QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share

#1706504: QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share - October 16th, 2025

Description:	Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version. Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined. We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn't done it sooner. We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user's folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in the form of a complex chain. In this talk, we'll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We'll provide an overview about Quick Share's protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally the RCE chain. Speaker: Or Yair, Security Research Team Lead, SafeBreach Or Yair is a security research professional with seven years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system's components, though his past work also included research of Linux kernel components and some Android components. Or has already presented his vulnerability and security research discoveries internationally at conferences he spoke at such as Black Hat USA 2023, Black Hat Asia 2024, Black Hat Europe 2022, DEF CON 32 (2024), SecTor 2023, RSAC 2023, Security Fest 2023, CONFidence 2023 & 2024 and more
More info:	https://bh-digital.blackhat.com/free/w_defa9081/

Description:

Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version.

Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined.

We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn't done it sooner.

We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user's folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in the form of a complex chain.

In this talk, we'll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We'll provide an overview about Quick Share's protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally the RCE chain.

Speaker:

Or Yair, Security Research Team Lead, SafeBreach
Or Yair is a security research professional with seven years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system's components, though his past work also included research of Linux kernel components and some Android components. Or has already presented his vulnerability and security research discoveries internationally at conferences he spoke at such as Black Hat USA 2023, Black Hat Asia 2024, Black Hat Europe 2022, DEF CON 32 (2024), SecTor 2023, RSAC 2023, Security Fest 2023, CONFidence 2023 & 2024 and more

More info:

https://bh-digital.blackhat.com/free/w_defa9081/

Date added	Oct. 11, 2025, 8:34 a.m.
Source	Black Hat
Subjects	PodCasts / Webcast / Webinar / eSummit / Virtual Event etc. Remote Code Execution (RCE) Vulnerability
Venue	Oct. 16, 2025, midnight - Oct. 16, 2025, midnight