So first up, we have BatBadBut, a pun based on the vulnerability being “about batch files and bad, but not the worst.” It’s a weird interaction between how Windows uses cmd.exe to execute batch files and how argument splitting and character escaping normally works. And what is apparently a documentation flaw in the Windows API.
When starting a process, even on Windows, the new executable is handed a set of arguments to parse. In Linux and friends, that is a pre-split list of arguments, the argv array. On Windows, it’s a single string, left up to the program to handle. The convention is to follow the same behavior as Linux, but the cmd.exe binary is a bit different. It uses the carrot ^ symbol instead of the backslash \ to escape special symbols, among other differences. The Rust devs took a look and decided that there are some cases where a given string just can’t be made safe for cmd.exe, and opted to just throw an error when a string met this criteria.
And that brings us to the big questions. Who’s fault is it, and how bad is it? I think there’s some shared blame here. The Microsoft documentation on CreateProcess() strongly suggests that it won’t execute a batch file without cmd.exe being explicitly called. On the other hand, This is established behavior, and scripting languages on Windows have to play the game by Microsoft’s rules. And the possible problem space is fairly narrow: Calling a batch file with untrusted arguments.
Almost all of the languages with this quirk have either released patches or documentation updates about the issue. There is a notable outlier, as the Java language will not receive a fix, not deeming it a vulnerability. It’s rather ironic, given that Java is probably the most likely language to actually find this problem in the wild.
D-Link E-Waste
A Pair of Vulnerabilities have been announced for D-Link NAS units, that together make for a trivial unauthorized Remote Code Execution (RCE) scenario. The four known-vulnerable models are all from the DNS-300 series, and all of them are well beyond their End of Service dates. These devices are on the Internet, and scanning and exploitation has started in the wild.
Due to the age of the units, D-Link will not be issuing patches for the hardcoded credentials and command injection issues that were found. And that puts these devices strictly in the Do Not Connect category. A terrifying snippet taken from the DNS-327L manual: “The DNS-327L supports UPnP port forwarding which configures port forwarding automatically on your UPnP-enabled router.” No wonder there’s nearly 100k of these devices on the Internet. The official D-Link advice is to retire and replace.
And Your TV, Too!
Multiple versions of the WebOS TV firmware have a series of problems accessible over the local network. CVE-2023-6317 is a fun one, where an account with no privileges can be silently created, and then the key generated upon account creation can be immediately re-used to create another account, with full permissions.
And then there’s a trio of vulnerabilities that allow for command execution. The good news is that it’s only accessible from the local network, and that TVs aren’t known for UPNP shenanigans quite like NASs are. And the real silver lining, if you have one of the vulnerable TVs? There’s a WebOS Homebrew scene!
Mostly Luck — And Curiosity
[Fang-Pen Lin] was working on a project using ZeroMQ, a universal message library. This led to excitement about CurveZMQ, which among other things, allows embedding arbitrary data into the metadata field of an authenticated message. And then curiosity forced the question, how much data can we put in there? To find the answer required a dive into the ZeroMQ source. And sure enough, there it was, a fixed-size static buffer, neatly defining how much data goes in the metadata field. But what would happen if we add a bit more data then we’re supposed to? Kaboom. The buffer overflows, the program crashes, and that’s how [Lin] discovered a critical security bug in ZeroMQ.
Now, this is more than just luck. It’s a combination of knowing enough to recognize the issue, and having the curiosity to look in just the right spot. The issue was rapidly fixed, and that was that, way back in 2019. Why are we talking about it now? Because that combination of skill, curiosity, and luck is how the XZ backdoor was discovered. And how pretty much every vulnerability or bug gets found and fixed. Follow the link for the rest of [Jin]’s thoughts on the matter.
Libfreeimage
The Libfreeimage library has a pair of buffer overflows, triggered by parsing malicious XPM images. In this case, it’s the color names in those files, which are copied into a fixed size buffer, and can be easily overflowed. And to make it worse, this can trigger an error message, which can lead to yet another overflow. It’s likely these issues could be used to achieve arbitrary code execution. This one could be quite a sneaky problem, as libfreeimage has been around for a long time, with the first release coming in January of 2000, and the XPM loader getting added in 2003. That’s a long time for a library to get built into other projects and binaries.
Bits and Bytes
Using the appropriate username of [1337_wannabe], a contributor to the Wordfence Bug Bounty Extravaganza earned a cool $5500 for a pre-auth SQL injection in the LayerSlider WordPress plugin. The was reported on March 25th, and a fix was pushed on the 27th, in an impressive show. Turns out you are pretty leet, [1337_wannabe].
On the other hand, when there’s no CVE, companies don’t get in much of a hurry to push updates. The Lighttpd lightweight web server pushed fixes for use-after-free bugs way back in 2018, but didn’t bother to get CVE numbers assigned, or make a big announcement of the vulnerabilities. This is typical for internally discovered issues like this. The problem here is that lighttpd gets bundled into other software, like Baseboard Management Controllers. And so for five years, Supermicro, Lenovo, and others have been shipping vulnerable BMC implementations, because nobody bothered to grab the latest version. On the plus side, these issues don’t lead directly to code execution, but they do result in data disclosure. The morals of this one? Update your code! And don’t put your BMC on the Internet!
