Recent findings from cybersecurity experts reveal a vulnerability in Google’s Quick Share data transfer tool for Windows, which can be manipulated to cause denial-of-service (DoS) issues or transmit files to users’ devices without their consent. This flaw underscores serious security concerns for users relying on this peer-to-peer file-sharing utility.

Categorized as CVE-2024-10668 with a CVSS score of 5.9, this vulnerability is a bypass of two issues initially identified by SafeBreach Labs in August 2024, collectively known as QuickShell. Google addressed this vulnerability in Quick Share for Windows version 1.0.2002.2, following responsible disclosure procedures.

These ten related vulnerabilities were tracked under CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1) and had the potential to create an exploit chain leading to arbitrary code execution on Windows machines. Quick Share allows users to share files, akin to Apple’s AirDrop, across Android devices, Chromebooks, and Windows PCs that are in close proximity.

Further investigation by cybersecurity analysts revealed that two of the vulnerabilities had not been adequately resolved, which still allowed recurring crashes of the application or circumvention of the file transfer acceptance step. Notably, the DoS could be triggered with a file name that begins with an invalid UTF-8 continuation byte rather than with a NULL terminator.

Meanwhile, the initial remediation for the unauthorized file write issue only partially addressed the risk by categorizing transferred files as “unknown” and subsequently eliminating them post-transfer. However, as pointed out by SafeBreach researcher Or Yair, attackers could leverage this by sending two files in a single session, resulting in one file being deleted while the other remains intact in the Downloads directory.

This situation signifies a noteworthy lesson for software developers, emphasizing the importance of diagnosing and rectifying the root causes of vulnerabilities rather than implementing superficial fixes. Yair stated that the implications of this research extend beyond Quick Share, serving as a cautionary tale for the broader software industry.
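To make the root-cause point concrete, here is an added C++ example (not Quick Share's code and not Google's fix) that contrasts a check blocking only a leading NULL byte with one that rejects any file name that is not well-formed UTF-8. The function names, the 255-byte limit and the sample names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// Narrow check (hypothetical): blocks only the one reported input shape.
bool narrow_check(const std::string& name) {
    return !name.empty() && name[0] != '\0';
}

// Root-cause check: the whole name must be well-formed UTF-8 (RFC 3629),
// with no control characters and no path separators. 255 is an assumed limit.
bool is_safe_file_name(const std::string& name) {
    if (name.empty() || name.size() > 255) return false;
    for (std::size_t i = 0; i < name.size();) {
        const std::uint8_t b = static_cast<std::uint8_t>(name[i]);
        std::size_t extra = 0;      // continuation bytes expected
        std::uint32_t cp = b;       // decoded code point
        std::uint32_t min = 0;      // smallest value allowed for this length
        if (b >= 0x80) {
            if ((b & 0xE0) == 0xC0)      { extra = 1; cp = b & 0x1F; min = 0x80; }
            else if ((b & 0xF0) == 0xE0) { extra = 2; cp = b & 0x0F; min = 0x800; }
            else if ((b & 0xF8) == 0xF0) { extra = 3; cp = b & 0x07; min = 0x10000; }
            else return false;  // stray continuation byte or invalid lead byte
        }
        if (name.size() - i <= extra) return false;  // truncated sequence
        for (std::size_t k = 1; k <= extra; ++k) {
            const std::uint8_t c = static_cast<std::uint8_t>(name[i + k]);
            if ((c & 0xC0) != 0x80) return false;    // not a continuation byte
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF) return false;      // overlong / out of range
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;   // UTF-16 surrogate
        if (cp < 0x20 || cp == 0x7F) return false;        // NUL and other controls
        if (cp == '/' || cp == '\\') return false;        // path separators
        i += extra + 1;
    }
    return true;
}

int main() {
    // Constructed sample names, not taken from the research.
    const std::string samples[] = {"report.txt", std::string("\0a.txt", 6),
                                   std::string("\x80") + "report.txt"};
    for (const auto& s : samples)
        std::cout << narrow_check(s) << ' ' << is_safe_file_name(s) << '\n';
    return 0;
}
```

The third sample passes the narrow check but fails the full validation, which is the gap a symptom-level fix leaves open.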

Given the context of these vulnerabilities, various MITRE ATT&CK tactics and techniques may be applicable, particularly concerning initial access strategies and privilege escalation methods that could be employed by adversaries. Effectively understanding and addressing these tactics is crucial for organizations aiming to strengthen their cybersecurity posture.
