The vulnerability exists because the Windows `CreateProcess` API, which Deno's subprocess spawning ultimately uses, implicitly runs batch files (.bat, .cmd) by launching cmd.exe. As a result, the arguments passed to the batch file are parsed by the command interpreter rather than delivered to the script as opaque strings. When user-controlled, unsanitized input is placed in the `args` array for a batch file target, cmd.exe parses and executes whatever command is embedded in it. For example, an argument such as `&calc.exe` is not treated as plain text but as a command separator followed by a new command, leading to arbitrary code execution. This undermines Deno's permission model: the `--allow-run` flag already grants the capability to spawn the batch file, and the underlying Windows behaviour turns that single permission into arbitrary command execution.
Platform: Deno
Version: <= 2.5.1
Vulnerability: Command Injection
Severity: Critical
Date: 2024-10-23
Prediction: 2024-11-06
What Undercode Says:
deno run --allow-run exploit_script.ts
// exploit_script.ts: the batch-file argument comes from untrusted input (the page's example is `&calc.exe`)
const untrustedArg = Deno.args[0] ?? "";
const cmd = new Deno.Command("script.bat", { args: [untrustedArg] });
cmd.spawn();
How the Exploit Works:
Attacker passes `&calc.exe` as an argument to a batch file, which `cmd.exe` executes.
Protection from this CVE
Update Deno to a version later than 2.5.1. Sanitize all user-controlled input before it is used as an argument to a batch file, or avoid spawning batch files with untrusted arguments altogether.
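The following is an added example, not Deno's own code or its patch, showing one defensive check for the mechanism described above: before a batch file target is spawned, every argument is tested for the cmd.exe metacharacters that would give it a command boundary, a redirect or a variable expansion, and the spawn is refused if any are found. The `spawnChecked`, `isBatchTarget` and `batchArgProblem` names, the injected `Spawner` callback and the sample arguments are all assumptions made for this example; the callback stands in for `new Deno.Command(target, { args }).spawn()` so the check can be exercised without a Windows host.

```typescript
// Added example (not Deno's own code): refuse to hand untrusted text to a
// .bat/.cmd target, where cmd.exe would parse it as commands.

// cmd.exe characters that let a single argument become a new command (& |),
// a redirect (< >), an escape (^), a variable expansion (% !), a quote break (")
// or a line break (\r \n). They are denied outright rather than escaped.
const CMD_METACHARS = /[&|<>^%!"\r\n]/;

// True when CreateProcess would run the target through cmd.exe on Windows.
// Extension-based detection is a heuristic: a stricter policy is to never
// spawn batch files with untrusted arguments at all.
function isBatchTarget(target: string): boolean {
  return /\.(bat|cmd)$/i.test(target.trim());
}

// Returns null when the argument is safe for a batch target, otherwise the
// first offending character.
function batchArgProblem(arg: string): string | null {
  const m = CMD_METACHARS.exec(arg);
  return m ? m[0] : null;
}

// The real spawner is injected (assumption for this example); in Deno it would be
// (t, a) => new Deno.Command(t, { args: a }).spawn()
type Spawner = (target: string, args: string[]) => unknown;

// Validates every argument when the target is a batch file, then spawns.
// Non-batch targets receive their arguments verbatim, so they pass through.
function spawnChecked(target: string, args: string[], spawn: Spawner): unknown {
  if (isBatchTarget(target)) {
    for (const arg of args) {
      const bad = batchArgProblem(arg);
      if (bad !== null) {
        throw new Error(
          `refusing to pass ${JSON.stringify(arg)} to ${target}: contains ${JSON.stringify(bad)}`,
        );
      }
    }
  }
  return spawn(target, args);
}

// Constructed sample run: a benign argument is spawned, the page's injected
// argument is refused before cmd.exe ever sees it.
const fakeSpawn: Spawner = (t, a) => ({ target: t, args: a });
console.log(spawnChecked("script.bat", ["report.txt"], fakeSpawn));
try {
  spawnChecked("script.bat", ["&calc.exe"], fakeSpawn);
} catch (e) {
  console.log((e as Error).message);
}
```

The deny-list covers the characters the page's mechanism depends on, but rejecting is only the fallback: the robust fix is the upgrade, and the safest design is to not route untrusted input through a batch file in the first place. Note also that `%` and `!` are included because cmd.exe expands `%VAR%` and `!VAR!` inside arguments even when no command separator is present.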
Impact:
Arbitrary command execution on Windows, bypassing Deno permissions.
Sources:
Reported By: github.com