BatBadBut Flaw: A Threat to Multiple Programming Languages on Windows
April 13, 2024
Cybersecurity researcher RyotaK unveiled a critical vulnerability, named BatBadBut, affecting various programming languages. When specific conditions are met, the flaw enables an attacker to perform command injection on Windows applications.
RyotaK detailed, “The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.” He further explained that the CreateProcess function inadvertently triggers cmd.exe when running batch files (.bat, .cmd, etc.), even if they are not specified in the command line.
The issue arises from Windows' default inclusion of .bat and .cmd files in the PATHEXT environment variable. As a result, some runtimes unintentionally execute batch files instead of the intended commands, leading to arbitrary command execution. This can occur even if a snippet doesn't explicitly include .bat or .cmd files.
RyotaK elaborated on the problem, stating that the operating system executes batch files with cmd.exe, which has complex parsing rules for command arguments. He pointed out that programming language runtimes often fail to escape the command arguments correctly: most programming languages interface with the CreateProcess function but do not properly escape the command arguments passed to it.
To exploit the BatBadBut flaw, certain conditions must be met. RyotaK has informed the maintainers of the affected programming languages about the vulnerability, and they have started taking measures to mitigate it.
The CERT/CC from Carnegie Mellon University has issued an advisory regarding this flaw. This issue has been assigned four different CVE identifiers: CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566. The advisory states, “Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment.”
It further warns that the command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. This vulnerability could also impact the application that executes commands without specifying the file extension.
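A pre-spawn check for the condition described above, as an added example that is not code from RyotaK or the CERT/CC advisory: it models a simplified PATHEXT-style lookup and flags command names that would resolve to a .bat or .cmd file and so be run through cmd.exe. The function names, the PATHEXT value and the sample files are constructed for illustration.

```python
import os
import tempfile

BATCH_EXTS = {".bat", ".cmd"}
# Constructed sample value; assumed to mirror a typical Windows default order.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def resolve(name, search_dirs, pathext=DEFAULT_PATHEXT):
    """Return the first file a PATHEXT-style lookup would pick, or None."""
    exts = [e.lower() for e in pathext.split(";") if e]
    # A name that already carries a listed extension is looked up as-is.
    has_ext = os.path.splitext(name)[1].lower() in exts
    candidates = [name.lower()] if has_ext else [name.lower() + e for e in exts]
    for d in search_dirs:
        # Case-insensitive match, as on Windows file systems.
        present = {f.lower(): f for f in os.listdir(d)}
        for c in candidates:
            if c in present:
                return os.path.join(d, present[c])
    return None


def check_spawn(name, search_dirs, pathext=DEFAULT_PATHEXT):
    """Classify a command name before it is handed to a process-spawning API."""
    target = resolve(name, search_dirs, pathext)
    if target is None:
        return ("not-found", None)
    if os.path.splitext(target)[1].lower() in BATCH_EXTS:
        # Would be run through cmd.exe, which re-parses the arguments.
        return ("batch", target)
    return ("ok", target)


def demo():
    """Build a constructed directory and classify four command names."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("tool.exe", "build.cmd", "deploy.bat"):
            open(os.path.join(d, fname), "w").close()
        return {n: check_spawn(n, [d])[0]
                for n in ("tool", "build", "deploy.bat", "missing")}


if __name__ == "__main__":
    print(demo())
```

A caller that gets `"batch"` back can refuse to pass untrusted arguments, or invoke the intended executable by its full path and extension instead.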