By reverse-engineering Quick Share's proprietary communication protocol, researchers uncovered multiple vulnerabilities, including unauthorized file writes, forced Wi-Fi connections, directory traversal, and denial-of-service conditions. These flaws were chained together to achieve remote code execution on Windows systems with Quick Share installed, to bypass the file approval dialog, and to establish persistent Wi-Fi connections. Google addressed the issues under two CVEs: CVE-2024-38271 for the forced Wi-Fi connection and CVE-2024-38272 for the file approval bypass.

Quick Share is built on the Nearby Connections API for offline device discovery and communication. It uses Protobuf for data serialization and Ukey2 to establish the encrypted channel. Although the transport is Bluetooth or Wi-Fi, the file transfer itself runs over Quick Share's own application-layer protocol, and that protocol is the attack surface the researchers targeted.

To reverse-engineer the protocol, the researchers hooked the Read and Write functions of a base class through which all transports pass; every packet that crosses that boundary is parsed into a protobuf-generated OfflineFrame object, which exposed the binary packet structure.

(Figure: OfflineFrame class)

They then wrote a DLL that intercepts those Read and Write calls and logs each packet's contents. Because the hook sits above the transport layer, the captured traffic is the same regardless of whether it travelled over Bluetooth or Wi-Fi, which gave a complete view of the protocol for analysis.

(Figure: DLL)
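The kind of decoder one needs once packets are being logged from such a hook, written here as an added example and not code from the researchers or from Google: it walks the raw protobuf wire format of a captured OfflineFrame without needing the .proto file or a protobuf library, which is how a first look at an undocumented binary protocol usually starts. Field numbers and enum values are assumed from the public offline_wire_formats.proto in the google/nearby repository (OfflineFrame.version = 1, OfflineFrame.v1 = 2; V1Frame.type = 1, V1Frame.connection_request = 2; ConnectionRequestFrame.endpoint_id = 1, endpoint_name = 2), the 4-byte big-endian length prefix between frames is an assumption about the stream framing, and the sample bytes are constructed inline for the test rather than captured from a real device.

```python
"""Decode Nearby Connections OfflineFrame packets straight from the protobuf wire format.

Added example, not the researchers' tooling. Field numbers, enum values and the
4-byte big-endian length prefix are assumptions taken from the public
offline_wire_formats.proto; verify them against the frames your hook logs.
"""
import struct

# Assumed V1Frame.FrameType values (offline_wire_formats.proto).
FRAME_TYPES = {
    0: "UNKNOWN_FRAME_TYPE", 1: "CONNECTION_REQUEST", 2: "CONNECTION_RESPONSE",
    3: "PAYLOAD_TRANSFER", 4: "BANDWIDTH_UPGRADE_NEGOTIATION", 5: "KEEP_ALIVE",
    6: "DISCONNECTION", 7: "PAIRED_KEY_ENCRYPTION",
}


def read_varint(buf, pos):
    """Decode one base-128 varint at buf[pos]; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def parse_message(buf):
    """Generic protobuf walk: {field_number: [raw values]} with no schema required.

    Nested messages come back as bytes; call parse_message on them again.
    """
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:                                   # varint
            val, pos = read_varint(buf, pos)
        elif wire == 1:                                 # 64-bit fixed
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            val = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire == 2:                                 # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            val = bytes(buf[pos:pos + length])
            pos += length
        elif wire == 5:                                 # 32-bit fixed
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            val = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire} for field {field}")
        fields.setdefault(field, []).append(val)
    return fields


def decode_offline_frame(frame):
    """Pull the fields an analyst wants first out of one serialized OfflineFrame."""
    top = parse_message(frame)
    out = {"version": top.get(1, [0])[0], "type": "MISSING_V1"}
    if 2 not in top:
        return out
    v1 = parse_message(top[2][0])
    frame_type = v1.get(1, [0])[0]
    out["type"] = FRAME_TYPES.get(frame_type, f"UNKNOWN({frame_type})")
    if frame_type == 1 and 2 in v1:                     # CONNECTION_REQUEST payload
        req = parse_message(v1[2][0])
        out["endpoint_id"] = req.get(1, [b""])[0].decode("utf-8", "replace")
        out["endpoint_name"] = req.get(2, [b""])[0].decode("utf-8", "replace")
    return out


def decode_stream(stream):
    """Split a logged byte stream on the assumed 4-byte big-endian length prefix."""
    frames, pos = [], 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", stream, pos)
        pos += 4
        if pos + length > len(stream):
            raise ValueError("truncated frame body")
        frames.append(decode_offline_frame(stream[pos:pos + length]))
        pos += length
    return frames


# --- constructed sample stream (not captured traffic) ---------------------------
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _enc_varint(num, val):
    return _varint((num << 3) | 0) + _varint(val)


def _enc_bytes(num, data):
    return _varint((num << 3) | 2) + _varint(len(data)) + data


_conn_req = _enc_bytes(1, b"ABCD") + _enc_bytes(2, "Pixel 8".encode())
_v1_req = _enc_varint(1, 1) + _enc_bytes(2, _conn_req)
_frame_req = _enc_varint(1, 1) + _enc_bytes(2, _v1_req)
_frame_keepalive = _enc_varint(1, 1) + _enc_bytes(2, _enc_varint(1, 5))
SAMPLE_STREAM = (struct.pack(">I", len(_frame_req)) + _frame_req
                 + struct.pack(">I", len(_frame_keepalive)) + _frame_keepalive)

if __name__ == "__main__":
    for f in decode_stream(SAMPLE_STREAM):
        print(f)
```

The schema-free walk is deliberate: when a hooked Read delivers a frame whose type you have not seen yet, parse_message still returns every field by number, so unknown frame types and extra fields show up instead of being silently dropped, and the bounds checks keep a malformed or truncated capture from being misread as a shorter valid message.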
Source: GBHackers