CERT VU:123335
Apr 10, 2024 - 12:00 a.m.

Multiple programming languages fail to escape arguments properly in Microsoft Windows

2024-04-10 00:00:00
www.kb.cert.org
Tags: programming languages, command injection, microsoft windows, vulnerability, security patch, runtime environment, neutralization of data, escaping arguments, arbitrary command execution, cve-2024-1874, cve-2024-22423, cve-2024-24576

EPSS: 0.0005 (Low), Percentile: 16.4%

Overview

Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. This vulnerability may also affect applications that execute commands without specifying the file extension.

Description

Programming languages typically provide a way to execute commands (e.g., os/exec in Golang) on the operating system to facilitate interaction with the OS. Typically, the programming languages also allow for passing arguments, which are considered data (or variables) for the command to be executed. The arguments themselves are expected to be non-executable, and the command is expected to be executed along with properly escaped arguments as inputs to the command. Microsoft Windows typically processes these commands using a CreateProcess function that spawns a cmd.exe for execution of the command. Microsoft documented some of the concerns related to how these should be properly escaped before execution as early as 2011. See <https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way>.

A vulnerability was discovered in the way multiple programming languages fail to properly escape the arguments in a Microsoft Windows command execution environment. This can lead to confusion at execution time, where an expected argument for a command could be executed as another command itself. An attacker with knowledge of the programming language can carefully craft inputs that will be processed by the compiled program as commands. This unexpected behavior is due to a lack of neutralization of arguments by the programming language (or its command execution module) that initiates a Windows execution environment. The researcher has found that multiple programming languages and their command execution modules fail to perform such sanitization and/or validation before processing these in their runtime environment.

Impact

Successful exploitation of this vulnerability permits an attacker to execute arbitrary commands. The complete impact of this vulnerability depends on the implementation that uses a vulnerable programming language or such a vulnerable module.

Solution

Updating the runtime environment

Please visit the Vendor Information section to see if your programming language vendor has released a patch for this vulnerability, and update the runtime environment to prevent abuse of this vulnerability.

Update the programs and escape manually

If the runtime of your application doesn’t provide a patch for this vulnerability and you want to execute batch files with user-controlled arguments, you will need to perform the escaping and neutralization of the data yourself to prevent any unintended command execution.

The security researcher has more detailed information in the blog post, which provides details on the specific languages that were identified and their status.
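One way to neutralize arguments before handing them to a batch file is to reject anything outside a narrow allowlist rather than trying to escape it. The sketch below is an added example, not code from this advisory or from any runtime's patch; the names `vet_invocation` and `target_extension`, the allowlist itself, and the sample inputs are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: file types that end up being interpreted by cmd.exe.
BATCH_EXTENSIONS = {".bat", ".cmd"}
# Assumption: a deliberately narrow allowlist. Widen it only with characters
# that cmd.exe does not treat specially.
SAFE_ARG = re.compile(r"[A-Za-z0-9 _.:/\\-]*")


def target_extension(program: str) -> str:
    """Lower-cased extension of the final path component ('' if none)."""
    # Windows ignores trailing dots and spaces in a file name, so strip them
    # before looking at the extension.
    name = ntpath.basename(program).rstrip(". ")
    return ntpath.splitext(name)[1].lower()


def vet_invocation(program: str, args: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the call may proceed."""
    ext = target_extension(program)
    findings = []
    if ext == "":
        # Without an explicit extension the name may resolve to a batch file.
        findings.append("program has no extension: it may resolve to a .bat/.cmd file")
    elif ext not in BATCH_EXTENSIONS:
        return findings  # not a batch file; the runtime's normal quoting applies
    for i, arg in enumerate(args):
        if not SAFE_ARG.fullmatch(arg):
            findings.append(f"argument {i} has characters outside the allowlist: {arg!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample invocations, not taken from the advisory.
    samples = [
        (r"C:\jobs\export.bat", ["report_2024.csv"]),
        (r"C:\jobs\export.BAT", ["Q1&Q2"]),
        ("convert", ["a.txt"]),
        ("convert.exe", ["Q1&Q2"]),
    ]
    for program, args in samples:
        print(program, args, "->", vet_invocation(program, args) or "ok")
```

Call `vet_invocation` immediately before the process-spawning call and refuse to run when it returns any finding; always passing the program with its full path and extension removes the first class of finding.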

Acknowledgements

Thanks to the reporter, RyotaK. This document was written by Timur Snoke.

Vendor Information


Haskell Programming Language Affected

Notified: 2024-03-21 Updated: 2024-04-10

Statement Date: April 10, 2024

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

The Haskell process library is affected. We assigned HSEC-2024-0003 for this issue. A fix was released in process-1.6.19.0.

Node.js Affected

Notified: 2024-02-22 Updated: 2024-04-12

Statement Date: February 26, 2024

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

Added references.

Rust Security Response WG Affected

Notified: 2024-02-22 Updated: 2024-04-10

Statement Date: April 10, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Not Affected
CVE-2024-24576

Vendor Statement

Rust is affected by this, and we issued CVE-2024-24576 to track the issue. Rust 1.77.2 fixes the vulnerability, and we recommend affected users to recompile their programs with the new compiler version.

The PHP Group Affected

Notified: 2024-02-22 Updated: 2024-04-10

Statement Date: February 22, 2024

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

yt-dlp Affected

Notified: 2024-03-21 Updated: 2024-04-10

Statement Date: April 10, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Affected
CVE-2024-24576

Vendor Statement

yt-dlp is affected and CVE-2024-22423 was issued to track the vulnerability.

Go Programming Language Not Affected

Notified: 2024-02-22 Updated: 2024-04-10

Statement Date: March 14, 2024

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Microsoft Not Affected

Notified: 2024-02-22 Updated: 2024-04-18

Statement Date: April 17, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Not Affected
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

This issue was identified by Microsoft in 2011 and continues to be a problem today. Thanks to a security researcher, the vulnerability is receiving greater attention and additional mitigations are being developed.

PostgreSQL Not Affected

Notified: 2024-02-22 Updated: 2024-05-13

Statement Date: May 10, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Not Affected
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Red Hat Not Affected

Notified: 2024-02-22 Updated: 2024-04-10

Statement Date: April 10, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Not Affected
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

R Programming Language Not Affected

Notified: 2024-04-10 Updated: 2024-05-13

Statement Date: May 13, 2024

CVE-2024-1874 Not Affected
CVE-2024-22423 Not Affected
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Erlang Programming Language Unknown

Notified: 2024-04-02 Updated: 2024-04-10

Statement Date: April 09, 2024

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

erlang:open_port/1,2 with the spawn and spawn_executable options are vulnerable and should not be used with untrusted input.

Dart Programming Language Unknown

Notified: 2024-04-02 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Julia Language Security Reporting Unknown

Notified: 2024-04-10 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

MySQL Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

MYSQL2 Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Perl Developers Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Python Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

Ruby Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.

SQLite Unknown

Notified: 2024-02-22 Updated: 2024-04-10

CVE-2024-1874 Unknown
CVE-2024-22423 Unknown
CVE-2024-24576

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2024-1874 CVE-2024-22423 CVE-2024-24576 CVE-2024-3566
API URL: VINCE JSON
Date Public: 2024-04-10 Date First Published: