‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

The issue, named ‘BatBadBut’, exists because the Windows operating system spawns the ‘cmd exe’ process when executing batch (bat) files with the ‘CreateProcess’ function, and programming languages do not properly escape command arguments.

Most programming languages wrap the ‘CreateProcess’ function to offer a more user-friendly interface but fail to properly escape the command arguments passed to the function.

The OS cannot execute batch files without ‘cmd exe’, which “has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly,” Flatt Security researcher RyotaK explains.

Because of this issue, an attacker who can control the command arguments section of the batch file can potentially inject commands into Windows applications.

‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

INDIA | Chennai

INDIA | Kochi

INDIA | Thane

UK | London

USA | New York

KUWAIT

SRI LANKA

Address

‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

12-May-24

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

INDIA | Chennai

INDIA | Kochi

INDIA | Thane

UK | London

USA | New York

KUWAIT

SRI LANKA

Address