Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.
What’s the Issue?
Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.
BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.
Why it Occurs?
The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file.
For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.
“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.
Impacted Applications
Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.
Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.
Mitigation Strategies:
Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.