Google has rolled out a second fix for vulnerabilities in its Quick Share for Windows utility that initially went unpatched, according to cybersecurity firm SafeBreach. The earlier fixes introduced last year failed to address all security flaws, leaving the system still vulnerable to attacks.
Quick Share, initially developed for Android, was expanded to Windows and Chrome to enable file sharing between devices via Bluetooth, Wi-Fi, NFC, and other protocols. In August, SafeBreach reported 10 flaws in Quick Share for Windows, which could be exploited to perform remote code execution (RCE), unauthorized file transfers, crashes, and traffic redirection.
The vulnerabilities, tracked under CVE-2024-38271 (CVSS score 5.9) and CVE-2024-38272 (CVSS score 7.1), were patched quickly by Google to mitigate man-in-the-middle (MiTM) attacks. However, SafeBreach has now revealed that these patches were incomplete, as Quick Share remained vulnerable to Denial-of-Service (DoS) and unauthorized file write attacks.
A major issue discovered after the initial fix is that Quick Share could still crash when transferring files with invalid UTF8 continuation bytes in the file name. While the first report pointed to a null terminator in the file name as a trigger for the flaw, further research indicated that other invalid UTF8 continuation bytes could also exploit the issue.
The critical flaw allowing unauthorized file writes was only partially addressed by the patch. The flaw involved Quick Share deleting an ‘unknown file’ at the end of a transfer session to block the exploit. However, the fix failed to account for the possibility of two files with the same payload ID being transferred in the same session. This led to only the first file being deleted, enabling attackers to bypass the patch.
SafeBreach demonstrated the flaw by sending two PayloadTransfer packets with different file names and contents but the same payload ID. This exploitation method led to a bypass of the original patch.
The vulnerability, tracked as CVE-2024-10668, was resolved with the release of Quick Share for Windows version 1.0.2002.2 in November 2024. The new update addresses all identified vulnerabilities and prevents future exploits.
