Multiple Vulnerabilities Found in Apple AirDrop and Android Quick Share

Researchers have discovered six vulnerabilities across Apple's AirDrop and Android's Quick Share file sharing protocols, some of which are zero-clicks.

AirDrop is a proprietary protocol that allows Apple devices to send files to each other over a local ad hoc wireless connection, avoiding the need to upload files to a server first, which slows down the transfer and requires internet access.

Quick Share is Android's answer to AirDrop, allowing the same functionality and even supporting cross-platform transfers with Apple devices on certain models of Google Pixels.

The first zero-click in AirDrop is a Denial of Service (DoS) attack stemming from a fatalError raised when an enum value does not match the expected value. In practice, any request with an unrecognized URI and a non-empty body triggers it.

An attacker can continually send these and repeatedly crash AirDrop without any interaction on your end.

"One short request takes down AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera at once," said Help Net Security describing the attack.

The second zero-day in AirDrop is a stack overflow caused by nested <dict> elements in an XML document. After around 200 nested <dict> elements, the parser attempts to write to an unmapped part of memory, raising a memory write fault that crashes the process, although "no useful register or memory write primitive is exposed."
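The nesting bug above is the classic failure mode of a recursive parser: every nested element costs a stack frame, so unbounded input nesting becomes unbounded stack use. The following added example (not from the article, and not Apple's or Google's code) contrasts a naive recursive walk over a plist-style document, which exhausts the interpreter stack on deeply nested `<dict>` elements, with a streaming parser that enforces a nesting limit without recursion. The sample documents are constructed inline, and the limit of 32 levels is an assumed policy value, not anything stated in the article.

```python
"""Depth-bounded handling of nested <dict> elements in plist-style XML.

Added example, not taken from the article or from any vendor's code. The
nested documents are constructed here for illustration, and MAX_DEPTH is an
assumed policy value.
"""
import io
import xml.etree.ElementTree as ET

MAX_DEPTH = 32  # assumed limit; legitimate property lists rarely nest this deep


def build_nested_dict_plist(depth: int) -> bytes:
    """Construct a plist whose <dict> elements nest `depth` levels deep."""
    opening = "<dict><key>k</key>" * depth
    closing = "</dict>" * depth
    body = f'<plist version="1.0">{opening}<string>v</string>{closing}</plist>'
    return body.encode()


def naive_dict_depth(data: bytes) -> int:
    """Recursive walk over the parsed tree: one stack frame per nesting level.

    This mirrors the unsafe pattern: nothing bounds the recursion, so the
    input alone decides how deep the stack grows.
    """
    def walk(node: ET.Element) -> int:
        child_depths = [walk(child) for child in node]
        own = 1 if node.tag == "dict" else 0
        return own + (max(child_depths) if child_depths else 0)

    return walk(ET.fromstring(data))


def naive_crashes(data: bytes) -> bool:
    """True if the recursive walker exhausts the interpreter stack on this input."""
    try:
        naive_dict_depth(data)
    except RecursionError:
        return True
    return False


def bounded_dict_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Stream the document and track <dict> nesting with a counter, not recursion.

    Raises ValueError as soon as nesting exceeds max_depth, so stack and memory
    use stay bounded no matter how large or deeply nested the input is.
    """
    depth = 0
    deepest = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if elem.tag != "dict":
            continue
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"<dict> nesting {depth} exceeds limit {max_depth}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
            elem.clear()  # drop processed subtrees so memory does not grow with input
    return deepest


def is_rejected(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """Convenience wrapper: True if the bounded parser refuses the document."""
    try:
        bounded_dict_depth(data, max_depth)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = build_nested_dict_plist(3)
    hostile = build_nested_dict_plist(5000)
    print("benign depth:", bounded_dict_depth(benign))
    print("naive walker crashes on hostile input:", naive_crashes(hostile))
    print("bounded parser rejects hostile input:", is_rejected(hostile))
```

The bounded parser stops reading as soon as the limit is crossed, so a hostile client cannot make the receiver do work proportional to the size of the attack payload. The same counter-based check applies to any tree-shaped format (JSON, ASN.1, XML) that a service accepts from unauthenticated peers.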

The third vulnerability occurs when a specially crafted HTTP request causes a null pointer dereference, producing yet another crash. It could affect any part of the system that processes HTTP requests, although the researchers state it may be more difficult to trigger outside of AirDrop and related services.

The researchers also analyzed Samsung's Quick Share implementation and found two fairly serious vulnerabilities.

The first is a pre-authentication bypass that lets an attacker establish a connection with the phone and have it process content without any authentication or an encrypted session being established.

The second, when combined with the first, allows an attacker to bypass the encryption and "inject unencrypted control frames into an active Quick Share session."

Finally, the Windows Quick Share client suffers from a critical memory corruption bug when two connections with the same endpoint identifiers and nonce values arrive at once. Ironically, the developers had acknowledged the bug in a code comment, but their fix reintroduced the same memory corruption.

The researchers reported all vulnerabilities to the respective companies. Apple acknowledged them and is reportedly working on a fix. Samsung determined the bugs were in Google's code and transferred responsibility for fixing them to Google. Google acknowledged all of the Quick Share bugs and awarded the researchers a bug bounty, but no fixes have been released yet.
