Posts Tagged ‘SafeBreach’
[DefCon32] QuickShell: Sharing Is Caring About RCE Attack Chain on QuickShare
In the interconnected world of file sharing, Google’s QuickShare, bridging Android and Windows, presents a deceptively inviting attack surface. Or Yair and Shmuel Cohen, researchers at SafeBreach, uncover ten vulnerabilities, culminating in QuickShell, a remote code execution (RCE) chain exploiting five flaws. Their journey, sparked by QuickShare’s Windows expansion, reveals logical weaknesses that enable file writes, traffic redirection, and system crashes, culminating in a sophisticated RCE.
Or, a vulnerability research lead, and Shmuel, formerly of Check Point, dissect QuickShare’s Protobuf-based protocol. Initial fuzzing yields crashes but no exploits, prompting a shift to logical vulnerabilities. Their findings, responsibly disclosed to Google, lead to patches and two CVEs, addressing persistent Wi-Fi connections and file approval bypasses.
QuickShare’s design, facilitating seamless device communication, lacks robust validation, allowing attackers to manipulate file transfers and network connections. The RCE chain combines these flaws, achieving unauthorized code execution on Windows systems.
Protocol Analysis and Fuzzing
Or and Shmuel begin with QuickShare’s protocol, using hooks to decode Protobuf messages. Their custom fuzzer targets the Windows app, identifying crashes but lacking exploitable memory corruptions. This pivot to logical flaws uncovers issues like unauthenticated file writes and path traversals, exposing user directories.
Tools built for device communication enable precise vulnerability discovery, revealing weaknesses in QuickShare’s trust model.
Vulnerability Discoveries
The researchers identify ten issues: file write bypasses, denial-of-service (DoS) crashes, and Wi-Fi redirection via crafted access points. Notable vulnerabilities include forcing file approvals without user consent and redirecting traffic to malicious networks.
A novel HTTPS MITM technique amplifies the attack, intercepting communications to escalate privileges. These flaws, present in both Android and Windows, highlight systemic design oversights.
Crafting the RCE Chain
QuickShell chains five vulnerabilities: a DoS to destabilize QuickShare, a file write to plant malicious payloads, a path traversal to target system directories, a Wi-Fi redirection to control connectivity, and a final exploit triggering RCE. This unconventional chain leverages seemingly minor bugs, transforming them into a potent attack.
Demonstrations show persistent connections and code execution, underscoring the chain’s real-world impact.
Takeaways for Developers and Defenders
Or and Shmuel emphasize that minor bugs, often dismissed, can cascade into severe threats. The DoS flaw, critical to their chain, exemplifies how non-security issues enable attacks. They advocate holistic security assessments, beyond memory corruptions, to evaluate logical behaviors.
Google’s responsive fixes, completed by January 2025, validate the research’s impact. The team’s open-source tools invite further exploration, urging developers to prioritize robust validation in file-sharing systems.
Links:
[DefCon32] Windows Downdate: Downgrade Attacks Using Windows Updates
The notion of a “fully patched” system crumbles under the weight of downgrade attacks, as revealed by Alon Leviev, a self-taught security researcher at SafeBreach. His exploration of Windows Updates uncovers a flaw allowing attackers to revert critical components—DLLs, drivers, kernels, and virtualization stacks—to vulnerable versions, bypassing verification and exposing privilege escalations. Alon’s tool, Windows Downdate, renders the term “updated” obsolete, compromising systems worldwide.
Alon, a former Brazilian Jiu-Jitsu champion, leverages his expertise in OS internals and reverse engineering to dissect Windows Update mechanisms. Inspired by the BlackLotus UEFI bootkit, which bypassed Secure Boot via downgrades, he investigates whether similar vulnerabilities plague other components. His findings reveal a systemic design flaw, enabling unprivileged attackers to manipulate updates and disable protections like Virtualization-Based Security (VBS).
The implications are profound: downgraded systems report as fully updated, evade recovery tools, and block future patches, leaving them exposed to thousands of known vulnerabilities.
BlackLotus and the Downgrade Threat
Alon traces the research to BlackLotus, which exploited a patched Secure Boot flaw by reverting components. Secure Boot verifies boot chain signatures, but BlackLotus’s downgrade bypassed this, prompting Alon to probe Windows Updates for similar weaknesses.
He discovers that update packages, lacking robust validation, allow crafted downgrades. By manipulating update manifests, attackers revert critical files, exploiting old vulnerabilities without triggering alerts.
Compromising the Virtualization Stack
Targeting Hyper-V, Secure Kernel, and Credential Guard, Alon achieves downgrades that expose privilege escalations. VBS, designed to isolate sensitive operations, relies on UEFI locks, yet his methods disable these protections, a first in known research.
The attack exploits design flaws allowing less privileged rings to update higher ones, a remnant since VBS’s 2015 debut. Demonstrations show downgraded hypervisors, undermining Windows’ security architecture.
Restoration Vulnerabilities
A secondary flaw in update restoration scenarios amplifies the threat. Unprivileged users can trigger rollbacks, embedding malicious updates that persist across reboots. Recovery tools fail to detect these, as the system registers as compliant.
Alon’s Windows Downdate tool automates this, crafting updates that downgrade entire systems, from drivers to kernels, without administrative rights.
Industry Implications and Mitigations
The research exposes a gap in downgrade attack awareness. Alon urges thorough design reviews, emphasizing that unexamined surfaces, like update mechanisms, harbor risks. Linux and macOS may face similar threats, necessitating preemptive scrutiny.
Mitigations include enhanced validation, privilege restrictions, and monitoring for anomalous updates. His findings, shared responsibly with Microsoft, highlight the need for systemic changes to restore trust in patching.