CVE-2023-42800: 
Homebrew vulnerability analysis and mitigation

CVE-2023-42800 affects Moonlight-common-c, which contains the core GameStream client code shared between Moonlight clients. The vulnerability was introduced in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 and was patched in commit 24750d4b748fefa03d09fcfd6d45056faca354e0. The issue stems from unmitigated usage of unsafe C functions and improper bounds checking (GitHub Advisory).

The vulnerability is a buffer overflow in the performRtspHandshake() function in RtspConnection.c. The issue occurs when the RTSP URL received from the game stream server is copied into a static buffer rtspTargetUrl of size 256 using an unsafe strcpy() function. Since the server-provided serverInfo->rtspSessionUrl contents can be of arbitrary length, it can overflow urlAddr into the surrounding memory. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).

A malicious game streaming server could exploit this buffer overflow vulnerability to crash a moonlight client or achieve remote code execution (RCE) on the client if exploit mitigations are insufficient or can be bypassed. The vulnerability requires the user to be tricked into pairing with a malicious host and cannot be performed using a MITM attack due to public key pinning during the pairing process (GitHub Advisory).

The vulnerability was patched in commit 24750d4b748fefa03d09fcfd6d45056faca354e0 by replacing the unsafe strcpy() with PltSafeStrcpy() and adding proper bounds checking. Users should upgrade to versions containing this fix (GitHub Advisory).