Hello and welcome to the Friday, April 12, 2004 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from London, England.

Well, yesterday, a couple of listeners alerted me that the rust vulnerability that I talked about

is actually part of a bigger issue.

There's a blog post by a researcher, I guess you would pronounce it, a Ryo-Tac, that talks about

this problem.

They are calling this vulnerability bad, bad, but essentially it affects many languages that are

executing batch files on Windows. The problem here is that there is a create process API that's

commonly being used in order to execute these files.

But what happens behind the scenes is that the file name for the bad file, including any

command line arguments, are being passed to command.exe.

And that opens you to a host of OS command injection issues if you're not very carefully escaping any of the command

line arguments. One issue that's in particular kind of tricky to track is that after you

may do the escaping and after you then sent all that data, meaning the file name for the bad file and the command

and arguments to command.exe, environment variables that may be present in the command line

will be expanded. This is in particular an issue since by default you have the special

variable called command command line, which expands to double quotes. So an attacker

could include percent command, command, command line percent, which will then after you do all of

your escaping, expand it to a double quote, and as a result, may again get you back into OS command

injection territory. So Rust made a patch available.

I just saw earlier a Node.js patch that looks like it fixes this issue, even though this

particular issue is not quite credited in the release that I've seen.

...