Windows Has a Critical Command Injection Bug
- Published 12 Apr 2024
- In this video I demonstrate the 'BatBadBut' Bug that allows command injection on Windows machines in different programming languages. Don't let people send user input to random batch scripts.
Name a more iconic duo than Windows and backdoors for federal agencies (you can't)
North Korea and red star os
XZ utils and backdoors?
how is this a backdoor? how would it work remotely? what programs allow a remote user to add an arbitrary string of arguments to a windows batch file or linux shell file?
@@eldrago19 That was fixed as soon as it was discovered.
The youtuber Low Level Learning has a video on this, where he demonstrates how it can also happen on linux.
It's hardly even a bug. In order for it to be executed, the attacker has to have the ability to input strings from the stdin. If they can do that, then they've probably already got the ability to run commands anyway.
>Windows Has a Critical Command Injection Bug
Yeah, it's called windows
Windows = Open Front Doors
@@k-c Just a clickbait. Vulnerability is in Rust, not Windows.
@@mapron1 Windows design is weird and this is why this vulnerability exists in the first place.
@@mapron1 vulnerability IS IN windows, not rust. That's why Java said won't fix, Glownie.
Windows has a problem where it leaves the front door and the back door wide open for all to see with no plans to fix it 😂
Next week: 10/10 critical bug: the coffee maker is broken!
what's broken? It always returns 418!
@@RainbowPigeon15 that's broken, only teapots should return 418
Palo Alto introduces itself.
If this bug was called 'clown makeup', then the headline would be "Clown wears clown makeup"
I love how log4j is now most commonly used as a reference to CVE, not library itself 😅
imagine how the authors feel about it 😅
Which is ironic, since log4j, a logging library used to debug programs, got hit with one of the biggest vulnerabilities lol
@no_name4796 by a minecraft 2b2t hack client developer, lmao
@@Mempler damn. didn't know about that lol
it pretty much set the standard for most log libraries since, you probably use their idioms and threat levels pretty much verbatim if you do logging in any half-way standard fashion
fun part about this is how we've known variables enclosed in % are vulnerable to injection for decades at this point (along with %num or %*)
people never learn i suppose
It's so obvious that it's forgotten
@@the_Datana Tradition is a solution to a problem after the problem is forgotten. Now be sure not to forget the problem either.
Yeshi!
@@icaruslives4748 small world ey
@@ShivterShivtik25 i've summoned half the batch community with a comment
"Java: Won't fix"
Yeah! I think the java stance is the correct stance.
The Java runtime is open source and easy to fork tho.
Even if they did, the vulnerable machines are probably running Java 8 and never going to update
@@geeshta Ah yes, organizational stagnation.
“If it aint broke, don’t fix it!”
“Uhm, well actually, it is kind of broken-“
“ **If it aint broke don’t fix it** ”
Java: our enterprise customers rely on this bug for their code to work
@@vytah XKCD 1172, as always
You will eat zee bugz
You vil be backdoored. And you vil be happy
So it was the Germans all along. I knew they were too calm
No. I vill never eat zee bugs, or live in zee pod.
That WEF dude looks like the final Boss of the New World Order ...
Until you beat him (after few retries and at a higher lvl) and then you face the TRUE final boss ...The Ultimate Lizard!
@ahmedp8009 Majora, Phase 2?
Shout out to Frostb1te for releasing a PoC early on. I bet there would've been a HUGE panic if no PoC was released and the 10/10 rating went through people imaginations.
Imagine not sanitizing inputs and then being confused to get remote code execution. It's like people have forgotten about SQL injections
Lmao yea, the only part I'm surprised about is that you actually need the escape character 😂
so true. i still don't understand how giving the user access to directly modify a command that will be executed is a windows vulnerability
It's more like the programmer was using a prepared statement and got an SQL injection anyway. The API was supposed to do all the necessary escaping
sql injection is like the very first thing people teach you about hacking... so it's insane to think app devs don't sanitize their inputs, especially when letting a user execute a bat file on their server.... which in itself is such a bad thing to do.
Please watch 5 minutes into the video
"There's this new 10/10 vulnerability on windows man!"
"Oh yeah ? Can you reproduce it ?"
"Yeah! You need to sacrifice a goat at midnight while it's a full moon, then wait to get struck by lightning. Once you're at the hospital and you see the doctor, you need to slip this magic medallion into his pocket, and then you need to have a baby with the nurse. Then you'll get remote code execution on your computer. This is abhorrent man."
I still think it should be patched, but 10/10 vulnerability ? lol, it just desensitizes people who are less informed about IT security. ;o
The steps you've listed are probably just a usual Saturday night for a Rust dev
@@rusi6219 rofl I don't touch rust at all, thanks for the enlightening statement. :D
By the way even Windows APIs find it too difficult to encode separate args into a command-line string. You can get the arguments out of the command line string by calling CommandLineToArgv but the Windows APIs provide no encoder (i.e. there is no ArgvToCommandLine). Rust got the implementation of this encoder wrong. (ya see folks, Microsoft wisely did not even try)
Here's the thing: cmd.exe has a completely different decoder, and in theory any program can have a different decoder. For example, programs compiled under Cygwin have a decoder that autoexpands glob patterns. All those vulnerable runtimes implement the encoder for the standard argument encoding correctly, it's just it's not the only encoding they need to care about.
> Here's the thing: cmd.exe has a completely different decoder
Well you mean that cmd does not use CommandLineToArgvW. well, CommandlineToArgv would split `hello" & mspaint.exe` into `hello` and `& mspaint.exe`, so probably yes.
> it's just it's not the only encoding they need to care about.
Well, Windows has weird rules about argument quoting. I read an article "A Better Way To Understand Quoting and Escaping of Windows Command Line Arguments" once, but it's now only available on the archive, that explains it.
> All those vulnerable runtimes
Well, most of the programs that are using these decoders are not shells, so they will not run arbitrary commands. If you already have access to the command-line flags, then you can often do pretty much everything the program can do; there is no need to trick the argument parser.
@@alexandermaximilianoetken7265 There are no rules about arguments quoting in Windows because any program can parse the command line in any way it sees fit.
@@dm-vh3xj Well I was talking about the standard rules. Of course you can parse the way you want.
@@alexandermaximilianoetken7265 if by standard rules you mean cmd.exe rules then I agree.
This is overblown, this shouldn't be 10/10
Agreed
True, still a pretty big oversight.
If the program is vulnerable, then an unprivileged user can, over the network, run arbitrary code on the target machine, without anyone else's input, and it's very easy to do so. 10 seems reasonable.
Scoring does not take into account how often the vulnerability occurs.
10 is for things like access escalation and remote code, *both*, not one or the other
Sanitization of user input is always the developer's job, not the language's. Calling this a 10/10 critical vulnerability is like saying that every language you can think of for web development with SQL bindings has problems because SQL injection can be performed if you don't properly sanitize the inputs. It's not the fault of the language.
Yea this should be like a 2/10. If I were writing code that took user input and performed bash on it I'd probably expect that if I didn't sanitize it the user could do RCE. The only thing I'm surprised about is you need the escape character 😂
The difference being developers are almost never expected to do the basic parsing that tells their program which arguments it has received.. which is what this bug concerns.
If I understand the issue properly, the vulnerability allows someone to escape any sanitisation.
Ideally, sanitization should not be necessary, and parameters/arguments should be passed separately so the receiver can handle them appropriately. SQL does that through the use of parameters in the query. The problem here was that the user input was passed in as an argument, which was expected to be safe.
@@guiorgy I think you're confused because "SQL" doesn't sanitize anything. I'm pretty sure you're talking about prepared statements and the implementation of prepared statements is at the application level.
It doesn't really matter if there's any privilege escalation because the average Windows user will run everything as administrator anyway
The TempleOS way Windows users are clearly superior to you
Or they will just bypass it with cmstp or fodhelper (It's kinda patched but still works with dll injecting) exploit.
haha, i use linux, i'm so much better than everyone else. anyone who uses windows must be a retard, amrite guys? /s
That doesn't matter because apps can just bypass the UAC
What if you have completely uninstalled all windows apps like the store, edge, all the app extensions, and one drive of course and then all telemetry i can. I sometimes completely block the updates and ports too
Well, the liblzma/xz bug did certainly not backdoor the "ssh process for most of the linux servers out there on the internet". The bug was found shortly after it was introduced and is not compiled into every version of sshd. Unless most servers on the internet use a bleeding edge version of the library, few servers were actually affected.
I do NOT want to watch anybody cooking parrots.
@@flowerpt 😂😂😂
My understanding is that it could have had a massive impact had it not been detected so soon. It took a month to detect the malicious code; if stable distro updates had been released then it is very reasonable to believe hundreds of millions of computers would have been affected.
@@waterbloom1213 Yes! That is my understanding as well. However it did not backdoor most linux servers on the internet. The number of internet-facing servers actually affected was probably limited. Furthermore, to actually use the backdoor the attacker needed a private key. It is possible that the person who introduced the backdoor wanted to sell the private key or somehow make money off it in some other way, but unless you had the private key you could not use the backdoor.
Nevertheless, in the video the claim is that the "ssh process for most of the linux servers out there on the internet" had the backdoor. This is simply not true.
he parrots headlines and fills in the blanks with his biased “facts”.
its actually getting kinda annoying. also, why does the thumbnail imply RUST is the problem…but he says windows..
"Won't fix" is code for "skill issue"
or the fact that literally nobody has used java over version 8
Bobby Tables strikes again.
That's Bobby 'Drop Table Users 😎
7:15 if there is a program that does this, then it runs on Windows Vista, is written in Java 6, and specifically relies on this bug to work.
classic xkcd 1172
@@RenderingUser Correct. I should have thought of that.
LMFAO i love how u replaced rust with windows and i agree
same
I mean it's the Windows commands that are ridiculously bloated
Clickbait, unfortunately. I fell for it.
Future programs should be memory safe (and contain our backdoor).
Nice Wojaks. Not sure if anyone else has complimented the channel’s use of wojaks in its thumbnails.
brainlets :D
It's the reason I click
@@calligraphysthetic they just like me fr?
Not sure wojaks but I know the thumbnail monerochans are well appreciated
@@synexiasaturnds727yearsago7 fax frfr
This is the best timing. Right during the lunch break of your average wagie:)
Why tf would you call a batch file from any other language?
Thanks for making this clear 🙏
mental outlaw is a rust dev now 👀
It's not a bug tbh, the code does what it supposed to do, you can write the same code in cpp or cs and expect the same result.
i think the code is supposed to do proper escaping according to the documentation, so it is indeed a bug
@@asdfghyter I think CMD is just too old and abused. The issue is just that cmd is Windows' /bin/sh; programs frequently start subprocesses in shells. It's not so new or bad, just not for remote applications.
Then why constantly point out things that are lesser problems to this in C to shill Rust?
@@rusi6219 impact and decades of observed experience.
I do think this is a bug because the function claims it sanitizes inputs. It is more on windows for being shitty but the function shouldn’t say one thing and do another.
@@BjornBidar i mean sure, that’s the main cause of the issue, but because the rust code decided to take on that responsibility by saying that it escapes it in the documentation, it does indeed have that responsibility. if it said “don’t use this on windows, [do other thing] instead” or something, then it wouldn’t be a bug. or if it said “you’re responsible for escaping and ensuring no command injection” it would also be fine
He really said "cmd.exe is bloated"... Like is it though? I have no idea, I'm not the type of nerd to judge that but it seems like a bit of a hot take...? That line would feel right at home on an "average linux user" soyjak meme, is all I'm saying
It's a poor take. This is not the OS's fault.
It’s pretty accurate.
U really think it’s not lmao? Benchmark ur commands.
@@ohmsohmsohms comparing against what?
Everyone who's anyone on Windows uses Powershell/Terminal anyways. Linux just had a major security vulnerability. It's just Linux bros reaching.
You are very wrong about how common or wrong this pattern (user input to shell) is.
This is super common, mainly when a software needs to call utils like ffmpeg or whatever, and that is quite often based on a file path the user inputs.
Sure, the app should always verify the parameters instead of a blind injection, but still very common and not an issue or stupid idea like you are saying.
This does not work with arbitrary executables. You need to call cmd.exe specifically, directly or via bat file.
@@mk72v2oq And if you are writing a `.bat` file it's very unlikely you won't invoke `cmd.exe` within it, since you are already in the territory of writing an ad-hoc script for your needs.
@@ra2enjoyer708 cmd is always invoked there. I.e. calling 'test.bat' implicitly expands into 'cmd.exe /c test.bat'. That's why the attack is possible in the first place.
Lol, reminds me when people were able to open the cd drive of those playing counter strike in the olden days...
On another note, I love 2:36 with the second person manually handing over a normal, presumably *disconnected* keyboard for them to type on.
This bug would be fun to set up in the THM room about command injection. It had an example of a website that pings a domain to see if its up and showed how you can use escape characters to run other bash commands.
When I was doing that room my first thought was "but who would just pass arguments straight through to command line from a website?
If mistakes when using languages like C++ are considered a flaw in the language then this is also a flaw in Rust and a Windows vulnerability. Corporations want to use code monkeys to pay them peanuts, they don't want to pay for professionals. That is the real problem.
This flaw is with C++, the flaw is in the C++ Windows API because Windows doesn't provide a parameterized way to pass the info, so rust has to parameterize then unparameterize it, but it wasn't doing that which is the problem. every other platform accepts parameterized natively.
All these idiots with college degrees to code don't even know how to find the critical bugs 😂 they are still on kindergarten level understandable .
I would have loved to also see a demo how after an update to Rust 1.77.2 the command execution no longer works.
I think I remember similar bugs in PowerShell back in the day...
How is this a bug in the caller? They pass along the entire string as first argument, like: execve("my.bat", ["text\" & calc.exe", …])
Looks like batch, PowerShell, or whatever that is, first assembles the line and only then parses it for execution, now finding two commands.
I disagree, it is not a Windows issue. I don't know why this is being flagged as a Windows issue, as it could easily have been a problem with other operating systems if following a similar pattern. It's the developer, not the OS's responsibility, to sanitize user inputs.
No clue why they rated this 10/10. It's a bad bug but it isn't 10/10 bad.
Ah, yes the rust NSA backdoor’s been finally found I can sleep well knowing my windows 2000 server instance is safe
NSA is probably like: goddamn, my backdoor code doesn't run on that ancient piece of tech anymore, what sorcery is this?!
now we can all laugh at the people who said "that's why i don't use linux" during xz
Ong man
Xz is a backdoor which got stopped in time.
In windows who knows how many backdoors are put there INTENTIONALLY
That's the difference: on linux it gets caught at some point, in windows, windows itself is a backdoor into your ass
@@no_name4796 There's already a ton in linux as well, you just don't know about them. The XZ utils backdoor was just one that happened to be caught.
@@kristoffer8609 I believe that if you can prove it. The main disadvantage with the xz vulnerability was a systemd dependency with sshd.
There is no way to hack Linux because it is not standardized. But using the most basic and used packages could be ways to hack the system, but who knows if there are major vulnerabilities.
For example, let's imagine you said: there are 17 backdoors on Linux systems, with obfuscated and hidden malware. If you can't prove it, it's just a phrase.
@@kristoffer8609 If you want secure, you will have to live with the joys of using a microkernel.
ok well, what if I like bugs?
Bugposter alert
Random bug event!!!
YOU WILL EAT THE SOFTWARE BUGS AND YOU WILL BE HAPPY
@@z_z Careful there. You're gonna ratio yourself.
@@j100j the only ratio you should be concerned about is the ratio of homes you don't own to the homes blackrock owns
The CVEs are getting good these days, hopefully they keep looking for things like these
Log4J was a mistake caused by feature creep without feature config defaults that were rational, for an open source project that wasn't properly funded and supported by the community. The ssh backdoor was an intentional attack using next-level social engineering with complicated obfuscation, on an open source project as well.
A really common place you'll find people passing user input to batch files is gonna be wrapper scripts that set up the user environment prior to invoking whatever command was provided.
I can think of a few common programs where the user always interacts with it through a batch file to make sure there are never any dumb errors due to environment configuration.
If you expose one of those to a web service like a continuous integration build service, maybe you'll have something to think about.
I don't see how this is a Windows problem. CMD does exactly what it's supposed to do.
Yes it's a Rust issue
So basically most normal people were not affected by this bug, but now we know for sure it's Windows' fault😅
No it's more the language libraries fault, it's their job to properly escape arguments, but can say that Windows makes it complicated to do that.
World: XZ backdoor vulnerability
MO: Let’s talk about Windows Vulnerability
This month is crazy for vulnerabilities. Good to know that they are being revealed before non-federal agents use them.
Great video Thank you
You know thinking of different coding languages and knowing that one day they will basically end up at the same place, it always takes me back to those futuristic cartoon and TV shows from the 80s and 90s where someone executed something on a computer and there is some very slow moving timer or meter crawling across the screen despite the fact that we know that far in the future commands should be executed nearly instantaneously.
Makes me wonder if this future code or computer infrastructure has resistors across computer connections that allows or requires arbitrary amounts of time to pass before a command is executed in order to prevent a bunch of instantaneous actions from occurring that humans wouldn't be able to prevent or detect similar to what you would see in a bunch of updates processing in Linux via the terminal flashing by.
Data resistors. Required security feature in the future
Then there should be data coils and capacitors too...data transformers too....err, maybe that's LLMs?
More like a futuristic machine will have to allocate 4/5th of its RAM for all DRM-laden frameworks in order to pass the command through all of them.
Why do you call it a bug? It's obviously a feature duuh
hi kenny... could you please do an update video on the best recent practices of VPNs, like openVPN, mullvad, and wireguard (now that it's becoming older) and vultr hosting (this one, I don't think your referral code is still working), doesn't need to be about installation, just an overview. Thanks
One problem is that the libraries of these programming languages hide these shell shenanigans behind something that looks simple and reasonable enough so that any useful docs, if these exist, will not be read carefully, if at all. First and foremost, they offer some sort of arg list/array that reinforces the expectation that arg handling/escaping will be done by the library - as it should be.
This whole cluster f"*ck is unnecessary anyway. Windows, like other MP OSes, does have a Win32 API for direct process creation without cmd.exe (shudder).
Anyway, anyone who gets bit by direct exploitation due to lacking input sanitation earns part of the blame.
Sounds like a windows issue. Glad I switched
Excellent when access is already gained ....
To get your day started.
and in linux the xz hack didn't really make it out of the testing environments other than arch which wasn't affected.
Ah, so nothing of note happened at Microsoft. Good to know, thank you for informing me!
this actually is not an issue
windows administration catches bat commands executed without hierarchy
in the normative case, a file would need to ask for access which kicks in a user prompt.
Outlaw's verification is using an application that already has full permissions.
man.. log4j feels like forever ago
Can't wait to see what windows will do (there are chances they will deny it)
Lmao the way that works I'd definitely say some type of 3 letter word agency. It's just so funny how you did the paint.exe,
That rust library is meant to do that. It will run commands you give it. Wouldn't call that a vulnerability. Watch the video by lowlevellearning on the subject
Loved that Java won't fix it. Such chads
wonder why the whitehouse was pushing for rust over C LOL
Scary how much of the software we take for granted can have such critical flaws since only God knows when
I thought the video was gonna end when he typed shutdown lol
is that why the government endorsed rust?
Precisely
No, this isn't a Rust vulnerability.
@@trollerjakthetrollinggod-e7761nothing's ever your fault
@@rusi6219 this is literally a Windows vulnerability, Linux doesn't have this. Rust can't fix the way Windows parses arguments.
No. Actually biden is a furry
10:55 Meer alcohol doesn't thrill me at all. 🙅❄👃
you help me fall asleep thank you
Kinda wild that its really just a flaw in cmd exe but people instead blame only Rust. Crab haters, man.
2024 is the year of the 10/10 CVE, apparently
Haven't made a bat file in fourteen years lol I did the math on the last time I needed to.
It was to configure PDAs used by my old organization's supply chain.
🎉 Fkn PDAs family 🎉
I mean, unless you have total memory encryption any OS is susceptible to a well carried out cold boot attack.
You’re gonna post a full video on this but not FISA 702????
reject modernity. embrace history.
reject Rust, embrace C and assembly
C and assembly is anything but history
@rusi6219 🧢
I like my language like my sex. Slow and easy like Python.
Yeah. Only the linux kernel is probably more code than most programmers will ever write in their lives and it's mostly C
The bug is literally just having unsanitised inputs. The exact same thing would happen in C if you had the same implementation.
old bug... use ^ char to escape the " char, just like using the \ char in bash (backtick ` char in powershell)
So I have seen this in Lua projects all the time.
10:57 now, he wont freebase cocaine if he's driving, and it's a sunday.
Ah yes the motto of microsoft: better sorry than safe
Kenny can you make a video on kicksecure?
I might have written something years ago, that is vulnerable to that. Don't know if I still have the source. It's a small spring boot web app calling wkhtmltopdf like that which passes a URL from user input as command line argument. And if someone like me has done it, I don't think you can "count the number of vulnerable apps on your fingers and toes" anymore.
did you send that url to a bat file
If you want to be safe from Windows Command Injection Bug, just don't use Windows.
This ☝️
If you want to spend four hours each day getting correct drivers and finding versions that actually work with your hardware then don’t use Windows.
If you want to be safe from XZ Compression Exploits, don't use Windows?
Never using Linux and everything else is outdated or doesn’t run on modern PCs. I’m never running anything except Windows because everything else is garbage. Even Windows 8 and up is garbage that should never be used. Stick to Windows 7 and never go online. Permanently safe
@@luovuttaa stop with this type of comments.
Can you link the articles in the video description?
Everything is vulnerable, we need a web-based container OS such as Chrome OS
> Media telling that the entire Linux ecosystem is compromised for xz. (But was only experimental branches)
> Windows:
There needs to be a 10.1 rating for “oh shit nuke everything this thing touched” which would be XZ.
It's not a bug ffs
I might be missing something but how is this a vulnerability if to use it you have to design an application in a specific way that allows users to send arbitrary commands, which are stored in a bat file by the application and then are run by said application with no checks at all? Do all DBMS have a critical vulnerability because you can do SQL injections with poorly written backend code?
Was that XP you were running? Based.
only 3 letter agencies use this issue. beware website makers & of generators running w/centralized server anywhere including for fixes/patches, updates or notifications
Why is Java 8 still being worked on with latest update being released in January of this year?
Anyone know what keyboard he uses or what type of keys sound like that
What a month, xz backdoor and now this
jokes on you my command prompt and power shell in windows are broken hahahaha
i swear the environment variables or something are messed up hence almost every command is broken haha ):
I'll put this out there: cmd.exe argument escaping is NOT the same as a program using UCRT (most programs).
Windows does not have argc+argv; UCRT emulates them following a rule. cmd.exe inherited arcane escape rules that are ever so slightly different. The (IMO) ONLY way to escape properly for cmd.exe is to use the /S flag (iirc). It removes the first quote and the last quote of the command line string.
TL;DR: blame Windows for bad design, and blame them for not addressing the bad design, and then triple blame them for not publishing THE LITERAL FIX THEY HAD WRITTEN as a part of Windows API.
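The three threads above (CommandLineToArgv encoders versus cmd.exe's own decoder, `test.bat` silently becoming `cmd.exe /c test.bat`, and the UCRT-versus-cmd.exe escaping rules) describe the same mechanism from different angles. The following is an added example, written for this page and not taken from the video, from Mental Outlaw, or from the Rust standard library. It runs on any OS because it never spawns cmd.exe: it builds the `/c` string the way a pre-fix runtime would (argument quoted for CommandLineToArgvW, so `"` becomes `\"`), builds it again quoted for cmd.exe's rules (every `"` doubled, `%` rewritten, CR/LF rejected), and runs both through a small model of cmd.exe's phase-2 parsing to show which one splits on the attacker's `&`. Assumptions, flagged in the code: the batch file uses its argument as `%1` or `"%~1"` (a bare `%~1` re-exposes the text and no quoting can help), the `%%cd:~,%` rewrite expands back to a single `%` when cmd.exe processes the command line, and the parser model ignores percent expansion, redirection and parentheses. Check both assumptions on a real Windows host before relying on them. Note for the `^` suggestion further up the thread: cmd.exe treats `^` as an escape only outside quotes; inside a quoted span it is a literal character, which is why the hardened form relies on quote doubling instead.

```rust
// Added example for this page; not the video's, Mental Outlaw's or Rust std's code.

/// Pre-fix style quoting: the CommandLineToArgvW/UCRT convention. A `"`
/// becomes `\"` and backslashes before a quote are doubled. Correct for
/// most programs, useless for cmd.exe, which never treats `\` as an escape.
pub fn argv_style_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            '\\' => backslashes += 1,
            '"' => {
                out.push_str(&"\\".repeat(backslashes * 2 + 1));
                out.push('"');
                backslashes = 0;
            }
            _ => {
                out.push_str(&"\\".repeat(backslashes));
                out.push(c);
                backslashes = 0;
            }
        }
    }
    out.push_str(&"\\".repeat(backslashes * 2));
    out.push('"');
    out
}

/// Quoting for cmd.exe's parser. Every `"` is doubled, so the quote flag is
/// only ever off between two adjacent quotes and no attacker character is
/// parsed unquoted. `%` is rewritten as `%%cd:~,%` (ASSUMPTION: expands back
/// to `%`) so `%PATH%` in an argument is not expanded. CR/LF end a cmd.exe
/// command and cannot be quoted, so they are rejected instead of passed on.
pub fn bat_quote(arg: &str) -> Result<String, String> {
    let mut out = String::from("\"");
    for c in arg.chars() {
        match c {
            '\r' | '\n' => return Err("batch file arguments cannot contain line breaks".into()),
            '\0' => return Err("batch file arguments cannot contain NUL".into()),
            '"' => out.push_str("\"\""),
            '%' => out.push_str("%%cd:~,%"),
            _ => out.push(c),
        }
    }
    out.push('"');
    Ok(out)
}

/// The string after `cmd.exe /c`: quoted script path plus quoted arguments,
/// wrapped in one extra pair of quotes because cmd.exe strips the first and
/// last quote of that string (always with /S; here also without it, since
/// the string holds more than two quote characters).
pub fn make_command_line<F>(script: &str, args: &[&str], quote: F) -> Result<String, String>
where
    F: Fn(&str) -> Result<String, String>,
{
    let mut line = String::from("\"");
    line.push_str(&argv_style_quote(script)); // a path: plain quoting suffices
    for arg in args {
        line.push(' ');
        line.push_str(&quote(arg)?);
    }
    line.push('"');
    Ok(line)
}

/// Simplified model of how cmd.exe splits its `/c` string into commands:
/// outer quotes removed, `"` toggles the quote flag, `^` outside quotes
/// escapes the next character (inside quotes it is literal), and `&` or `|`
/// outside quotes ends the command. Percent expansion, redirection and
/// parentheses are deliberately not modelled.
pub fn cmd_split(line: &str) -> Vec<String> {
    let inner = line
        .strip_prefix('"')
        .and_then(|s| s.strip_suffix('"'))
        .unwrap_or(line);
    let mut commands = Vec::new();
    let mut current = String::new();
    let mut quoted = false;
    let mut chars = inner.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '"' => {
                quoted = !quoted;
                current.push(c);
            }
            '^' if !quoted => {
                if let Some(next) = chars.next() {
                    current.push(next);
                }
            }
            '&' | '|' if !quoted => {
                if chars.peek() == Some(&c) {
                    chars.next(); // `&&` and `||` are still a single separator
                }
                commands.push(current.trim().to_string());
                current.clear();
            }
            _ => current.push(c),
        }
    }
    commands.push(current.trim().to_string());
    commands
}

fn main() {
    let payload = "hello\" & calc.exe"; // constructed attacker-controlled input
    let naive = make_command_line("script.bat", &[payload], |a| Ok(argv_style_quote(a))).unwrap();
    let hardened = make_command_line("script.bat", &[payload], bat_quote).unwrap();
    println!("naive:    {naive}\n  -> {:?}", cmd_split(&naive));
    println!("hardened: {hardened}\n  -> {:?}", cmd_split(&hardened));
}
```

The naive line, `""script.bat" "hello\" & calc.exe""`, parses as two commands once the outer quotes are gone: the quote flag closes after `hello\`, leaving ` & calc.exe"` unquoted. The hardened line, `""script.bat" "hello"" & calc.exe""`, stays one command, and the batch file sees `%1` as `"hello"" & calc.exe"`. The rejection of CR/LF mirrors the policy the fixed Rust release documents (an `InvalidInput` error rather than a best-effort escape); the specific quoting scheme here is this example's, not a claim about what std emits.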
Dev: There's a pretty nasty bug in you software that allows remote execution.
Java: That sounds like a you problem. Git gud.
python! os.system("echo "+inputvariable); # oh noes! Python is vulnerable too on SunOS!
I somehow actually encountered this piping commands to a c based string processing program through python.
A little strange people consider this a 10/10 vulnerability. This is at most like a 3/10 vulnerability with a 10/10 skill issue involved.
When it's C it's a problem with the language when it's Rust it's a skill issue
@LiveType agreed
This is such an off case user situation that I can't even start to understand where someone would actually use it.
Think of this, a RUST Server (Weird, right) taking user input and passing to .bat??? X"DDD
I can't even understand why someone would want to do that.
Also, when you've noted that this is "Not something you can handle with user input handling" I highly doubt that it's that difficult to sanitize the input.
Besides, who in their right mind would even invoke .bat from rust, it just doesn't make sense to me. Using a low level language to invoke and script a super old CLI Language.
I agree how you noted "You can probably count these on one hand".
some people think crabs look like bugs FYI