CVE-2024-31226 MEDIUM

CVE-2024-31226: Sunshine's unquoted executable path could lead to hijacked execution flow

Vendor Lizardbyte
Product Sunshine
Weakness CWE-428
Published May 16, 2024
Last update August 15, 2024

CVSS base score

4.9/10
Attack vector Physical
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

Key dates

02Disclosure timeline

May 16, 2024 CVE published
August 15, 2024 Record updated