QuickShell: Sharing is caring about an RCE attack chain on Quick Share

Presented at DEF CON 32 (2024), Aug. 10, 2024, 11:30 a.m. (45 minutes).

Quick Share (formerly Nearby Share) has enabled file sharing on Android for 4 years and expanded to Windows a year ago. Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined. We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logical vulnerabilities, and boy oh boy, we regretted we hadn’t done it sooner. We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user’s folder, and more. However, we desired the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in a form of a complex chain. In this talk, we’ll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We’ll provide an overview about Quick Share’s protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally the RCE chain. [Reference link](https://www.cs.ox.ac.uk/files/10367/ndss19-paper367.pdf)

Presenters:

• Or Yair - Security Research Team Lead at SafeBreach
  Or Yair is a security research professional with six years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system’s components, though his past work also included research of Linux kernel components and some Android components. Or has already presented his vulnerability and security research discoveries internationally at conferences he spoke at such as Black Hat USA 2023, Black Hat Asia 2024, Black Hat Europe 2022, SecTor 2023, RSAC 2023, Security Fest 2023, CONFidence 2023 & 2024 and more
• Shmuel Cohen - Senior Security Researcher at SafeBreach
  Shmuel Cohen is a cybersecurity professional, who has a diverse background. After he pursued a Bachelor of Science degree in Computer Science, he had the privilege of working at CheckPoint, where he spent 1.5 years developing software and another 1.5 years working as a malware security researcher. As his interest grew in vulnerability research, he decided to join SafeBreach, where he has been able to focus his energies on exploring and addressing vulnerabilities in cybersecurity. Shmuel has previously spoken at BlackHat USA 2023, twice at Black Hat Asia 2024, and twice at CONFidence 2024.

Similar Presentations:

• Black Hat USA 2011 / Easy and quick vulnerability hunting in Windows
• DEF CON 29 (2021) / 2021 - Our Journey Back To The Future Of Windows Vulnerabilities and the 0-days we brought back with us
• Black Hat USA 2021 / Exploiting Windows COM/WinRT Services