Tech News

Critical Rust flaw enables Windows command injection attacks

By admin 2 Min Read

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.

Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.

GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction.

“The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”

All Rust versions before 1.77.2 on Windows are affected if a program’s code or one of its dependencies invokes and executes batch files with untrusted arguments.

Rust CVE-2024-24576 tweet

​The Rust security team faced a significant challenge when dealing with cmd.exe’s complexity since they couldn’t find a solution that would correctly escape arguments in all cases. 

As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.

“If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library’s escaping logic,” the Rust Security Response WG added.

In February, the White House Office of the National Cyber Director (ONCD) urged technology companies to adopt memory-safe programming languages like Rust. The end goal is to improve software security by minimizing the number of memory safety vulnerabilities.

You Might Also Like

Apple AI Pin Specs Leak: Dual Cameras, No Screen & More

The diverse responsibilities of a principal software engineer

OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters

Google’s Fitbit Tease has me More Excited for Garmin’s Whoop Rival

Why the TCL NXTPAPER 14 Is One of the Best Tablets for Musicians and Sheet Music Reading

TAGGED: , , , , ,
Share This Article
Previous Article Gwen Stefani Admits Feeling ‘Paranoid’ About Past ‘Insecurities’ Over Blake Shelton Relationship
Next Article Pop Music Is Mad. Social Media Loves It
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

JPMorgan CEO Jamie Dimon says he’s ‘learned and relearned’ to not make big decisions when he’s tired on Fridays
Business
Apple AI Pin Specs Leak: Dual Cameras, No Screen & More
Tech News
A ‘glass-like’ battlefield: German Army chief on the future of warfare
World News
Polymarket Sees Record $153M Daily Volume After Chainlink Integration
Crypto
Natasha Lyonne Then & Now: See Before & After Photos of the Actress Here
Celebrity
Cult Hit Doki Doki Literature Club Fights Removal From Google Play Store Over ‘Depiction Of Sensitive Themes’
Gaming News
Dead as Disco Launches Into Early Access on May 5th, Groovy New Gameplay Released
Gaming News
Lost your password?