The PHP development team released versions 8.1.28, 8.2.18, and 8.3.6 to mitigate CVE-2024-1874 also known as #BatBadBut. Amazon Linux scored it at CVSSv3: 8.1 high severity. π https://www.php.net/ChangeLog-8.php
A command injection flaw was found in PHP, exclusive to Windows environments. This flaw allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function in specific conditions. The CreateProcess function implicitly uses cmd.exe when executing batch files, which has complicated parsing rules for arguments that have not fully escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.
#CVE_2024_22423 #CVE_2024_3566 #CVE_2024_24576 #CVE_2024_1874
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
#BatBadBut is not just one CVE ID CVE-2024-24576 (10.0 critical) affecting Rust programming language. It's also CVE-2024-1874, CVE-2024-22423 (8.3 high, for yt-dlp), and CVE-2024-3566 (for Haskell, node.js, Rust, PHP, yt-dlp)... so far. @ryotkak, a security engineer at Flatt Security Inc. said
"I decided to call this vulnerability BatBadBut because itβs about batch files and bad, but not the worst."
The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. The root cause of BatBadBut is the overlooked behavior of the CreateProcess function on Windows. When executing batch files with the CreateProcess function, Windows implicitly spawns cmd.exe because Windows canβt execute batch files without it. π https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ https://kb.cert.org/vuls/id/123335
#CVE_2024_22423 #CVE_2024_3566 #CVE_2024_24576 #CVE_2024_1874
Introduction Hello, Iβm RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities , so Iβm documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score. TL;DR The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
A critical vulnerability, named BatBadBut, was discovered in the Rust programming language, affecting not just Rust but also Erlang, Go, Python, Ruby, and potentially others. This vulnerability, with a severity score of 10/10, could allow attackers to execute arbitrary commands on Windows systems by exploiting how Rust handles batch files. The issue arises from Rust's standard library improperly escaping arguments when invoking batch files on Windows, leading to potential command injection. The vulnerability has been addressed with a fix in Rust version 1.77.2, which developers are urged to update to. Other programming languages and systems, including Node.js, PHP, and Java, are also affected and are working on patches.
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
#cybersecurity #rust #batbadbut #vulnerability #erlang #go #python #ruby #nodejs #php #java #windows #commandinjection #RyotaK #Grub4K #flattsecurity
Introduction Hello, Iβm RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities , so Iβm documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score. TL;DR The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Introduction Hello, Iβm RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities , so Iβm documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score. TL;DR The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Not Simon
securityaffairs
mx alex tax1a - 2020 (6)
AndreasChris
Erik C. Thauvin
83r71n
JRT