10.0
CRITICAL
CVE-2024-24576
Rust Standard Library Batch File Argument Injection Vulnerability
Description

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.

INFO

Published Date :

April 9, 2024, 6:15 p.m.

Last Modified :

Nov. 21, 2024, 8:59 a.m.

Remotely Exploitable :

Yes !

Impact Score :

6.0

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-24576 has a 15 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-24576 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Rust-lang rust
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-24576.

URL Resource
http://www.openwall.com/lists/oss-security/2024/04/09/16
https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput
https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg
https://doc.rust-lang.org/std/process/struct.Command.html
https://doc.rust-lang.org/std/process/struct.Command.html#method.arg
https://doc.rust-lang.org/std/process/struct.Command.html#method.args
https://github.com/rust-lang/rust/issues
https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
https://lists.fedoraproject.org/archives/list/[email protected]/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/
https://lists.fedoraproject.org/archives/list/[email protected]/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/
https://lists.fedoraproject.org/archives/list/[email protected]/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/
https://www.rust-lang.org/policies/security
http://www.openwall.com/lists/oss-security/2024/04/09/16
https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput
https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg
https://doc.rust-lang.org/std/process/struct.Command.html
https://doc.rust-lang.org/std/process/struct.Command.html#method.arg
https://doc.rust-lang.org/std/process/struct.Command.html#method.args
https://github.com/rust-lang/rust/issues
https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
https://lists.fedoraproject.org/archives/list/[email protected]/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/
https://lists.fedoraproject.org/archives/list/[email protected]/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/
https://lists.fedoraproject.org/archives/list/[email protected]/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/
https://www.rust-lang.org/policies/security

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

PoC for CVE-2024-24576 vulnerability "BatBadBut"

Python Batchfile

Updated: 8 months ago
0 stars 0 fork 0 watcher
Born at : April 21, 2024, 1:42 p.m. This repo has been linked 1 different CVEs too.

None

Batchfile Rust

Updated: 8 months ago
0 stars 0 fork 0 watcher
Born at : April 20, 2024, 6:54 p.m. This repo has been linked 1 different CVEs too.

a python proof of concept for cve-2024-24576

Batchfile Python

Updated: 8 months ago
1 stars 0 fork 0 watcher
Born at : April 20, 2024, 1:07 p.m. This repo has been linked 1 different CVEs too.

investigating the BatBadBut vulnerability,

C#

Updated: 8 months ago
0 stars 0 fork 0 watcher
Born at : April 17, 2024, 4:07 p.m. This repo has been linked 4 different CVEs too.

Simple CVE-2024-24576 PoC in Julia

Julia Batchfile

Updated: 8 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : April 14, 2024, 5 a.m. This repo has been linked 1 different CVEs too.

https://nvd.nist.gov/vuln/detail/CVE-2024-24576

Python Batchfile

Updated: 5 months, 1 week ago
2 stars 0 fork 0 watcher
Born at : April 14, 2024, 2:10 a.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 8 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 14, 2024, 12:35 a.m. This repo has been linked 1 different CVEs too.

This is a simple demo for the BadBatBut vulnerability CVE-2024-24576

Rust Batchfile

Updated: 7 months, 3 weeks ago
4 stars 0 fork 0 watcher
Born at : April 12, 2024, 11:36 p.m. This repo has been linked 1 different CVEs too.

CVE-2024-24576 PoC for Nim Lang

Nim Batchfile

Updated: 4 months, 2 weeks ago
1 stars 0 fork 0 watcher
Born at : April 11, 2024, 10:22 a.m. This repo has been linked 1 different CVEs too.

None

Batchfile Rust

Updated: 8 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 11, 2024, 2:26 a.m. This repo has been linked 1 different CVEs too.

CVE-2024-24576 Proof of Concept

1-day exploit rust security

Rust Batchfile Python Go

Updated: 1 month ago
19 stars 4 fork 4 watcher
Born at : April 10, 2024, 2:06 p.m. This repo has been linked 1 different CVEs too.

None

Python Batchfile Go Ruby

Updated: 1 month ago
8 stars 2 fork 2 watcher
Born at : April 10, 2024, 10:27 a.m. This repo has been linked 2 different CVEs too.

Example of CVE-2024-24576 use case.

Rust Batchfile

Updated: 1 month ago
56 stars 10 fork 10 watcher
Born at : April 9, 2024, 9:17 p.m. This repo has been linked 1 different CVEs too.

Architecture Weekly - links and resources to boost your knowledge and developer skills

architecture software-engineering newsletter

Updated: 2 weeks, 3 days ago
1419 stars 97 fork 97 watcher
Born at : Dec. 7, 2020, 9:30 a.m. This repo has been linked 2 different CVEs too.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 2 weeks, 2 days ago
6566 stars 1140 fork 1140 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 958 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-24576 vulnerability anywhere in the article.

  • New Jetpack Site
Vulnerabilità di Commad Injection in Rust

04/11/2024 PROTO: N240411 CERT-Yoroi informa che è stata resa nota una vulnerabilità critica sul linguaggio di programmazione Rust. Tale vulnerabilità, pubblicata all’interno del security advisory e n ... Read more

Published Date: Apr 11, 2024 (8 months, 1 week ago)

The following table lists the changes that have been made to the CVE-2024-24576 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/04/09/16
    Added Reference https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput
    Added Reference https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg
    Added Reference https://doc.rust-lang.org/std/process/struct.Command.html
    Added Reference https://doc.rust-lang.org/std/process/struct.Command.html#method.arg
    Added Reference https://doc.rust-lang.org/std/process/struct.Command.html#method.args
    Added Reference https://github.com/rust-lang/rust/issues
    Added Reference https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
    Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/
    Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/
    Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/
    Added Reference https://www.rust-lang.org/policies/security
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    May. 01, 2024

    Action Type Old Value New Value
    Added Reference GitHub, Inc. http://www.openwall.com/lists/oss-security/2024/04/09/16 [No types assigned]
  • CVE Modified by [email protected]

    Apr. 19, 2024

    Action Type Old Value New Value
    Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/ [No types assigned]
  • CVE Modified by [email protected]

    Apr. 19, 2024

    Action Type Old Value New Value
    Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/ [No types assigned]
  • CVE Modified by [email protected]

    Apr. 12, 2024

    Action Type Old Value New Value
    Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/ [No types assigned]
  • CVE Modified by [email protected]

    Apr. 11, 2024

    Action Type Old Value New Value
    Changed Description Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an [`InvalidInput`][4] error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic. Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
    Removed Reference GitHub, Inc. https://www.kb.cert.org/vuls/id/123335
  • CVE Modified by [email protected]

    Apr. 10, 2024

    Action Type Old Value New Value
    Added Reference GitHub, Inc. https://www.kb.cert.org/vuls/id/123335 [No types assigned]
  • CVE Received by [email protected]

    Apr. 09, 2024

    Action Type Old Value New Value
    Added Description Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an [`InvalidInput`][4] error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
    Added Reference GitHub, Inc. https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh [No types assigned]
    Added Reference GitHub, Inc. https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput [No types assigned]
    Added Reference GitHub, Inc. https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg [No types assigned]
    Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html [No types assigned]
    Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html#method.arg [No types assigned]
    Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html#method.args [No types assigned]
    Added Reference GitHub, Inc. https://github.com/rust-lang/rust/issues [No types assigned]
    Added Reference GitHub, Inc. https://www.rust-lang.org/policies/security [No types assigned]
    Added CWE GitHub, Inc. CWE-78
    Added CWE GitHub, Inc. CWE-88
    Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability