Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Programmers are being urged to update their Rust versions after the security experts working on the language addressed a critical vulnerability that could lead to malicious command injections on Windows machines.

The vulnerability, which carries a perfect 10-out-of-10 CVSS severity score, is tracked as CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API – specifically, std::process::Command.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping," said Pietro Albini of the Rust Security Response Working Group, who wrote the advisory.

The main issue seems to stem from Windows' CMD.exe program, which has more complex parsing rules, and Windows can't execute batch files without it, according to the researcher at Tokyo-based Flatt Security who reported the issue.

Albini said Windows' Command Prompt has its own argument-splitting logic that works differently from the usual Command::arg and Command::args APIs provided by the standard library, which typically allow untrusted inputs to be safely passed to spawned processes.

"On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them," said Albini. "Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are split.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution."

Chris Denton, a contributor to Rust's std library, developed the fix that mitigated the issue, which involved making improvements to the escaping code and ensuring the Command API returned an InvalidInput error when it can't safely escape arguments.

• Rust developers at Google are twice as productive as C++ teams
• Rust can help make software secure – but it's no cure-all
• Google throws $1M at Rust Foundation to build C++ bridges
• Microsoft seeks Rust developers to rewrite core C# code

The team couldn't pinpoint a fix that would escape arguments in every case, owing to the complexity of Microsoft's command prompt, Albini said.

"If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library's escaping logic."

Rust released version 1.77.2 on Tuesday, saying that every version that came before it is vulnerable.

The language is a fan favorite, routinely topping Stack Overflow's rankings for how enjoyable developers find Rust to use in their work, and Googlers hail its productivity benefits. It's also one of the newer memory-safe languages national security authorities are urging developers to adopt in favor of older technologies such as C and C++.

BatBadBut

According to RyotaK, the researcher who reported the vulnerability, which they are referring to as BatBadBut due to it revolving around batch files and its severity – "bad, but not the worst" – the issue affects more technologies than Rust alone.

Erlang, Go, Python, and Ruby are also affected and have updated their respective documentation pages to raise awareness of the issue.

Node.js and PHP are both working on patches now, while Rust and Haskell both have their fixes pushed out already. Java is affected but its team has no plans to address it, according to the researcher's report.

RyotaK also made the point that users should not jump to conclusions based on the CVSS rating alone, since the severity of the issue will depend on each application individually and should be recalculated as such. ®