Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

BatBadBut: You can't securely execute commands on Windows

RyotaK - Flat Security, posted 1 year ago
  • The vulnerability is a known issue that was first reported over 10 years ago. However, it is such a common mistake that languages keep making it again and again. When executing system commands via a subshell, it is important to escape shell metacharacters; otherwise command injection can be used to take control of the system. Most languages have this feature and it works well.
  • To prevent command injection, malicious inputs are commonly escaped. Additionally, inputs can be passed as separate arguments rather than as part of a shell string, which keeps bash metacharacters from doing anything on Linux and Mac. On Windows, the process is entirely different.
  • When executing a .bat (batch) file on Windows, the OS will automatically run C:\Windows\System32\cmd.exe .\test.bat within CreateProcess. Most languages escape the input being passed in order to prevent command injection. But how is this escaping done? With backslashes! Unlike Linux, though, cmd.exe does not treat the backslash as an escape character; its escape character is ^. So \" is insufficient.
  • This means shell metacharacters can break out of the escaping. For instance, passing "&calc.exe as an argument to spawn in NodeJS will execute calc. The result is command injection on Windows whenever a batch file is executed and its arguments can be influenced by an attacker.
  • The obvious fix would be to use a caret (^) instead of a backslash. However, the command prompt expands environment variables inline before the rest of its parsing, so substring expansion of environment variables can be used to reintroduce quotes, which is bad. How do we actually fix this, then?
  • As a developer, fixing this is tricky because of the issue above: it involves disabling the automatic escaping and then replacing a number of dangerous characters by hand. As a runtime maintainer, no extra detail was given; it was just something that needed to be fixed... weird.
  • Overall, a weird vulnerability in the interoperability of different systems. The bug has been around for a while! I enjoyed the debunking of the obvious fix in my mind as well.
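The quoting rules the notes above describe can be modelled in a few lines. The block below is an added example written for this page; it is not code from the BatBadBut writeup or from Node.js. It assumes a simplified model of cmd.exe (every `"` toggles quote mode, `^` escapes the next character only outside quotes, `\` is an ordinary character, and `&`, `|`, `<`, `>` act only outside quotes) and uses that model to show why the backslash-style quoting fails on the writeup's `"&calc.exe` input and why an escaper that keeps cmd.exe in quoted mode does not. The `batQuote` function is my own conservative variant: it refuses `%`, newlines and NUL instead of trying to neutralise cmd's variable expansion, so the names `liveMetachars`, `backslashQuote`, `batQuote` and `buildBatCommandLine` are all assumptions introduced here.

```javascript
// Added example (not from the original page or from RyotaK's writeup):
// a small model of which metacharacters cmd.exe would act on in a command
// line built for a .bat file, plus a defensive quoting routine.
//
// Modelling assumptions (mine): every `"` toggles quote mode, `^` escapes
// the following character only outside quotes, `\` is an ordinary
// character, and `&`, `|`, `<`, `>` are only "live" outside quotes.

const CMD_METACHARS = new Set(['&', '|', '<', '>']);

// Return the metacharacters cmd.exe would act on, with their positions.
function liveMetachars(commandLine) {
  const hits = [];
  let inQuotes = false;
  for (let i = 0; i < commandLine.length; i++) {
    const c = commandLine[i];
    if (c === '"') {
      inQuotes = !inQuotes;
      continue;
    }
    if (!inQuotes && c === '^') {
      i++; // caret escapes the next character, but only outside quotes
      continue;
    }
    if (!inQuotes && CMD_METACHARS.has(c)) {
      hits.push({ index: i, char: c });
    }
  }
  return hits;
}

// The common but broken approach: wrap in quotes and escape `"` as `\"`.
// cmd.exe does not treat `\` as an escape, so the inner `"` closes the quote.
function backslashQuote(arg) {
  return '"' + arg.replace(/"/g, '\\"') + '"';
}

// Defensive approach (my assumption, not the page's recipe): keep cmd.exe in
// quoted mode by doubling embedded quotes, and refuse characters whose
// handling depends on cmd's pre-parse variable expansion or line handling.
function batQuote(arg) {
  if (/[%\r\n\0]/.test(arg)) {
    throw new Error('argument cannot be passed safely to a batch file');
  }
  return '"' + arg.replace(/"/g, '""') + '"';
}

// Build the command line a runtime would hand to CreateProcess for a .bat file.
function buildBatCommandLine(script, args, quoter) {
  return ['cmd.exe', '/c', script, ...args.map(quoter)].join(' ');
}

// Constructed input: the writeup's demonstration value.
const hostile = '"&calc.exe';

const broken = buildBatCommandLine('.\\test.bat', [hostile], backslashQuote);
const hardened = buildBatCommandLine('.\\test.bat', [hostile], batQuote);

console.log('backslash quoting:', broken, '->', liveMetachars(broken));
console.log('doubled quoting:  ', hardened, '->', liveMetachars(hardened));
```

Running it shows the backslash-quoted line `cmd.exe /c .\test.bat "\"&calc.exe"` with a live `&`, while the doubled-quote line `cmd.exe /c .\test.bat """&calc.exe"` has none. The model deliberately stops short of simulating `%VAR%` expansion, which is exactly the part the notes flag as what breaks the "just use a caret" fix; rejecting `%` outright is the simplest way to stay outside that behaviour.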