In this post, we will discuss a recently found vulnerability, CVE-2024-36138, which bypasses the incomplete fix of CVE-2024-27980. This vulnerability arises from improper handling of batch files with all possible extensions on Windows operating systems while using child_process.spawn or child_process.spawnSync functions. The exploit allows a malicious command-line argument to inject arbitrary commands and achieve code execution even without enabling the shell option.

What is CVE-2024-27980?

CVE-2024-27980 is a vulnerability that was identified earlier, and it stemmed from the mishandling of batch files in Windows when using child_process.spawn and child_process.spawnSync functions. The primary issue with the vulnerability was that it allowed an attacker to inject arbitrary commands through command-line arguments, ultimately leading to potential code execution.

However, the fix provided for CVE-2024-27980 had shortcomings, and CVE-2024-36138 serves as a bypass for that incomplete fix.

The Exploit Details

The main issue lies in the improper handling of batch files with different extensions in Windows via child_process.spawn and child_process.spawnSync functions. In Windows, batch files can have any of the following extensions: .bat, .cmd, .btm, .avbs, .cscript, .jscript, and .wsf.

CVE-2024-36138, the bypass for the earlier fix, exploits this by making use of any of these extensions, essentially replicating the same vulnerability as CVE-2024-27980.

Here's a simple code snippet that demonstrates the vulnerability

const { spawn } = require('child_process');

const command = 'calc.exe';
const args = ['&', 'notepad.exe'];

const child = spawn(command, args, { shell: false });

In this example, a simple command to open the Windows Calculator is executed, followed by the opening of Notepad. However, the vulnerability allows an attacker to inject arbitrary commands, potentially leading to code execution.

The original CVE-2024-27980 vulnerability was first reported here

- CVE-2024-27980

And the fix provided for that vulnerability here

- Fix for CVE-2024-27980

Now, the newer bypass of the incomplete fix is presented in CVE-2024-36138

- CVE-2024-36138

Mitigation and Recommendations

To mitigate this vulnerability, developers must ensure that the security patches provided by the software vendor are up-to-date. Also, take care to sanitize input arguments and avoid using shell option when it's not necessary. In addition, developers should apply stringent checks on any user-provided input to prevent the possibility of arbitrary code execution through malicious command-line arguments.

- Node.js Security Best Practices

Conclusion

CVE-2024-36138 is an important security vulnerability that bypasses the incomplete fix of CVE-2024-27980. This highlights the significance of understanding the root cause of an issue and identifying potential related or similar vulnerabilities. Proper handling of batch files in child_process.spawn and child_process.spawnSync functions is critical to prevent arbitrary code execution. By following security best practices and remaining vigilant with updates, developers can effectively safeguard their applications against this type of vulnerability.

Timeline

Published on: 09/07/2024 16:15:02 UTC