Rust Standard Library Remote Code Execution Vulnerability (BatBadBut) (CVE-2024-24576)

The Rust standard library is vulnerable to a critical severity flaw that can be exploited on Windows targets. Tracked as CVE-2024-24576, the vulnerability has been given a CVSS score of 10. Successful exploitation may allow an attacker to execute arbitrary code on a targeted Windows system. The vulnerability is being called BatBadBut.

Rust’s standard library, or std, is the foundation of portable Rust software. It includes shared abstractions like core types, library-defined operations, standard macros, I/O, multithreading, containers, and collections. The standard library also includes primitive types like arrays and slices and more complex data structures like vectors, hash maps, linked lists, and trees.

Vulnerability Details

The vulnerability originates from improper escaping of arguments in the Rust standard library when invoking batch files (files with the .bat or .cmd extension) on Windows through the Command API. An attacker who controls the arguments passed to the spawned process may bypass the escaping and execute arbitrary shell commands.

Command::arg and Command::args are the APIs documented as safe for passing untrusted input. Arguments given to these APIs are not processed by a shell; they are meant to reach the spawned process exactly as supplied, regardless of their value.

Implementing this is more complicated on Windows than on other platforms because the Windows API only gives the spawned process a single string containing all the arguments; the spawned process is responsible for splitting that string itself. Because most programs rely on the standard C runtime to build argv, arguments are split in a reasonably uniform way.

cmd.exe is the exception, because it has its own argument-splitting logic. That logic forces the standard library to implement custom escaping for arguments passed to batch files.

In the Rust standard library, this escaping logic was not thorough enough: malicious arguments could pass through it and result in arbitrary shell command execution.
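The defensive step a caller can take in addition to upgrading is to refuse, before Command::arg is ever reached, any batch-file argument containing characters that cmd.exe interprets during its own splitting. The following is an added example written for this page; it is not the Rust standard library's escaping code and not Qualys's. The metacharacter list, the error type, the function names (validate_bat_arg, bat_command) and the sample inputs are all assumptions and constructed values. The standard library's own fix in 1.77.2 still applies underneath it on Windows; this check simply fails closed earlier and more conservatively.

```rust
// Added example: conservative, fail-closed validation of arguments that are
// about to be handed to a .bat/.cmd file via std::process::Command.
// This is NOT the standard library's escaping logic; it is a stricter
// allowlist-style check a caller applies on top of the 1.77.2 upgrade.
use std::process::Command;

/// Error returned when an argument cannot be passed to a batch file safely.
#[derive(Debug, PartialEq)]
pub enum BatArgError {
    /// The argument contains a character cmd.exe treats specially.
    Metacharacter(char),
    /// The argument contains a carriage return or line feed.
    LineBreak,
}

/// Characters cmd.exe interprets while splitting a batch file's arguments.
/// Assumed list; deliberately broader than strictly necessary so that any
/// doubt is resolved by rejecting the argument rather than escaping it.
const CMD_METACHARACTERS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '(', ')'];

/// Validates one argument destined for a `.bat`/`.cmd` invocation.
/// Returns the unchanged argument on success so the standard library can
/// still apply its own quoting (e.g. for spaces) when spawning on Windows.
pub fn validate_bat_arg(arg: &str) -> Result<&str, BatArgError> {
    if arg.contains('\r') || arg.contains('\n') {
        return Err(BatArgError::LineBreak);
    }
    if let Some(c) = arg.chars().find(|c| CMD_METACHARACTERS.contains(c)) {
        return Err(BatArgError::Metacharacter(c));
    }
    Ok(arg)
}

/// Builds a `Command` for a batch file from untrusted arguments. If any
/// argument fails validation, no `Command` is built at all.
pub fn bat_command(script: &str, args: &[&str]) -> Result<Command, BatArgError> {
    let mut cmd = Command::new(script);
    for arg in args {
        cmd.arg(validate_bat_arg(arg)?);
    }
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs: one benign, two that must never reach cmd.exe.
    let samples = ["report.txt", "file&other", "x\r\ndir"];
    for s in samples {
        match validate_bat_arg(s) {
            Ok(v) => println!("accepted: {v:?}"),
            Err(e) => println!("rejected {s:?}: {e:?}"),
        }
    }
    // Spawning is only meaningful on Windows, where .bat files run via cmd.exe.
    // "hello.bat" is a placeholder script name.
    #[cfg(windows)]
    {
        if let Ok(mut cmd) = bat_command("hello.bat", &["report.txt"]) {
            let _ = cmd.status();
        }
    }
}
```

Rejecting rather than escaping is the point of the design: escaping for cmd.exe is exactly the problem the advisory describes, so a caller that does not need metacharacters in batch-file arguments is better off never accepting them.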

Affected Versions

The vulnerability affects all Rust versions before 1.77.2 on Windows.

Mitigation

Customers must upgrade to Rust 1.77.2 to patch the vulnerability.

Please refer to the Rust Security Response for more information.

Qualys Detection

Qualys customers can scan their devices with QID 379598 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
