths to the user’s folders, among others.

All vulnerabilities have been addressed and two CVEs were assigned to the bugs, namely CVE-2024-38271 (CVSS score of 5.9) and CVE-2024-38272 (CVSS score of 7.1).

According to SafeBreach, Quick Share’s communication protocol is “extremely generic, full of abstract and base classes and a handler class for each packet type”, which allowed them to bypass the accept file dialog on Windows (CVE-2024-38272).

The researchers did this by sending a file in the introduction packet, without waiting for an ‘accept’ response. The packet was redirected to the right handler and sent to the target device without first being accepted.

“To make things even better, we discovered that this works for any discovery mode. So even if a device is configured to accept files only from the user’s contacts, we could still send a file to the device without requiring acceptance,” SafeBreach explains.
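The class of flaw described above, a handler-per-packet-type dispatcher that never asks whether the session has reached the accepted state, can be shown in a simplified model. This is an added example, not SafeBreach's or Google's code; the packet types, field names and the `Receiver` class are hypothetical, and the sample packets are constructed.

```python
from enum import Enum, auto

class State(Enum):
    CONNECTED = auto()         # transport up, nothing offered yet
    AWAITING_CONSENT = auto()  # introduction received, accept dialog shown
    ACCEPTED = auto()          # user approved this transfer
    REJECTED = auto()          # user declined

# Hypothetical packet types and the only states in which each may be handled.
ALLOWED = {
    "INTRODUCTION": {State.CONNECTED},
    "PAYLOAD": {State.ACCEPTED},
}

class ProtocolError(Exception):
    """Raised when a packet is unknown or arrives in the wrong state."""

class Receiver:
    def __init__(self, enforce_state):
        self.enforce_state = enforce_state
        self.state = State.CONNECTED
        self.written = []  # file names "written to disk" (simulated)
        self.handlers = {"INTRODUCTION": self.on_introduction,
                         "PAYLOAD": self.on_payload}

    def dispatch(self, packet):
        handler = self.handlers.get(packet.get("type"))
        if handler is None:
            raise ProtocolError("unknown packet type")
        # The gate: a handler existing for a type does not make it valid now.
        if self.enforce_state and self.state not in ALLOWED[packet["type"]]:
            raise ProtocolError(f"{packet['type']} rejected in {self.state.name}")
        handler(packet)

    def on_introduction(self, packet):
        self.state = State.AWAITING_CONSENT

    def on_payload(self, packet):
        self.written.append(packet["name"])

    def user_decision(self, accept):
        if self.state is not State.AWAITING_CONSENT:
            raise ProtocolError("no transfer is awaiting consent")
        self.state = State.ACCEPTED if accept else State.REJECTED

# Constructed sample: file data follows the introduction with no accept between.
UNAPPROVED = [{"type": "INTRODUCTION", "files": ["report.pdf"]},
              {"type": "PAYLOAD", "name": "report.pdf", "data": b"%PDF"}]
```

With `enforce_state=False` the payload is written while the session is still awaiting consent; with the gate enabled the same packet is refused until `user_decision(True)` has run, regardless of which discovery mode admitted the peer.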

The researchers also discovered that Quick Share can upgrade the connection between devices if necessary. If a Wi-Fi hotspot access point is used as the upgrade, it can be used to sniff traffic from the responder device, because that traffic goes through the initiator’s access point.

By crashing Quick Share on the responder device after it connected to the Wi-Fi hotspot, SafeBreach was able to achieve a persistent connection and mount an MiTM attack (CVE-2024-38271).

At installation, Quick Share creates a scheduled task that checks every 15 minutes if it is running and launches the application if not, thus allowing the researchers to further exploit it.

SafeBreach used CVE-2024-38271 to create an RCE chain: the MiTM attack allowed them to identify when executable files were downloaded via the browser, and they used the path traversal issue to overwrite the executable with their malicious file.

SafeBreach has published comprehensive technical details on the identified vulnerabilities and also presented the findings at the DEF CON 32 conference.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