And finally, in the funny-yet-problem category, the Twitter to X rebranding process hit a snag, when all domains ending in “twitter.com” were visually re-written as ending in “x.com”. AKA, a tweet with a link to netflitwitter.com would appear in the tweet as netflix.com, but still actually point to the bogus domain when clicked. Hilarious, and a real test-the-code-in-production sort of moment that I can really relate to. But it’s a problem particularly for the other brands that happen to end with an X, like Netflix and others, as this was prime phishing and spoofing risk while it was still a problem.
Find 99% of stupid exploits from C code:
Find usage of strcat,strcpy or sprintf.
Done. Shouldn’t be that difficult to find and fix.
Usage of non-“n” C std buffer function should be punishable by law.
“… to find and fitwitter.” FTFY ;-)
Several years ago I was trying to write a script that could escape arbitrarily nested commands at the windows command line. I ran into the issues the Rust community found. Microsoft’s document is flat out wrong on these points, and the way cmd.exe escapes things is incredibly broken and nonsensical. I lost over a month trying to get it working consistently and I arrived at a similar conclusion that there is simply no way to escape arbitrary strings for cmd.exe, the best you can do is try to detect these cases. At least, as ugly as it is, Powershell has a reasonable escape syntax. Also normal command-line parsing is Windows is sensible enough.
Well power-shell is now the go-to for a lot of windows things.
This wouldn’t have been a problem if cmd.exe also used the stick | symbol to escape special symbols.
Everyone knows you need both carrot and stick if you want results.
I’ll see your carrot and I raise my stick.
I will gladly give you a carrot on Tuesday for a carret symbol today ^
one r : https://en.wikipedia.org/wiki/Caret
Is ^ a carrot? Don’t carrots usually point down?
Ehhh, what’s up Doc?
*caret https://en.wikipedia.org/wiki/Caret
The D-Link vulnerability stems from hardcoded credentials in the firmware, something that has long been a no-no. It speaks volumes about D-Link that not only do they continue that practice, but when they’re caught, they refuse to issue a fix. Those devices have always been insecure, even when they were marketed as otherwise.
In other words: Stop buying D-Link products, because this same situation happens repeatedly with them, and their refusal to support the products they’ve sold is well-known by this point in time.
In the “Mostly Luck — And Curiosity” section, the last sentence of the second paragraph has a reference to “Jin” that I think should be “Lin”.
^ = carrot
@ = turnip
~ = runner bean
/|\ = sticks (to support bean plant)
, = slug (watch out for these in your veg patch)
now some fruits
( = banana
* = gooseberry
% = cherries
{ = bird (trying to eat your fruit)
# = netting (keeps off { { )
&=snail
O=tomato
o=cherry tomato
Õ=orange
ȹ=sprout
ɷ=kidney bean
$$$=how much growing your own produce costs
: = a rabbit has been in your veg patch
Come on, this cmd.exe security issue is not an issue at all. The issue is passing unsanitized user input to CreateProcess. And that’s a problem for the application sending user input straight to cmd.exe, not Rust or whatever.
You send user input to a bat file without filtering and whitelisting, you are giving the user a loaded shotgun and your foot. And the user hates you…
I agree on the sanitizing part, but I can readily imagine scenarios where strings containing ” or ^ need to be accepted.
I would argue that the real footgun is the CreateProcess API which expects the destination executable to split & unescape the command line arguments. One can hope that the executable uses CommandLineToArgv or some equivalent, but cmd.exe is a prime example of this not being the case.
I don’t often quote Wikipedia, but:
>> Not to be confused with Carrot or Carat.
>> Caret is the name used familiarly for the character ^ (the circumflex and a circumflex accent) provided on most QWERTY keyboards by typing ⇧ Shift+6.
Half-baked fill-in-the-blank-domain implementations causing arbitrary URL misdirection, seems to be a running theme this month. Toontown Corporate Clash just discovered a *fun* little misconfiguration-by-design in the Datadog API that was sending site usage statistics (fortunately nothing else) to an unintended URL, which then got yoinked by a domain parker that “it’s free real estate”‘d the NXDOMAINs that Datadog was barking into the digital sea.
https://corporateclash.net/news/article/153
https://sheriffcranky.substack.com/p/datadog-has-a-security-footgun
The WebOS thing is interesting to me because all my Win10 machines have a smart TV showing even though I own no such thing. Must be a neighbor. Doing a quick google shows that the LG tvs have WiFi Direct and no way to shut it off on some models. Ugh, I hate this “smart” junk. If I wanted my TV to be slower than a budget phone from 3 years ago I would have attached a 3 year old budget phone to it.
Meanwhile how do I make the WebOS TV stay off my network?
“Meanwhile how do I make the WebOS TV stay off my network?”
Burn it with fire!
B^)
Cut the trace to the PCB antenna?
A large, permanently installed appliance has no business being on Wifi anyway.