By reverse-engineering Quick Share’s proprietary communication protocol, researchers uncovered multiple vulnerabilities, including unauthorized file writes, forced Wi-Fi connections, directory traversal, and denial-of-service conditions. 

These flaws were chained together to achieve remote code execution on Windows systems with Quick Share installed, bypass file approval dialogs and establish persistent Wi-Fi connections. 

Google addressed these issues with two CVEs: CVE-2024-38271 for the forced Wi-Fi connection and CVE-2024-38272 for the file approval bypass. 

Researchers reverse-engineered Quick Share’s file transfer protocol by hooking underlying communication functions, revealing its binary packet structure. 

OfflineFrame class

The analysis demonstrated that while Quick Share leverages Bluetooth and Wi-Fi, it implements its own application-layer protocol for file transmission, highlighting a potential attack surface for exploitation. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Quick Share’s communication is done by hooking its Read and Write functions within a base class, where all packets are parsed into protobuf-generated OfflineFrame objects. 

To capture and inspect these packets, they developed a DLL that intercepted the Read and Write functions, logging packet contents for protocol analysis, by facilitating a deep understanding of Quick Share’s communication protocol, regardless of the underlying transport mechanisms.  

DLL

It leverages the Nearby Connections API for offline device discovery and communication by employing Protobuf for data serialization and Ukey2 for encryption.

After a peer-to-peer connection is initiated with a Connection Request, devices exchange Ukey2 packets to establish a secure channel. 

Following successful encryption, a connection response is exchanged, marking the end of the standard Nearby Connections protocol, and then assumes control for subsequent data transfers, building upon the established encrypted connection. 

Ukey2 handshake

Quick Share employs Nearby Connections for file transfer, utilizing OfflineFrame packets for various stages.

Initially, devices exchange Paired Key Encryption and Result packets to establish secure communication and enforce device discovery modes. 

Subsequently, the initiator sends an introduction packet, prompting the responder to accept or decline the file transfer.

Upon acceptance, file data is transmitted within Payload Transfer OfflineFrame packets, completing the transfer process. 

Protobuf structure

Researchers employed WinAFL and DynamoRIO to fuzz Quick Share for Windows, leveraging libprotobuf-mutator for efficient protobuf mutation.

To automate file acceptance, they patched Chromium’s auto-accept feature. 

They also optimized fuzzing by creating a session-based harness and eliminating resource-intensive functions, but encountered race conditions due to increased speed.

Ultimately, due to unreproducible crashes, they reverted to the original, slower Quick Share behavior for reliable fuzzing. 

Making the fuzzing process about 20 times faster

According to Safe Breach, fuzzing uncovered multiple non-exploitable crashes in Quick Share, primarily due to unhandled exceptions and assert failures. 

A critical logic vulnerability was identified: the application’s generic architecture allowed bypassing the file transfer acceptance process, enabling unauthorized file transfer to any device regardless of discovery mode settings, potentially leading to data exfiltration or malware distribution. 

It has been identified that there are multiple vulnerabilities in Quick Share, including remote file writes, forced Wi-Fi connections, path traversal, and DoS conditions.

While these issues enabled file manipulation and network redirection, achieving remote code execution proved elusive due to robust security measures.   

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Similar Posts