QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share

Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version.

Google’s promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined.

We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn’t done it sooner.

We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user’s folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in the form of a complex chain.

In this talk, we’ll introduce QuickShell – An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We’ll provide an overview about Quick Share’s protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally the RCE chain.

By:
Or Yair | Security Research Team Lead, SafeBreach
Shmuel Cohen | Security Researcher, SafeBreach

Full Abstract and Presentation Materials:
https://www.blackhat.com/asia-25/briefings/schedule/#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874Black HatRead More