Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent
Cybersecurity researchers have disclosed details of a new vulnerability impacting Google’s Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval.
The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by SafeBreach Labs in August 2024 under the name QuickShell. It has been addressed in Quick Share for Windows version 1.0.2002.2 following responsible disclosure in August 2024.
A consequence of these 10 vulnerabilities, collectively tracked as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), was that they could have been fashioned into an exploit chain to obtain arbitrary code execution on Windows hosts.
Quick Share (previously Nearby Share) is a peer-to-peer file-sharing utility similar to Apple AirDrop that allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity.
A follow-up analysis by the cybersecurity company found that two of the vulnerabilities were not fixed correctly, once again causing the application to crash or bypass the need for a recipient to accept the file transfer request by directly transmitting a file to the device.
Specifically, the DoS bug could be triggered by using a file name that starts with a different invalid UTF8 continuation byte (e.g., “\xc5\xff”) instead of a file name that begins with a NULL terminator (“\x00”).
On the other hand, the initial fix for the unauthorized file write vulnerability marked such transferred files as “unknown” and deleted them from the disk after the file transfer session was complete.
This, SafeBreach researcher Or Yair said, could be circumvented by sending two different files in the same session with the same “payload ID,” causing the application to delete only one of them, leaving the other intact in the Downloads folder.
“While this research is specific to the Quick Share utility, we believe the implications are relevant to the software industry as a whole and suggest that even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix,” Yair said.
