QuickShell
Sharing is caring about an RCE attack chain on Quick Share

Or Yair
Security Research Team Lead at SafeBreach
8 years in Security Research
Past research in Linux, embedded, Android
5 years Windows research

Shmuel Cohen - Contributor
6+ years in Security Industry
Past APT Malware Researcher
4+ years Windows research

Agenda
Why Quick Share
Protocol Overview
Fuzzing
Research Approach Shift + Vulnerability Discovery
RCE Chain
Takeaways
GitHub + Q&A

What is Quick Share?

Why Quick Share?

Quick Share Windows Version

Quick Share Pre-installation
Google: "we're working with leading PC manufacturers like LG to expand Quick Share to Windows PCs as a pre-installed app."

Quick Share Communication Methods
Various communication methods
1st time by Google on Windows

Previous Research
2019 by Daniele Antonioli, Nils Ole Tippenhauer, Kasper Rasmussen: "Nearby Threats: Reversing, Analyzing, and Attacking Google's Nearby Connections on Android"
About Nearby Connections API
Only Android
No CVEs
https://francozappa.github.io/publication/rearby/paper.pdf

Nearby & Chromium Open-Source Repos
Contain part of the code for Quick Share for Windows

New Windows App, New App, New vulns
Windows app will be pre-installed
Various communication methods, Various attack vectors
Google's first Windows app to use these APIs
Some of the code is open-source
No CVEs
Why Quick Share

Research Goal
First RCE in Quick Share

Protocol Investigation
Investigating the "nearby" repo
Finding the communication functions
Send & Recv: Protobuf and Offline Frames

Protobuf and Offline Frames
offline_wire_formats.proto

QuickSniff
1st Tool
Hooking Quick Share to sniff sent and received Offline Frames on Windows

Protocol Overview
Nearby Connections API
Quick Share Implementation

Nearby Connections API
Protobuf Based
Encryption - Google's Uk