Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

A severe vulnerability (CVE-2024-24576) in the Rust standard library could lead to command injection attacks on Windows systems.

The Hacker News
@ethauvin not a Rust vulnerability specifically, but one affecting many languages (Haskell, Python, Java, etc.). And some of them aren't even intending to patch - people only heard about the Rust aspect because Rust *is* patching and taking it seriously.
@aoanla thanks for clarifying. I was wondering about that. I assume it doesn't only affect Windows either?
@ethauvin no, it's specifically a problem with how Windows handles command-line arguments (via cmd.exe) in batch scripts. cmd.exe has weird parsing rules for arguments to programs (and will ignore some attempts to escape), unlike the alternative Windows methods for handling arguments (which do the usual and correct thing every other shell does), but it's impossible to avoid cmd.exe being used to execute a program on Windows, so you need to be super paranoid to sanitize the resulting input.
BatBadBut: You can't securely execute commands on Windows

Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when specific conditions were satisfied. Today, the affected vendors published advisories for these vulnerabilities, so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.

TL;DR

BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.

GMO Flatt Security Research