The recent (September 2014) disclosure of a command insertion vulnerability for command-shell scripts (batch files), by The Security Factory, made it painfully clear that batch files can be vulnerable to exploits.
Code Insertion, in short, means input (data) is (unintentionally, for the script author anyway) interpreted as code to be executed.
Batch files are extremely "weakly typed" (to use the understatement of the millennium): everything is a string, and a string can be everything, command as well as data, and there is no way to distinguish between the two.
This makes batch code insertion more than just a potential threat.
The vulnerability disclosure discusses a real-life scenario: with the dynamic system variable
%CD% used unquoted in a batch file running on a (file) server, a simple exploit could get (malicious) code executed with elevated privileges.
The solution offered is to use doublequotes:
"%CD%", which does indeed inhibit the vulnerability.
Sometimes however, using doublequotes isn't an option, but checking my own batch files I always found a solution that did inhibit the vulnerability.
|Note:||As was stated in the disclosure, quoting
If a variable (e.g.
To test your own batch files for this particular vulnerability, you can run the following batch code against your batch files directory:
@ECHO OFF IF NOT "%~1"=="" PUSHD "%~1" FOR %%A IN (*.bat *.cmd) DO ( TYPE "%%~A" | FIND /I /N "%%CD" | FINDSTR /R /I /C:"[^""]%%CD[:%%]" IF NOT ERRORLEVEL 1 ( ECHO.========== "%%~nxA" ========== ECHO. ECHO. ) ) IF NOT "%~1"=="" POPD
The code first uses FIND to search for
%CD, and then uses FINDSTR to filter out
"%CD and variables whose names start with but are not equal to CD (e.g.
/N switch is used to display the line numbers.
If you expect more "advanced" variations like
%__CD__% too, adapt the code accordingly.
Instead of this batch code, you could also use BatCodeCheck to test for this particular vulnerability plus many common errors.
BatCodeCheck will test for all known variations of this vulnerability.
%CD%to build a path which will then be doublequoted, try building the path immediately and doublequote it immediately
FOR %%A IN ("part1") DO FOR %%B IN ("part2") DO SET part1and2="%%~A%%~B"(or
CD | FIND "&" && EXIT /B 1
DIR . /AD /S /B | FIND "&" && EXIT /B 1
page last modified: 2017-03-06