Mastodawn

Not Simon Apr 16, 2024

The PHP development team released versions 8.1.28, 8.2.18, and 8.3.6 to mitigate CVE-2024-1874 also known as #BatBadBut. Amazon Linux scored it at CVSSv3: 8.1 high severity. 🔗 https://www.php.net/ChangeLog-8.php

A command injection flaw was found in PHP, exclusive to Windows environments. This flaw allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function in specific conditions. The CreateProcess function implicitly uses cmd.exe when executing batch files, which has complicated parsing rules for arguments that have not fully escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.

#CVE_2024_22423 #CVE_2024_3566 #CVE_2024_24576 #CVE_2024_1874

PHP: PHP 8 ChangeLog

PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.

Show thread

Not Simon Apr 10, 2024

@mttaggart I think it gained a lot more visibility when Rust put out their security advisory while calling #CVE_2024_24576 critical. Until the #BatBadBut vulnerability disclosure was boosted on Mastodon, I had no idea there was a larger vulnerability that affected other languages. I made a specific toot clarifying that it's a set of vulnerabilities affecting multiple languages.

Security advisory for the standard library (CVE-2024-24576) | Rust Blog

Empowering everyone to build reliable and efficient software.

Taggart

Apr 10, 2024

It's really driving me crazy that #CVE_2024_24576 is being reported as a #RustLang vulnerability only.

Not Simon Apr 10, 2024

#BatBadBut is not just one CVE ID CVE-2024-24576 (10.0 critical) affecting Rust programming language. It's also CVE-2024-1874, CVE-2024-22423 (8.3 high, for yt-dlp), and CVE-2024-3566 (for Haskell, node.js, Rust, PHP, yt-dlp)... so far. @ryotkak, a security engineer at Flatt Security Inc. said

"I decided to call this vulnerability BatBadBut because it’s about batch files and bad, but not the worst."

The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. The root cause of BatBadBut is the overlooked behavior of the CreateProcess function on Windows. When executing batch files with the CreateProcess function, Windows implicitly spawns cmd.exe because Windows can’t execute batch files without it. 🔗 https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ https://kb.cert.org/vuls/id/123335

#CVE_2024_22423 #CVE_2024_3566 #CVE_2024_24576 #CVE_2024_1874

BatBadBut: You can't securely execute commands on Windows

Introduction Hello, I’m RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities , so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score. TL;DR The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

GMO Flatt Security Research