Rust Fixes Critical Command Injection Flaw in std Library for Windows 10/11

Author | Connor Jones
Translator | Zhang Weibin
Editor | Ding Xiaoyun

This article was originally published on The Register and translated by InfoQ Chinese Station.

Rust security experts have resolved a critical vulnerability that could lead to malicious command injection on Windows machines, advising programmers to upgrade their Rust versions.

The vulnerability has a CVSS severity score of 10 (the maximum score is 10) and is tracked under CVE-2024-24576. It affects the Rust standard library, specifically the std::process::Command API when calling batch files on Windows, which improperly escapes parameters.

Pietro Albini of the Rust Security Response Working Group, who drafted the security advisory, stated, “If an attacker can control the parameters passed to the generated process, they can bypass escaping and execute arbitrary shell commands.”

Researchers from Tokyo’s Flatt Security, who reported the issue, indicated that the main problem seems to stem from Windows’ cmd.exe program, which has more complex parsing rules that are necessary for executing batch files.

Albini noted that the Windows command prompt has its own parameter-splitting logic, which differs from what the standard library’s regular Command::arg and Command::args APIs assume; those APIs normally allow untrusted input to be passed safely to the generated process.

He explained, “On Windows, this implementation is more complex than on other platforms because the Windows API only provides a single string containing all parameters to the generated process, and it is the responsibility of the generated process to split these parameters.” Most programmers use the standard C runtime’s argv, which generally splits parameters in a consistent manner.

“Unfortunately, it has been reported that our escaping logic is incomplete, potentially allowing malicious parameters to be passed, leading to arbitrary shell execution.”

Chris Denton, a contributor to the Rust std library, developed a fix for this issue, which includes improvements to the escaping code and ensures that the Command API returns an InvalidInput error when it cannot safely escape parameters.

Albini mentioned that due to the complexity of the Microsoft command prompt, the team could not determine a fix that would safely escape parameters in every case.

“If you implement escaping yourself or only handle trusted input, you can also use the CommandExt::raw_arg method on Windows to bypass the standard library’s escaping logic.”
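As an added illustration, not code from the Rust project or from the article, the following shows how a program that must invoke batch files can act on the stance of the fix: a constructed, deliberately narrow allow-list rejects untrusted arguments up front, and the standard library’s own `ErrorKind::InvalidInput` refusal is surfaced explicitly instead of being treated as a generic spawn failure. The allow-list character set and the `BatchError` type are this example’s assumptions; the spawn path is only meaningful on Windows, but the code compiles and the pre-check runs on any platform.

```rust
use std::io;
use std::process::{Command, ExitStatus};

/// Constructed conservative policy (an assumption of this example, not the
/// standard library's own rule): accept only characters that cmd.exe never
/// treats specially. Anything else is rejected before any process is spawned,
/// mirroring the fix's "return an error rather than guess" approach.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric()
                || matches!(c, '-' | '_' | '.' | ':' | '\\' | '/' | ' ')
        })
}

/// Why an invocation was refused, before or during spawn.
#[derive(Debug, PartialEq)]
pub enum BatchError {
    /// An argument failed the allow-list above; nothing was spawned.
    RejectedArg(String),
    /// The standard library itself refused to escape an argument
    /// (io::ErrorKind::InvalidInput, the behaviour introduced in 1.77.2).
    StdRefused(String),
    /// Any other spawn failure (missing script, permissions, ...).
    Spawn(String),
}

/// Run `script` (a .bat/.cmd file) with `args`, applying the allow-list first.
pub fn run_batch(script: &str, args: &[&str]) -> Result<ExitStatus, BatchError> {
    if let Some(bad) = args.iter().find(|a| !is_safe_batch_arg(a)) {
        return Err(BatchError::RejectedArg((*bad).to_string()));
    }
    // Command::args is used deliberately so that std performs the cmd.exe
    // escaping; CommandExt::raw_arg would bypass it and is not used here.
    match Command::new(script).args(args).status() {
        Ok(status) => Ok(status),
        Err(e) if e.kind() == io::ErrorKind::InvalidInput => {
            Err(BatchError::StdRefused(e.to_string()))
        }
        Err(e) => Err(BatchError::Spawn(e.to_string())),
    }
}
```

Both layers stay in place: the allow-list documents the application’s own policy, and the `StdRefused` branch makes a library-level refusal visible in logs instead of being lost among unrelated spawn errors.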

Rust released version 1.77.2 on April 9, stating that all previous versions are affected by this security vulnerability.

The language has garnered a loyal following, often ranking highly on Stack Overflow, as developers find using Rust in their work very enjoyable. Google employees have also praised its productivity advantages. It is one of the newer memory-safe languages encouraged by national security agencies to replace older technologies like C and C++.

BatBadBut

RyotaK, the researcher who reported the vulnerability, named it BatBadBut: “Bat” for its relation to batch files, and “BadBut” because it is “serious but not the worst.” He also indicated that the issue affects more than just Rust.

Erlang, Go, Python, and Ruby have also been affected, and they have updated their respective documentation pages to raise awareness of this issue.

Node.js and PHP are currently writing patches, while Rust and Haskell have already released fixes. According to the researcher’s report, Java is also affected, but its team has no plans to address the issue.

RyotaK also pointed out that users should not rely solely on CVSS ratings to draw conclusions, as the severity of the issue will depend on each application and should be reassessed based on specific circumstances.

Disclaimer: This article is a translation by InfoQ and may not be reproduced without permission.
