Skip to content

Unquoted executable path could lead to hijacked execution flow

Moderate
ReenigneArcher published GHSA-r3rw-mx4q-7vfp May 16, 2024

Package

sunshine

Affected versions

>= 0.17.0, < 0.23.0

Patched versions

v0.23.0

Description

Impact

Users who ran Sunshine as a service on Windows may be impacted when terminating the service if an attacker placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive.

The lpCommandLine parameter passed to CreateProcessAsUser() was initialized using the path returned from GetModuleFileName() which is not enclosed in quotes. As a result, the Microsoft documented executable search logic is used to locate the desired executable, which tries C:\Program.exe, C:\Program.bat, or C:\Program.cmd before the expected C:\Program Files\Sunshine\tools\sunshinesvc.exe file.

If the user's system locale is not English, then the name of the executable will likely vary. The executable name is based on the Program Files directory name.

Patches

v0.23.0

Workarounds

  • Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
  • Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:. Require that all executables be placed in write-protected directories.

References

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2024-31226

Weaknesses

Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. Learn more on MITRE.

Credits