Rust Triggers Remote Windows Capture

A vulnerability has been found in the Rust programming language that allows malicious code to be executed on Windows.

CVE-2024-24576 is an injection flaw in the handling of OS commands and arguments. It allows an authenticated attacker to remotely execute malicious code without user interaction. The attack has low complexity.

The Rust Security Group was alerted that the Rust standard library fails to properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API.

An attacker who controls the arguments passed to the spawned process can execute arbitrary commands in the shell by bypassing the escaping. The vulnerability is particularly critical when batch files are invoked on Windows with untrusted arguments; other platforms and use cases are not at risk.

This vulnerability affects all versions of Rust up to 1.77.2 on Windows, if the program's code or one of its dependencies invokes batch files with untrusted arguments.

The Rust security team found it difficult to escape arguments correctly for cmd.exe. It therefore made the escaping code more robust and changed the Command API: if an argument cannot be safely escaped when the process is created, the call now fails with an `InvalidInput` error.
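An application can also reject untrusted arguments before they ever reach a batch file. The sketch below is an added example, not code from the Rust project: the function names and the character allowlist are assumptions, and it reports refusals with the same `InvalidInput` error kind that the fixed Command API uses.

```rust
use std::io::{Error, ErrorKind};
use std::path::Path;
use std::process::{Command, ExitStatus};

/// True when `program` names a batch file, which Windows runs through cmd.exe.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative allowlist (an assumption of this example): non-empty, and only
/// ASCII letters, digits, '.', '_' and '-'. Everything else is refused.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Hypothetical wrapper: validates arguments bound for a batch file, then runs it.
/// Nothing is spawned when any argument fails the allowlist.
pub fn run_checked(program: &str, args: &[&str]) -> Result<ExitStatus, Error> {
    if is_batch_file(program) {
        for &arg in args {
            if !is_safe_batch_arg(arg) {
                let msg = format!("refused batch file argument: {:?}", arg);
                return Err(Error::new(ErrorKind::InvalidInput, msg));
            }
        }
    }
    // On a fixed toolchain, Command itself also returns InvalidInput when it
    // cannot escape an argument safely, so callers handle one error kind.
    Command::new(program).args(args).status()
}

fn main() {
    // Constructed sample: the second argument contains a cmd.exe metacharacter.
    match run_checked("convert.bat", &["report-2024.txt", "a&b"]) {
        Err(e) if e.kind() == ErrorKind::InvalidInput => println!("rejected: {}", e),
        other => println!("{:?}", other),
    }
}
```

The allowlist is deliberately narrower than what cmd.exe can handle safely; widen it only for characters your batch files actually need.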

Engineer RyotaK from Flatt Security, who discovered the vulnerability, dubbed BatBadBut, notes that it also affects other programming languages. Fixes have been released for some, while others are still vulnerable:

  • Erlang (documentation update);
  • Go (documentation update);
  • Haskell (fix available);
  • Java (not fixed);
  • Node.js (fix coming soon);
  • PHP (fix coming soon);
  • Python (documentation update);
  • Ruby (documentation update).

To prevent the unintended execution of batch files, it is recommended to move them to a directory that is not included in the PATH environment variable, so that they cannot be executed without specifying the full path.
