A critical vulnerability named ‘BatBadBut’ has been uncovered by security researchers at Flatt Security, affecting multiple programming languages and posing a serious threat to Windows applications. The vulnerability stems from the way the Windows operating system handles the execution of batch files (.bat and .cmd) using the ‘cmd exe’ process.
When executing batch files, the Windows OS relies on the ‘CreateProcess’ function, which spawns the ‘cmd exe’ process. However, many programming languages fail to properly escape command arguments passed to this function, leaving them vulnerable to command injection attacks.
According to Flatt Security researcher RyotaK, the complexity of parsing rules for command arguments in ‘cmd exe’ complicates the issue, as programming language runtimes often fail to adequately escape these arguments. This allows attackers to potentially inject malicious commands into Windows applications by controlling the command arguments section of batch files.
Several conditions must be met for successful exploitation, including the application executing a command on Windows, not specifying the command file extension, and the attacker controlling the command arguments. Additionally, affected programming language runtimes must fail to escape the command arguments properly.
While most applications are not affected by this vulnerability, several programming languages have been impacted. The CERT Coordination Center (CERT/CC) has issued four CVE identifiers for the security defect, including CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566. However, most programming languages are affected by only one or two of these CVEs.
Affected programming languages include Haskell, Rust, Node.js, PHP, and yt-dlp. Some languages have already released patches to address the vulnerability, while others are in the process of doing so.
Developers and system administrators are advised to apply patches promptly and implement appropriate measures to prevent potential command injection attacks.
