Apr 03, 2025 | Ravie Lakshmanan | Data Privacy / Vulnerability

Cybersecurity researchers have disclosed details of a new vulnerability affecting Google's Quick Share, a file transfer utility for Windows. The flaw could be exploited to cause a denial-of-service (DoS) or to send arbitrary files to a target's device without the recipient's approval.

The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the ten original shortcomings that SafeBreach Labs disclosed in August 2024 under the name QuickShell. Following responsible disclosure in August 2024, it has been fixed in Quick Share for Windows version 1.0.2002.2.

Collectively, the ten vulnerabilities (tracked as CVE-2024-38271 with a CVSS score of 5.9 and CVE-2024-38272 with a CVSS score of 7.1) could be fashioned into an exploit chain that could have led to the execution of arbitrary code on Windows hosts.

Quick Share, previously known as Nearby Share, is a peer-to-peer file-sharing utility, similar to Apple’s AirDrop. It allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops when in close physical proximity to each other.

A subsequent analysis by the cybersecurity company found that two of the vulnerabilities had not been adequately fixed. As a result, the application could still be made to crash, or the requirement for the recipient to accept a file transfer request could still be bypassed, so that a file is written directly to the target device without prior approval.

Specifically, the DoS bug could be triggered by using a file name that starts with a different invalid UTF-8 continuation byte (e.g., "\xc5\xff") instead of a file name that begins with a NULL terminator ("\x00").

On the other hand, the initial fix for the unauthorized file write vulnerability involved marking the transferred files as “unknown” and then deleting them from the disk once the file transfer session was completed.

According to Or Yair, a researcher at SafeBreach, this could be circumvented by sending two different files in the same session with the same “payload ID.” This action would cause the application to delete only one of the files, leaving the other intact in the Downloads folder.
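The two root causes described above (an incomplete file name check, and cleanup keyed on a payload ID that can repeat) can be modeled in a few lines. This is an added example, not Quick Share's code: the `Session` class, the `valid_name` helper and the sample payload ID are hypothetical, and the file names are constructed.

```python
import os
import tempfile


def valid_name(raw: bytes) -> bool:
    """Accept only non-empty, strictly valid UTF-8 names without NUL or path separators."""
    try:
        name = raw.decode("utf-8", errors="strict")  # rejects b"\xc5\xff" as a class, not one byte
    except UnicodeDecodeError:
        return False
    return bool(name) and name not in (".", "..") and not any(c in name for c in "\x00/\\")


class Session:
    """Toy receiver: every file is unapproved ("unknown") and must be gone after close()."""

    def __init__(self, downloads: str, hardened: bool):
        self.downloads, self.hardened = downloads, hardened
        self.unknown = {}   # payload_id -> path (flawed bookkeeping: one slot per ID)
        self.written = []   # every path created in this session (hardened bookkeeping)

    def receive(self, payload_id: int, raw_name: bytes, data: bytes) -> bool:
        if self.hardened and (not valid_name(raw_name) or payload_id in self.unknown):
            return False    # refuse malformed names and reused payload IDs up front
        path = os.path.join(self.downloads, raw_name.decode("utf-8", errors="replace"))
        with open(path, "wb") as fh:
            fh.write(data)
        self.unknown[payload_id] = path  # a reused ID silently replaces the earlier entry
        self.written.append(path)
        return True

    def close(self) -> None:
        # Flawed cleanup walks the per-ID map; hardened cleanup walks everything written.
        targets = self.written if self.hardened else list(self.unknown.values())
        for path in targets:
            if os.path.exists(path):
                os.remove(path)


def leftover(hardened: bool) -> list:
    """Constructed session: two files share payload ID 7. Returns what survives cleanup."""
    with tempfile.TemporaryDirectory() as d:
        s = Session(d, hardened)
        s.receive(7, b"a.txt", b"first")
        s.receive(7, b"b.txt", b"second")
        s.close()
        return sorted(os.listdir(d))
```

With `hardened=False` one of the two files outlives the session; with `hardened=True` the duplicate ID is refused and nothing is left behind.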

“While this research focuses specifically on the Quick Share utility, the implications are broader and relevant to the software industry as a whole. It suggests that even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix,” Yair emphasized.
