CVE-2024-24576: Rust standard library flaw allows remote command injection on Windows

Father

A flaw shared by several popular programming languages lets attackers inject commands into Windows systems remotely.

A vulnerability has been discovered in the standard library of the Rust programming language that allows arbitrary commands to be executed on Windows.

CVE-2024-24576 (CVSS score: 10) stems from the way command-line arguments are passed to cmd.exe, and lets an unauthenticated attacker remotely execute arbitrary commands without user interaction. The attack is low in complexity.

The Rust security response team was notified that the Rust standard library did not properly escape arguments when invoking batch files (.bat and .cmd) on Windows through the Command API.

An attacker who controls the arguments passed to the spawned process can execute arbitrary shell commands, bypassing the escaping. The severity is rated critical for the specific case of invoking batch files on Windows with untrusted arguments; other platforms and use cases are not affected.

The problem affects all versions of Rust before 1.77.2 on Windows, if the program or any of its dependencies invokes batch files with untrusted arguments.

Because of the complexity of cmd.exe, the Rust security team did not find a solution that correctly escapes arguments in all cases. Instead, the robustness of the escaping code was improved and the Command API was changed: if an argument cannot be safely escaped, the API now returns an InvalidInput error when spawning the process.

RyotaK, an engineer at Flatt Security who discovered the vulnerability and named it BatBadBut, notes that it also affects other programming languages, though not all of them have been patched:
  • Erlang (documentation update);
  • Go (documentation update);
  • Haskell (fix available);
  • Java (not fixed);
  • Node.js (fix will be available soon);
  • PHP (fix will be available soon);
  • Python (documentation update);
  • Ruby (documentation update).

RyotaK recommends moving batch files to a directory that is not included in the PATH environment variable. This prevents them from being executed unexpectedly, since they can then only be run by specifying the full path.
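To make the escaping failure and the 1.77.2 "refuse what cannot be escaped" behaviour concrete, here is an added example in Rust. It is my code, not the page's and not the Rust project's std implementation. It spawns nothing and runs on any OS: it builds the `cmd.exe /c "<script> <args>"` command line for a batch file, models how cmd.exe tokenizes that line (assumed here: the outer quote pair is stripped, `"` toggles quoting, `&|<>` outside quotes start a new command, `^` outside quotes escapes), and compares a vulnerable escaper that follows the C-runtime `\"` convention (an approximation of the pre-fix behaviour, with a quoting trigger set I assumed) against a hardened one that always quotes, doubles embedded `"`, and returns InvalidInput for NUL, line breaks and `%`. Rejecting `%` outright is this example's conservative choice, not a description of std's exact rules. The script name `test.bat` and the payload `"&calc.exe` are constructed test inputs.

```rust
use std::io;

/// Metacharacters cmd.exe acts on when they sit outside double quotes.
const CMD_META: &[char] = &['&', '|', '<', '>'];

/// Vulnerable escaping, modelling Rust std before 1.77.2: C-runtime rules
/// (embedded `"` -> `\"`, backslashes doubled before a quote), quoting the
/// argument when it contains whitespace or a cmd metacharacter. cmd.exe
/// never treats `\` as an escape, so `\"` still toggles quoting for cmd.
fn escape_crt_style(arg: &str) -> String {
    const FORCE_QUOTE: &str = "\t &()[]{}^=;!'+,`~%|<>"; // assumed trigger set
    let quote = arg.is_empty() || arg.chars().any(|c| FORCE_QUOTE.contains(c));
    let mut out = String::from(if quote { "\"" } else { "" });
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            '\\' => backslashes += 1,
            '"' => {
                out.extend(std::iter::repeat('\\').take(2 * backslashes + 1)); // CRT: 2n+1
                out.push('"');
                backslashes = 0;
            }
            _ => {
                out.extend(std::iter::repeat('\\').take(backslashes));
                out.push(c);
                backslashes = 0;
            }
        }
    }
    out.extend(std::iter::repeat('\\').take(if quote { 2 * backslashes } else { backslashes }));
    if quote { out.push('"'); }
    out
}

/// Hardened escaping: always quote and double each embedded `"`, so cmd.exe
/// re-enters quoted mode at once. Anything cmd would still interpret (NUL,
/// line breaks, `%` expansion, which runs even inside quotes) is refused with
/// InvalidInput. Refusing `%` outright is this example's conservative choice.
fn escape_for_cmd(arg: &str) -> io::Result<String> {
    if arg.chars().any(|c| matches!(c, '\0' | '\r' | '\n' | '%')) {
        let msg = "batch file argument cannot be escaped safely";
        return Err(io::Error::new(io::ErrorKind::InvalidInput, msg));
    }
    let mut out = String::from("\"");
    for c in arg.chars() {
        if c == '"' { out.push('"'); }
        out.push(c);
    }
    out.push('"');
    Ok(out)
}

/// Text after `cmd.exe /c` for running `script` with `args`: the whole
/// command sits in one quote pair and the script path in another (assumed shape).
fn bat_command_tail<F>(script: &str, args: &[&str], escape: F) -> io::Result<String>
where
    F: Fn(&str) -> io::Result<String>,
{
    let mut tail = format!("\"\"{script}\"");
    for arg in args {
        tail.push(' ');
        tail.push_str(&escape(arg)?);
    }
    tail.push('"');
    Ok(tail)
}

/// Model of cmd.exe's handling of the text after `/c`: drop the outer quote
/// pair (first character and last `"`), then cut at every metacharacter that
/// is outside double quotes; `^` outside quotes escapes the next character.
/// More than one segment means attacker text reached cmd's parser as a command.
fn cmd_segments(after_c: &str) -> Vec<String> {
    let body = match after_c.strip_prefix('"') {
        Some(rest) => match rest.rfind('"') {
            Some(i) => format!("{}{}", &rest[..i], &rest[i + 1..]),
            None => rest.to_string(),
        },
        None => after_c.to_string(),
    };
    let (mut segments, mut in_quotes) = (vec![String::new()], false);
    let mut chars = body.chars();
    while let Some(c) = chars.next() {
        match c {
            '"' => { in_quotes = !in_quotes; segments.last_mut().unwrap().push(c); }
            '^' if !in_quotes => { if let Some(n) = chars.next() { segments.last_mut().unwrap().push(n); } }
            c if !in_quotes && CMD_META.contains(&c) => segments.push(String::new()),
            c => segments.last_mut().unwrap().push(c),
        }
    }
    segments.into_iter().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

fn main() -> io::Result<()> {
    let hostile = "\"&calc.exe"; // constructed attacker-controlled argument
    let vulnerable = bat_command_tail("test.bat", &[hostile], |a: &str| Ok(escape_crt_style(a)))?;
    println!("vulnerable: cmd.exe /c {vulnerable}\n  cmd runs: {:?}", cmd_segments(&vulnerable));
    let hardened = bat_command_tail("test.bat", &[hostile], escape_for_cmd)?;
    println!("hardened:   cmd.exe /c {hardened}\n  cmd runs: {:?}", cmd_segments(&hardened));
    if let Err(e) = escape_for_cmd("%PATH%") {
        println!("rejected:   {e}");
    }
    Ok(())
}
```

With the vulnerable escaper the payload becomes `"\"&calc.exe"`; cmd.exe sees the `\` as ordinary text, the following `"` closes the quote, and `&calc.exe` lands outside quotes as a second command. The hardened escaper produces `"""&calc.exe"`, which keeps the `&` inside quotes, and it refuses `%PATH%` instead of passing an argument that cmd would expand before the batch file ever sees it.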