You can’t run Windows commands safely: BatBadBut

Windows applications often use a system function called CreateProcess, which starts a new process. Essentially, it allows one program to load another application as a separate process. The CreateProcess() function is often used in programs to run other applications or commands. A researcher, an engineer specializing in security issues at Flatt Security, says we can't run Windows commands securely.

The expert specifies that he has reported vulnerabilities in several programming languages: they allow an attacker to perform command injection on Windows when specific conditions exist.

Running Windows commands: this cannot be done safely

The vulnerabilities, collectively named BatBadBut, give an attacker the opportunity, in specific cases, to inject commands into all those Windows applications that indirectly depend on the CreateProcess() function. This function implicitly starts cmd.exe when running batch files (.bat, .cmd and so on…), even if the program does not use them at the command line level.

The problem arises from the fact that cmd.exe has complicated rules for parsing command arguments, and programming language runtimes often fail to escape those arguments adequately.

Argument escaping refers to the procedure of making the arguments of a command safe so that they are interpreted correctly, for example by cmd.exe on Windows. Microsoft operating systems apply specific rules to interpret command-line arguments. These rules include the handling of special characters, to prevent them from causing unwanted or potentially harmful side effects.

The technical details of the BatBadBut vulnerability

The BatBadBut vulnerability exploits the way Windows operating systems handle batch file execution via the CreateProcess() function. A system component such as cmd.exe has argument-parsing rules that differ from those of other interpreters.

For example, it uses the `^` symbol as the escape character instead of the backslash (`\`): this means that argument escaping must be done specifically for cmd.exe.

Some programming languages do not escape arguments properly when running batch files. This can lead to situations where special characters or malicious commands, passed as arguments, are misinterpreted and subsequently executed.

An attacker could exploit the vulnerability to execute malicious or unauthorized commands on the system if they were able to control the arguments passed to batch files.

To mitigate the vulnerability, you need to ensure that arguments passed to batch files are properly escaped and that the specific parsing rules of cmd.exe are carefully respected.
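Where writing a correct cmd.exe escaper is not practical, a call-site guard can refuse risky invocations instead. The sketch below is an added example, not code from the researcher or from any of the affected runtimes; `guard_spawn`, the sample paths and the metacharacter deny-list are assumptions of this example, and it validates arguments rather than escaping them.

```python
import ntpath  # Windows path rules, usable on any platform

# Extensions the page names as being routed through cmd.exe by CreateProcess().
BATCH_EXTENSIONS = {".bat", ".cmd"}
# Assumption of this example: a conservative deny-list of characters that
# cmd.exe treats specially (separators, redirection, ^ escape, % and !
# expansion, quotes, grouping, line breaks).
CMD_METACHARACTERS = frozenset('&|<>^%"!()\r\n')


class UnsafeBatchInvocation(ValueError):
    """Raised when a spawn would hand untrusted text to cmd.exe."""


def guard_spawn(program, args):
    """Return the argv list to spawn, or raise if it is not safe to run."""
    # Win32 path normalisation drops trailing dots and spaces, so "x.bat. "
    # still opens x.bat; normalise before looking at the extension.
    name = program.rstrip(" .")
    ext = ntpath.splitext(name)[1].lower()
    if not ext:
        # Conservative choice of this example: require an explicit extension
        # so the caller always knows whether cmd.exe will be involved.
        raise UnsafeBatchInvocation(f"{program!r}: no explicit extension")
    if ext in BATCH_EXTENSIONS:
        for arg in args:
            bad = sorted(CMD_METACHARACTERS.intersection(arg))
            if bad:
                raise UnsafeBatchInvocation(
                    f"argument {arg!r} contains cmd.exe metacharacters {bad}")
    return [name, *args]


if __name__ == "__main__":
    # Constructed sample invocations (hypothetical paths and values).
    samples = [
        ("C:\\tools\\convert.exe", ["a&b"]),        # not a batch file
        ("C:\\tools\\report.bat", ["2024-05"]),     # batch file, plain argument
        ("C:\\tools\\report.bat", ["name&other"]),  # batch file, metacharacter
        ("C:\\tools\\report.cmd. ", ["100%"]),      # disguised extension
    ]
    for program, args in samples:
        try:
            print("ok  ", guard_spawn(program, args))
        except UnsafeBatchInvocation as exc:
            print("deny", exc)
```

The returned list is what the caller would then pass to its process-spawning API; arguments for non-batch targets are passed through unchanged because cmd.exe is not involved.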

Programming languages affected by the vulnerability

Programming languages identified as vulnerable or potentially vulnerable to BatBadBut include the following:

  • Python, Ruby, Go and Erlang: documentation updated with information to address the security issue.
  • Rust and Haskell: patch already available.
  • Java: There is no fix planned for this vulnerability.
  • Node.js and PHP: A patch will be released to address the vulnerability.

It is important to note that for some languages it was considered appropriate to handle this through a simple documentation update, while for others patches are being developed to correct the vulnerability.

Where does the name BatBadBut come from?

The name BatBadBut, chosen to refer to the security flaw under discussion, derives from the combination of two elements:

  • Bat: Refers to batch files, which are typically scripts that can be used on Windows operating systems. These files are known for automating processes and executing a series of commands in sequence.
  • BadBut: It's a sort of play on words that comes from the words "bad" and "but". This is an indication that the vulnerability in question is linked to the "bad" or unwanted behavior of batch files. It may not be the most dangerous security flaw of all, but it must be known and properly managed.

Opening image credit: iStock.com – Jacob Wackerhausen
