A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.
The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, the highest possible severity. That said, it only affects scenarios in which batch files are invoked on Windows with untrusted arguments.
“The Rust Standard Library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory published on April 9, 2024.
“An attacker with the ability to control the arguments passed to the spawned process could execute arbitrary shell commands bypassing the escape.”
The flaw affects all Rust versions prior to 1.77.2. Security researcher RyotaK was credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).
RyotaK said the vulnerability – codenamed BatBadBut – affects several programming languages and occurs when the “programming language wraps the CreateProcess function [in Windows] and adds an escape mechanism for command arguments.”
Since not all affected programming languages have fixed the problem, developers are advised to be careful when executing commands on Windows.
“To prevent unexpected execution of batch files, you should consider moving batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a tip to users.
“In this case, batch files will not run unless the full path is specified, so you can prevent batch files from running unexpectedly.”
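As an added illustration (not code from the Rust advisory or from RyotaK's write-up), the following Rust helper applies RyotaK's advice at the application layer: it accepts batch files only by full path, so the script is never resolved through PATH, and it rejects any argument containing characters cmd.exe interprets when it re-parses a batch file's command line. The metacharacter list and the function names are assumptions of this example; the real fix remains upgrading to Rust 1.77.2.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// Characters cmd.exe interprets when re-parsing a batch file's command line
/// (assumed, deliberately conservative list for this example).
const CMD_METACHARS: &[char] = &['"', '&', '|', '<', '>', '^', '%', '!', '(', ')', '\r', '\n'];

/// Returns the first cmd.exe metacharacter found in `arg`, if any.
pub fn find_cmd_metachar(arg: &str) -> Option<char> {
    arg.chars().find(|c| CMD_METACHARS.contains(c))
}

/// True when `path` has a .bat or .cmd extension (case-insensitive).
pub fn is_batch_file(path: &Path) -> bool {
    let ext = path.extension().and_then(|e| e.to_str()).map(|e| e.to_ascii_lowercase());
    matches!(ext.as_deref(), Some("bat") | Some("cmd"))
}

/// Builds (but does not spawn) a Command for a batch file. Relative paths are refused
/// so the script is never found via PATH; every argument is screened before cmd.exe sees it.
pub fn batch_command<P: AsRef<Path>>(script: P, args: &[&str]) -> io::Result<Command> {
    let script = script.as_ref();
    let reject = |msg: String| -> io::Result<Command> {
        Err(io::Error::new(io::ErrorKind::InvalidInput, msg))
    };
    if !is_batch_file(script) {
        return reject(format!("{} is not a .bat/.cmd file", script.display()));
    }
    if !script.is_absolute() {
        return reject(format!("{} must be given by full path", script.display()));
    }
    for arg in args {
        if let Some(c) = find_cmd_metachar(arg) {
            return reject(format!("argument {arg:?} contains cmd.exe metacharacter {c:?}"));
        }
    }
    let mut cmd = Command::new(script);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed inputs: a benign argument, then one carrying a quote and an
    // ampersand, which cmd.exe would read as an argument break and a command separator.
    let script = std::env::current_dir().unwrap().join("build.bat");
    for arg in ["release-1.2", "x\" & y"] {
        match batch_command(&script, &[arg]) {
            Ok(_) => println!("accepted {arg:?}"),
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

`Path::is_absolute` is platform-specific (a drive-rooted path on Windows, a `/`-rooted one elsewhere), so the check behaves correctly on the platform where the batch file would actually run.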