Introduction Hello, I’m RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc.
Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied.
Today, affected vendors published advisories of these vulnerabilities 1, so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.
But that’s exactly the problem: these applications were sanitizing the input using the APIs provided by their language standard libraries. Except that sanitization proved insufficient because the requirements for sanitization differ greatly when the command is interpreted by
cmd.exeas opposed to running regular executables. This is such a big footgun in the Windows API that it was overlooked by seemingly every major programming language implementation out there.