Chaining Logic Flaws to Achieve RCE in Google Quick Share

TLDR: Researchers at Black Hat 2025 demonstrated a sophisticated RCE chain against Google’s Quick Share for Windows by chaining multiple logic vulnerabilities. By forcing a victim to connect to a malicious Wi-Fi hotspot and exploiting file-handling flaws, an attacker can bypass file acceptance prompts and execute arbitrary code. This research highlights the critical need to audit inter-process communication and file-handling logic, rather than focusing solely on memory corruption.

Security researchers often fixate on memory corruption, hunting for buffer overflows or use-after-free vulnerabilities. While those bugs are undeniably critical, they are not the only path to system compromise. The recent research on Google’s Quick Share for Windows serves as a masterclass in how a series of seemingly minor logic flaws can be chained together to achieve full remote code execution.

Quick Share, Google’s answer to Apple’s AirDrop, is designed for seamless file transfers between Android and Windows. Because it handles incoming files and network connections, it presents a massive attack surface. The researchers behind this work didn't look for complex memory corruption; they looked at the protocol’s logic, specifically how it handles file acceptance and network transitions.

The Anatomy of the Chain

The attack begins by forcing a victim to connect to a rogue Wi-Fi access point. Quick Share uses a feature called "Bandwidth Upgrade Negotiation" to improve transfer speeds. When the protocol decides a faster connection is needed, it can force the client to switch to a different network. By controlling this access point, an attacker can perform a man-in-the-middle (MITM) attack, intercepting traffic between the victim and the legitimate service.

Once the MITM position is established, the researchers exploited a flaw in how Quick Share handles file names. By sending a specially crafted file name containing invalid UTF-8 continuation bytes, they triggered a denial-of-service (DoS) condition. This crash was not just a nuisance; it was a tactical necessity. By crashing the service at the right moment, they could manipulate the file-handling state machine.

The most impressive part of the chain is the file acceptance bypass. Normally, Quick Share requires the user to manually click "Accept" before a file is saved to the disk. The researchers discovered that by sending two file transfer packets with the same Payload ID, they could confuse the service. The service would delete one file but leave the other, effectively bypassing the user-approval prompt. This allows an attacker to write arbitrary files directly into the user’s "Downloads" folder.

From File Write to RCE

Writing a file to the "Downloads" folder is a significant finding, but it is not RCE. To turn this into a full compromise, the researchers needed to ensure the victim would execute their malicious payload. They observed that the "Downloads" folder is a shared space where browsers like Chrome also save files.

By monitoring the victim's domain access through their rogue access point, the researchers could identify when a user was downloading a legitimate installer, such as the Visual Studio Code setup file. Because they knew the file name and the approximate size of the legitimate download, they could time their attack perfectly. They used their file-write primitive to overwrite the legitimate installer with a malicious executable of the same name. When the user eventually ran the file, thinking it was the legitimate installer, they were actually running the attacker's payload.

This technique relies on T1204-user-execution and T1566-phishing, but it does so without requiring the user to open a suspicious email attachment. The user is simply performing a routine task, and the environment itself has been compromised.

Defensive Implications

Defending against this type of attack is difficult because it does not rely on a single, easily patched memory bug. It exploits the fundamental design of the protocol. For developers, the lesson is clear: never trust the state of a file transfer process. If a service allows files to be written to a user-accessible directory, it must implement strict validation and ensure that file-handling logic is atomic.

Organizations should also be wary of "convenience" features that automatically switch network connections. These features often bypass standard security controls and create opportunities for MITM attacks. If your environment uses tools that rely on Nearby Connections API, ensure that you are running the latest versions, as Google has already issued patches for these specific vulnerabilities, tracked as CVE-2024-38271, CVE-2024-38272, and CVE-2024-10668.

What This Means for Your Next Engagement

For those of us in the field, this research is a reminder to look beyond the low-hanging fruit. When you are testing an application, don't just run a fuzzer and wait for a crash. Map out the state machine. Ask yourself what happens if you interrupt a process, send duplicate packets, or manipulate the file system while the application is running.

The researchers used WinAFL and DynamoRIO to find the initial crashes, but the real exploit was built on a deep understanding of the protocol's logic. If you are auditing a similar service, focus on the OWASP A01:2021-Broken Access Control and A05:2021-Security Misconfiguration categories. These logic-based vulnerabilities are often the most devastating because they are the hardest to detect and the most difficult to fix. Keep digging into the protocol, and you might find that the most "secure" features are actually the most fragile.