SecTor 2025 | Sharing Is Caring About an RCE Attack Chain on Quick Share

Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version. Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined. We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn't done it sooner. We found 10 vulnerabilities, both in Windows & Android, allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user's folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in the form of a complex chain. In this talk, we'll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We'll provide an overview of Quick Share's protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally, the RCE chain. By: Or Yair | Security Researcher, SafeBreach Presentation Materials Available at: https://ift.tt/SyYzDsH

source https://www.youtube.com/watch?v=mafI9UoxL6A