Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

Apr 10, 2024 Newsroom Software Security / Vulnerability

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).


RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the “programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments.”

But in light of the fact that not every programming language has addressed the problem, developers are being advised to exercise caution when executing commands on Windows.


“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.

“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”
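The advisory's description of the flaw and RyotaK's PATH advice together suggest a wrapper that refuses risky input before anything reaches cmd.exe. The following is an added example written for this article, not code from the Rust project or the advisory; the function names and the metacharacter list are assumptions made here, and the wrapper only builds the Command rather than spawning it so it can be exercised on any platform.

```rust
// Added defensive example (not the Rust project's or advisory's code); the
// function names and CMD_METACHARS list are choices made for this example.
use std::path::Path;
use std::process::Command;

/// cmd.exe metacharacters (separators, redirection, escaping, %/! expansion).
/// Conservative denylist chosen for the example; refine for your own scripts.
const CMD_METACHARS: &[char] = &['&', '|', '<', '>', '^', '"', '%', '!', '(', ')'];

/// True for .bat/.cmd (case-insensitive): targets that cmd.exe re-parses.
pub fn is_batch_file(script: &Path) -> bool {
    script
        .extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
}

/// Reject any argument that could alter how cmd.exe parses the command line.
pub fn check_batch_arg(arg: &str) -> Result<(), String> {
    if let Some(c) = arg.chars().find(|c| CMD_METACHARS.contains(c) || c.is_control()) {
        return Err(format!("argument {arg:?} contains disallowed character {c:?}"));
    }
    Ok(())
}

/// Build (not spawn) a Command for a batch file fed untrusted arguments.
/// The script must carry a directory component so no PATH lookup occurs,
/// in line with the advice to keep batch files out of PATH.
pub fn build_batch_command(script: &Path, args: &[&str]) -> Result<Command, String> {
    let shown = script.to_string_lossy();
    if !(shown.contains('\\') || shown.contains('/')) {
        return Err(format!("{shown}: give an explicit path, not a bare name resolved via PATH"));
    }
    if !is_batch_file(script) {
        return Err(format!("{shown}: not a .bat/.cmd file"));
    }
    for a in args {
        check_batch_arg(a)?;
    }
    let mut cmd = Command::new(script);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed inputs: a benign argument and one smuggling a command separator.
    let script = Path::new("C:/tools/report.bat");
    println!("{:?}", build_batch_command(script, &["2024-04"]).map(|_| "accepted"));
    println!("{:?}", build_batch_command(script, &["april&may"]).map(|_| "accepted"));
}
```

Rust 1.77.2 adds its own spawn-time error for arguments it cannot escape safely; a wrapper like this fails earlier, with a logged reason, and also enforces the explicit-path advice on older toolchains.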
