CVE-2024-31226
📋 TL;DR
This vulnerability in Sunshine game streaming software allows path interception attacks when terminating the service on Windows. Attackers can place malicious executables named 'Program.exe', 'Program.bat', or 'Program.cmd' in the C:\ root directory to execute arbitrary code. Only users running affected versions as a Windows service with manually loosened ACLs on the system drive are impacted.
💻 Affected Systems
- Sunshine
📦 What is this software?
Sunshine by LizardByte
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the Sunshine service account, potentially leading to full system compromise if the service runs with elevated privileges.
Likely Case
Limited impact due to requirement for manually loosened ACLs; most likely scenario is failed exploitation attempts or no impact on properly configured systems.
If Mitigated
No impact when proper file system permissions are enforced and executables cannot be written to C:\ root directory.
🎯 Exploit Status
Requires local file placement and specific ACL misconfigurations. Attack vector depends on user manually loosening system drive permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.23.0
Vendor Advisory: https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp
Restart Required: Yes
Instructions:
1. Download Sunshine version 0.23.0 or later from the official repository.
2. Stop the Sunshine service.
3. Install the updated version.
4. Restart the Sunshine service.
🔧 Temporary Workarounds
Application Control Enforcement (Windows)
Use Windows application control tools to block execution of unauthorized executables from the C:\ root directory.
File System Permission Hardening (Windows)
Set proper ACLs to deny write access to the C:\ root directory for non-administrative users:
icacls C:\ /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Enforce strict file system permissions to prevent writing executables to C:\ root directory.
- Monitor for creation of suspicious files named 'Program.exe', 'Program.bat', or 'Program.cmd' in C:\ directory.
🔍 How to Verify
Check if Vulnerable:
A host is vulnerable if it runs Sunshine 0.17.0 through 0.22.2 on Windows as a service and the ACLs on the C:\ drive have been manually loosened so that non-administrative users can write to the root directory.
Check Version:
sunshine --version
Verify Fix Applied:
Confirm Sunshine version is 0.23.0 or later using the version check command, and verify service is running properly.
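The following PowerShell script is an added example for this advisory, not code from Sunshine or LizardByte. It checks the three conditions above on one host: whether Sunshine is registered as a Windows service, which version the service binary reports (using the `sunshine --version` command the advisory names, with the PE version resource as a fallback), and whether the ACL on C:\ itself grants file creation to broad principals. The service name `SunshineService` is an assumption; adjust it to the name registered on your host.

```powershell
# Added example for CVE-2024-31226; not code from Sunshine or LizardByte.
# ASSUMPTIONS: the service is registered as 'SunshineService' (change if yours differs)
# and the binary answers 'sunshine --version' as the advisory's check command states.
$ServiceName = 'SunshineService'
$FixedIn     = [version]'0.23.0'
$Affected    = @([version]'0.17.0', [version]'0.22.2')   # inclusive range from the advisory

function Get-SunshineServiceExe {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    $path = $svc.PathName
    # ImagePath may be quoted ("C:\...\sunshine.exe" args) or unquoted with spaces.
    if ($path -match '^"([^"]+)"')  { return $Matches[1] }
    if ($path -match '^(.+?\.exe)') { return $Matches[1] }
    return $path
}

function Get-SunshineVersion {
    param([string]$Exe)
    # The advisory's own check is 'sunshine --version'; parse the first x.y.z in its output.
    $out = & $Exe --version 2>&1 | Out-String
    if ($out -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    # Fall back to the PE version resource if the CLI output is not parseable.
    $fv = (Get-Item -LiteralPath $Exe).VersionInfo.FileVersion
    if ($fv -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-LoosenedRootAces {
    # Returns Allow ACEs on C:\ itself that let broad principals create files there.
    # On a default install these principals hold only 'create folders' on C:\ itself,
    # so any hit indicates the ACL was loosened. Deny entries are not subtracted,
    # so the check errs toward reporting.
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath 'C:\').Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0) -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)   # applies to the folder itself
    }
}

# --- main ---
$exe = Get-SunshineServiceExe -Name $ServiceName
if (-not $exe) {
    Write-Output "No service '$ServiceName' found: the service-mode condition does not apply."
} else {
    $ver = Get-SunshineVersion -Exe $exe
    Write-Output "Sunshine service binary: $exe  version: $ver"
    if ($ver -and $ver -ge $FixedIn) {
        Write-Output "Version $ver is at or above $FixedIn: fix applied."
    } elseif ($ver -and $ver -ge $Affected[0] -and $ver -le $Affected[1]) {
        Write-Output "Version $ver is in the affected range $($Affected[0]) to $($Affected[1])."
        $loose = @(Get-LoosenedRootAces)
        if ($loose.Count -gt 0) {
            Write-Output "VULNERABLE: the C:\ ACL lets these principals create files in the root:"
            $loose | ForEach-Object { "  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights }
        } else {
            Write-Output "C:\ root ACL is not loosened; the advisory's precondition is not met."
        }
    } else {
        Write-Output "Could not determine a version inside the advisory's stated range; check manually."
    }
}
```

Run it from an elevated or a standard PowerShell session; reading the service definition and the root ACL needs no special rights. If you applied the advisory's `icacls C:\ /deny Users:(OI)(CI)W` workaround, bear in mind that `(OI)(CI)` makes the deny entry inheritable by every file and subfolder under C:\, and that this script reports Allow entries only, so it will still list a loosened Allow ACE until that entry is removed rather than merely overridden.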
📡 Detection & Monitoring
Log Indicators:
- Failed service termination events in Windows Event Logs
- Creation of suspicious files (Program.exe, Program.bat, Program.cmd) in C:\ directory
Network Indicators:
- Unusual outbound connections from Sunshine service process
SIEM Query:
(EventID=7036 AND ServiceName="Sunshine") OR (FileCreation AND Path="C:\\Program.*")
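As an added example of the log and file indicators above (not code from Sunshine or LizardByte), the following PowerShell script runs on a single host instead of a SIEM: it pulls Service Control Manager event 7036 entries that mention Sunshine from the System log for a lookback window, inventories any `Program.exe`, `Program.bat` or `Program.cmd` in the C:\ root with owner, timestamps and hash, and correlates the two so an analyst can see whether such a file existed before a Sunshine stop event. It assumes the service's display name contains "Sunshine" (7036 messages carry the display name) and that nothing legitimate lives at `C:\Program.*`.

```powershell
# Added example for the detection section of CVE-2024-31226; not code from Sunshine or LizardByte.
# ASSUMPTIONS: the service display name contains 'Sunshine', and no legitimate file
# is expected at C:\Program.exe / .bat / .cmd.
param([int]$LookbackHours = 24)

function Get-SunshineServiceStateEvents {
    param([int]$Hours)
    # SCM event 7036 = "The <service> service entered the <running|stopped> state."
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Sunshine*' } |
        Select-Object TimeCreated, Id, Message
}

function Get-RootInterceptionFiles {
    # The three names the advisory calls out. Report owner, timestamps and hash so an
    # analyst can see who dropped the file and when, relative to the 7036 events.
    foreach ($name in 'Program.exe', 'Program.bat', 'Program.cmd') {
        $p = Join-Path -Path 'C:\' -ChildPath $name
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p -Force
            [pscustomobject]@{
                Path         = $item.FullName
                Owner        = (Get-Acl -LiteralPath $p).Owner
                CreationTime = $item.CreationTime
                LastWrite    = $item.LastWriteTime
                SizeBytes    = $item.Length
                SHA256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
}

$files  = @(Get-RootInterceptionFiles)
$events = @(Get-SunshineServiceStateEvents -Hours $LookbackHours)

if ($files.Count -eq 0) {
    Write-Output "No Program.exe/.bat/.cmd present in the C:\ root."
} else {
    Write-Output "ALERT: path-interception candidates present in the C:\ root:"
    $files | Format-List
}

Write-Output "Sunshine service state changes in the last $LookbackHours h: $($events.Count)"
$events | Format-Table -AutoSize -Wrap

# Correlate: a root file created before a Sunshine stop event is the sequence the advisory describes.
foreach ($f in $files) {
    $stops = @($events | Where-Object { $_.TimeCreated -gt $f.CreationTime -and $_.Message -like '*stopped*' })
    if ($stops.Count -gt 0) {
        Write-Output "  $($f.Path) existed before a Sunshine stop at $($stops[0].TimeCreated); treat as suspicious."
    }
}
```

This is a point-in-time sweep, so it only catches files that are still present. For creation-time telemetry that a SIEM can match against the `FileCreation` clause in the query above, forward Sysmon Event ID 11 (FileCreate) or enable a SACL on C:\ so Security event 4663 records object access; both include the writing process and account, which this script cannot recover after the fact.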
🔗 References
- https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a
- https://github.com/LizardByte/Sunshine/pull/2379
- https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp