Multiple programming languages are impacted by a critical-severity vulnerability leading to command injection in Windows applications, bug hunters at Flatt Security warn.
The issue, named ‘BatBadBut’, exists because the Windows operating system spawns the ‘cmd exe’ process when executing batch (bat) files with the ‘CreateProcess’ function, and programming languages do not properly escape command arguments.
Most programming languages wrap the ‘CreateProcess’ function to offer a more user-friendly interface but fail to properly escape the command arguments passed to the function.
The OS cannot execute batch files without ‘cmd exe’, which “has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly,” Flatt Security researcher RyotaK explains.
Because of this issue, an attacker who can control the command arguments section of the batch file can potentially inject commands into Windows applications.
For that, however, the application needs to execute a command on Windows, it should not specify the command file extension, the attacker needs to control the command arguments, and the programming language’s runtime needs to fail to escape the command arguments for ‘cmd exe’.
“Since Windows includes .bat and .cmd files in the PATHEXT environment variable by default, some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” RyotaK says.
Most applications, the researcher notes, are not affected by this vulnerability and several mitigations are available. Furthermore, some of the programming languages that were notified of the bug have taken steps to address it, such as adding another escaping mechanism for batch files.
According to an advisory from the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University, four different CVE identifiers have been issued for the security defect, namely CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566, but programming languages are impacted by one or two of them at most.
“If the runtime of your application doesn’t provide a patch for this vulnerability and you want to execute batch files with user-controlled arguments, you will need to perform the escaping and neutralization of the data to prevent any intended command execution,” CERT/CC notes.
To date, the Haskell process library, Rust, Node.js, PHP, and yt-dlp are known to be affected. Haskell, Rust, and yt-dlp have announced patches.
Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth
Related: Ray AI Framework Vulnerability Exploited to Hack Hundreds of Clusters
Related: Most Linux Systems Exposed to Complete Compromise via Shim Vulnerability