CVE Reports

Originally published at cvereports.com

CVE-2024-3566: BatBadBut: The Legacy Windows Nightmare That Won't Die

Vulnerability ID: CVE-2024-3566
CVSS Score: 9.8
Published: 2024-04-10

CVE-2024-3566 is a critical command injection vulnerability affecting multiple programming language runtimes on Windows. It arises from an impedance mismatch between how runtimes escape arguments for process execution and how the Windows operating system implicitly handles batch files via 'cmd.exe'. This flaw turns standard argument passing into arbitrary remote code execution.

TL;DR

Windows implicitly uses 'cmd.exe' to run batch files even when you don't ask for a shell. Most programming languages didn't account for the bizarre parsing rules of 'cmd.exe', allowing attackers to break out of argument quotes and execute commands. CVSS 9.8.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (Arguments passed remotely)
  • EPSS Score: 0.053 (~5.3%)
  • Exploit Status: PoC Available
  • KEV Listed: No

Affected Systems

  • Node.js on Windows
  • Rust Standard Library on Windows
  • PHP on Windows
  • Haskell Process Library on Windows
  • Applications executing .bat or .cmd files with user input
  • Node.js: < 18.20.2 (Fixed in: 18.20.2)
  • Node.js: < 20.12.2 (Fixed in: 20.12.2)
  • Node.js: < 21.7.2 (Fixed in: 21.7.2)
  • Rust: < 1.77.2 (Fixed in: 1.77.2)
  • PHP: 8.x (Fixed in: 8.3.5)

Exploit Details

  • Flatt Security: Original research blog post detailing the BatBadBut vulnerability.

Mitigation Strategies

  • Explicitly define file extensions (e.g., use .exe) to prevent implicit batch file execution.
  • Sanitize user input to remove shell metacharacters (&, |, <, >, ^, %).
  • Move away from batch files (.bat/.cmd) for processing user input.
  • Use absolute paths to prevent PATH manipulation attacks.

Remediation Steps:

  1. Update Node.js to version 20.12.2, 21.7.2, or 18.20.2.
  2. Update Rust to version 1.77.2 or later.
  3. Update PHP to the latest 8.x versions containing the fix.
  4. Audit code for spawn or Command::new calls that rely on PATH resolution.
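
The mitigation list and remediation step 4 above can be enforced at the call site. The following is an added example, not code from the original report or from any affected project: it audits a spawn target for an absolute path and an explicit .exe extension and screens arguments when the target could be run by 'cmd.exe'. The names auditSpawn, guardedSpawn and winExt are hypothetical, and the double quote in the character set is an addition to the list above.

```javascript
// Added example: pre-spawn audit for Windows targets (all names are hypothetical).
const BATCH_EXTS = new Set(['.bat', '.cmd']);
// Metacharacters from the mitigation list; the double quote is an addition
// (assumption), since the flaw is described as breaking out of argument quotes.
const CMD_META = /[&|<>^%"]/;

// Lower-cased extension of the last path segment, '' if there is none.
// Parsed by hand with Windows separators so the audit runs on any OS.
function winExt(command) {
  const base = command.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot <= 0 ? '' : base.slice(dot).toLowerCase();
}

// Returns a list of findings; an empty list means the call passes the audit.
function auditSpawn(command, args = []) {
  const findings = [];
  const ext = winExt(command);
  // Drive-letter or UNC path: nothing is left to PATH resolution.
  if (!/^(?:[A-Za-z]:[\\/]|\\\\)/.test(command)) findings.push('not-absolute');
  if (ext === '') findings.push('no-extension'); // extension must be explicit
  else if (BATCH_EXTS.has(ext)) findings.push('batch-file'); // run via cmd.exe
  else if (ext !== '.exe') findings.push('non-exe-extension');
  // An explicit .exe is started without cmd.exe, so arguments are only
  // screened for every other kind of target.
  if (ext !== '.exe') {
    args.forEach((arg, i) => {
      if (CMD_META.test(String(arg))) findings.push(`arg-metachar:${i}`);
    });
  }
  return findings;
}

// Wrap any spawn-like function so flagged calls fail closed before execution.
function guardedSpawn(spawnFn, command, args = [], options = {}) {
  const findings = auditSpawn(command, args);
  if (findings.length > 0) {
    throw new Error(`refusing to spawn ${command}: ${findings.join(', ')}`);
  }
  return spawnFn(command, args, { ...options, shell: false });
}
```

Pass child_process.spawn as spawnFn in real code; the same auditSpawn function can also be run over call sites collected during a code audit.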


Read the full report for CVE-2024-3566 on our website for more details including interactive diagrams and full exploit analysis.