
A critical security vulnerability in the Rust standard library could be exploited to target Windows users and launch command injection attacks.
The vulnerability is tracked as CVE-2024-24576 and carries a CVSS score of 10.0, the highest possible severity. That said, it only affects scenarios where batch files are invoked with untrusted arguments on Windows.
The Rust Security Response Working Group stated in an announcement on April 9, 2024: “The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API.”
“An attacker with control over the arguments passed to the spawner could execute arbitrary shell commands by bypassing escapes.”
This flaw affects all Rust versions prior to 1.77.2. Security researcher RyotaK discovered the bug and reported it to the CERT Coordination Center (CERT/CC).

RyotaK stated that the vulnerability (codenamed BatBadBut) affects multiple programming languages and occurs when “the programming language wraps the CreateProcess function [in Windows] and adds an escaping mechanism for command arguments.”
However, since not all programming languages address this issue, developers are advised to exercise caution when executing commands on Windows.
“To prevent unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in advice to users.
“In this case, the batch file will not be executed unless the full path is specified, thus preventing accidental execution of the batch file.”
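The mitigation RyotaK describes (only run batch files by explicit path, never via PATH lookup, and never with untrusted arguments) can be enforced in application code before `std::process::Command` is ever built. The following is an added example written for this article; it is not code from the Rust project or from the advisory, and it does not reproduce the escaping logic that Rust 1.77.2 added to the standard library. The policy type `SpawnPolicyError`, the functions `is_batch_file`, `is_explicit_path`, `check_batch_spawn` and `guarded_command`, and the Windows-style sample paths and arguments are all constructed for illustration. The check is pure string logic, so it compiles and runs on any platform, and on Windows the returned `Command` can be spawned as usual.

```rust
use std::path::Path;
use std::process::Command;

/// Hypothetical policy errors for this example (not part of std or the advisory).
#[derive(Debug, PartialEq, Eq)]
pub enum SpawnPolicyError {
    /// The target is a batch file named without a path, so PATH lookup decides
    /// which file actually runs (the accidental-execution case from the advice above).
    BatchFileViaPathLookup,
    /// An argument contains a character that cmd.exe re-interprets, which the
    /// pre-1.77.2 Command API did not escape correctly for batch files.
    UnsafeBatchArgument { index: usize, ch: char },
}

/// True when `program` ends in .bat or .cmd (case-insensitive), i.e. CreateProcess
/// will hand it to cmd.exe instead of executing it directly.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// True when the program is given as an explicit path (separator or drive letter),
/// so it is not resolved by walking PATH. Mirrors the "specify the full path" advice.
pub fn is_explicit_path(program: &str) -> bool {
    program.contains('\\') || program.contains('/') || program.chars().nth(1) == Some(':')
}

/// Characters cmd.exe treats specially when it re-parses a batch file's arguments.
/// This is a deliberately conservative deny-list chosen for the example.
const CMD_METACHARS: &[char] = &['"', '%', '&', '|', '<', '>', '^', '!', '\r', '\n'];

/// Apply the policy: non-batch programs pass; batch files must be addressed by an
/// explicit path and must receive no argument containing a cmd.exe metacharacter.
pub fn check_batch_spawn(program: &str, args: &[&str]) -> Result<(), SpawnPolicyError> {
    if !is_batch_file(program) {
        return Ok(()); // ordinary executable: normal CreateProcess argv rules apply
    }
    if !is_explicit_path(program) {
        return Err(SpawnPolicyError::BatchFileViaPathLookup);
    }
    for (index, arg) in args.iter().enumerate() {
        if let Some(ch) = arg.chars().find(|c| CMD_METACHARS.contains(c)) {
            return Err(SpawnPolicyError::UnsafeBatchArgument { index, ch });
        }
    }
    Ok(())
}

/// Build a Command only after the policy check passes; the caller decides whether to spawn.
pub fn guarded_command(program: &str, args: &[&str]) -> Result<Command, SpawnPolicyError> {
    check_batch_spawn(program, args)?;
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample invocations, including one untrusted argument carrying '&'.
    let cases: &[(&str, &[&str])] = &[
        ("build.exe", &["a&b"]),                  // not a batch file: allowed
        ("build.bat", &["clean"]),                // bare name: PATH lookup refused
        (r"C:\tools\build.bat", &["a&b"]),        // metacharacter in arg: refused
        (r"C:\tools\build.bat", &["clean", "x"]), // explicit path, plain args: allowed
    ];
    for (program, args) in cases {
        println!("{program} {args:?} -> {:?}", check_batch_spawn(program, args));
    }
}
```

The check is intentionally stricter than the fixed standard library: instead of attempting to escape hostile arguments, it refuses them, which is the safer default when the argument source is untrusted and the batch file's own parsing is unknown.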