• hatedbad@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    7 months ago

    even in your hypothetical of a file name passed in through the args, either the attacker has enough access to run said tool with whatever args they want, or, they have taken over that process and can inject whatever args they want.

    either attack vector requires a prior breach of the system. you’re owned either way.

    the only way this actually works as an exploit is if there are poorly written services out there that blindly call through to CreateProcess that take in user sourced input without any sanitization, which if you’re doing that then no duh you’re gonna have a bad time.

    cmd.exe is always going to be invoked if you’re executing a batch script, it’s literally the interpreter for .bat files. the issue is, as usual, code that might be blindly taking user input and not even bothering to sanitize it before using it.

    • arendjr@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      take in user sourced input without any sanitization

      But that’s exactly the problem: these applications were sanitizing the input using the APIs provided by their language standard libraries. Except that sanitization proved insufficient because the requirements for sanitization differ greatly when the command is interpreted by cmd.exe as opposed to running regular executables. This is such a big footgun in the Windows API that it was overlooked by seemingly every major programming language implementation out there.