CVE-2024-24576
Rust Standard Library Batch File Argument Injection Vulnerability
Description
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
INFO
Published Date :
April 9, 2024, 6:15 p.m.
Last Modified :
May 1, 2024, 6:15 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
6.0
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2024-24576 has a 15 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-24576.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
PoC for CVE-2024-24576 vulnerability "BatBadBut"
Python Batchfile
None
Batchfile Rust
a python proof of concept for cve-2024-24576
Batchfile Python
investigating the BatBadBut vulnerability,
C#
Simple CVE-2024-24576 PoC in Julia
Julia Batchfile
https://nvd.nist.gov/vuln/detail/CVE-2024-24576
Python Batchfile
None
Python
This is a simple demo for the BadBatBut vulnerability CVE-2024-24576
Rust Batchfile
CVE-2024-24576 PoC for Nim Lang
Nim Batchfile
None
Batchfile Rust
CVE-2024-24576 Proof of Concept
1-day exploit rust security
Rust Batchfile Python Go
None
Python Batchfile Go Ruby
Example of CVE-2024-24576 use case.
Rust Batchfile
Architecture Weekly - links and resources to boost your knowledge and developer skills
architecture software-engineering newsletter
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-24576 vulnerability anywhere in the article.
-
New Jetpack Site
Vulnerabilità di Commad Injection in Rust
04/11/2024 PROTO: N240411 CERT-Yoroi informa che è stata resa nota una vulnerabilità critica sul linguaggio di programmazione Rust. Tale vulnerabilità, pubblicata all’interno del security advisory e n ... Read more
The following table lists the changes that have been made to the
CVE-2024-24576 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
May. 01, 2024
Action Type Old Value New Value Added Reference GitHub, Inc. http://www.openwall.com/lists/oss-security/2024/04/09/16 [No types assigned] -
CVE Modified by [email protected]
Apr. 19, 2024
Action Type Old Value New Value Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/ [No types assigned] -
CVE Modified by [email protected]
Apr. 19, 2024
Action Type Old Value New Value Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/ [No types assigned] -
CVE Modified by [email protected]
Apr. 12, 2024
Action Type Old Value New Value Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/ [No types assigned] -
CVE Modified by [email protected]
Apr. 11, 2024
Action Type Old Value New Value Changed Description Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an [`InvalidInput`][4] error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic. Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic. Removed Reference GitHub, Inc. https://www.kb.cert.org/vuls/id/123335 -
CVE Modified by [email protected]
Apr. 10, 2024
Action Type Old Value New Value Added Reference GitHub, Inc. https://www.kb.cert.org/vuls/id/123335 [No types assigned] -
CVE Received by [email protected]
Apr. 09, 2024
Action Type Old Value New Value Added Description Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an [`InvalidInput`][4] error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic. Added Reference GitHub, Inc. https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh [No types assigned] Added Reference GitHub, Inc. https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput [No types assigned] Added Reference GitHub, Inc. https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg [No types assigned] Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html [No types assigned] Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html#method.arg [No types assigned] Added Reference GitHub, Inc. https://doc.rust-lang.org/std/process/struct.Command.html#method.args [No types assigned] Added Reference GitHub, Inc. https://github.com/rust-lang/rust/issues [No types assigned] Added Reference GitHub, Inc. https://www.rust-lang.org/policies/security [No types assigned] Added CWE GitHub, Inc. CWE-78 Added CWE GitHub, Inc. CWE-88 Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-24576 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-24576
weaknesses.