Not Simon
#BatBadBut is not just one CVE ID CVE-2024-24576 (10.0 critical) affecting Rust programming language. It's also CVE-2024-1874, CVE-2024-22423 (8.3 high, for yt-dlp), and CVE-2024-3566 (for Haskell, node.js, Rust, PHP, yt-dlp)... so far. @ryotkak, a security engineer at Flatt Security Inc. said
"I decided to call this vulnerability BatBadBut because itβs about batch files and bad, but not the worst."
The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. The root cause of BatBadBut is the overlooked behavior of the CreateProcess function on Windows. When executing batch files with the CreateProcess function, Windows implicitly spawns cmd.exe because Windows canβt execute batch files without it. π https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ https://kb.cert.org/vuls/id/123335
#CVE_2024_22423 #CVE_2024_3566 #CVE_2024_24576 #CVE_2024_1874
BatBadBut: You can't securely execute commands on Windows
Introduction Hello, Iβm RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities , so Iβm documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score. TL;DR The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.