Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sunshine's unquoted executable path could lead to hijacked execution flow
Vulnerability Description
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
CVSS Information
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Vulnerability Type
未经引用的搜索路径或元素
Vulnerability Title
Sunshine 安全漏洞
Vulnerability Description
Sunshine是Moonlight 自托管游戏直播主机。 Sunshine 0.17.0版本至0.22.2版本存在安全漏洞,该漏洞源于访问权限管理不当。
CVSS Information
N/A
Vulnerability Type
N/A