Unquoted executable path could lead to hijacked execution flow

Moderate
ReenigneArcher published GHSA-r3rw-mx4q-7vfp May 16, 2024

Package

sunshine

Affected versions

>= 0.17.0, < 0.23.0

Patched versions

v0.23.0

Description

Impact

Users who ran Sunshine as a service on Windows may be impacted when terminating the service if an attacker placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive.

The lpCommandLine parameter passed to CreateProcessAsUser() was initialized using the path returned from GetModuleFileName(), which is not enclosed in quotes. As a result, the Microsoft-documented executable search logic is used to locate the desired executable, and it tries C:\Program.exe, C:\Program.bat, or C:\Program.cmd before the expected C:\Program Files\Sunshine\tools\sunshinesvc.exe file.

If the user's system locale is not English, then the name of the executable will likely vary. The executable name is based on the Program Files directory name.
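
The search behaviour described above, as an added example that is not Sunshine's code: portable C that lists the prefixes tried before the intended binary for an unquoted lpCommandLine, next to the quoted form that removes the ambiguity. The function names are hypothetical, and the string is assumed to hold only a module path with no arguments, as a GetModuleFileName() result does.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Sunshine code. Assumes cmdline holds only a module path
 * (no arguments) and lpApplicationName is NULL. An unquoted string is split at
 * each space and every prefix is tried as the module name first; a quoted
 * string has exactly one interpretation. Returns the number of prefixes tried
 * before the intended full path. */
static int ambiguous_candidates(const char *cmdline, int print)
{
    int n = 0;
    if (cmdline[0] == '"')
        return 0;
    for (const char *p = cmdline; *p; p++) {
        if (*p != ' ')
            continue;
        if (print)
            printf("  tried first: %.*s\n", (int)(p - cmdline), cmdline);
        n++;
    }
    return n;
}

/* Hardened form: wrap the path in double quotes before using it as
 * lpCommandLine. '"' is not valid in a Windows file name, so reject it
 * rather than escape it. Returns 0 on success, -1 on bad input or overflow. */
static int quote_module_path(const char *path, char *out, size_t outsz)
{
    if (strchr(path, '"') != NULL)
        return -1;
    int w = snprintf(out, outsz, "\"%s\"", path);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Path taken from the advisory text. */
    const char *svc = "C:\\Program Files\\Sunshine\\tools\\sunshinesvc.exe";
    char quoted[512];

    printf("unquoted: %s\n", svc);
    printf("  ambiguous prefixes: %d\n", ambiguous_candidates(svc, 1));
    if (quote_module_path(svc, quoted, sizeof quoted) == 0) {
        printf("quoted:   %s\n", quoted);
        printf("  ambiguous prefixes: %d\n", ambiguous_candidates(quoted, 1));
    }
    return 0;
}
```

A non-zero count for a command line built from an install path is the condition to look for when reviewing other CreateProcess-family call sites.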

Patches

v0.23.0

Workarounds

  • Identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
  • Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:\. Require that all executables be placed in write-protected directories.

Severity

Moderate
5.8 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2024-31226
