Posted by Julian Horoszkiewicz on Nov 13

Unexpected behavior of cmd.exe while processing .bat files leads to
potential command injection vulnerabilities
Tested on: Windows 7, Windows 10
Author: Julian Horoszkiewicz

It was discovered that cmd.exe, when processing .bat files, treats the
ASCII substitute character (code 26) as a command separator (like & or |).
This opens the way for unexpected command injection vulnerabilities in
applications which generate .bat files based on user…