Tech News

Critical Rust flaw enables Windows command injection attacks

By admin 2 Min Read

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.

Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.

GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction.

“The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”

All Rust versions before 1.77.2 on Windows are affected if a program’s code or one of its dependencies invokes and executes batch files with untrusted arguments.

Rust CVE-2024-24576 tweet

​The Rust security team faced a significant challenge when dealing with cmd.exe’s complexity since they couldn’t find a solution that would correctly escape arguments in all cases. 

As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.

“If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library’s escaping logic,” the Rust Security Response WG added.

In February, the White House Office of the National Cyber Director (ONCD) urged technology companies to adopt memory-safe programming languages like Rust. The end goal is to improve software security by minimizing the number of memory safety vulnerabilities.

You Might Also Like

Anthropic sets sights on small business after enterprise push

Sony Xperia 1 VIII AI Camera Assistant Internet Outrage

How to Control Everything on Your Phone With Your Voice (iOS and Android)

Critical Nginx UI auth bypass flaw now actively exploited in the wild

Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

TAGGED: , , , , ,
Share This Article
Previous Article Gwen Stefani Admits Feeling ‘Paranoid’ About Past ‘Insecurities’ Over Blake Shelton Relationship
Next Article Pop Music Is Mad. Social Media Loves It
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

Anthropic sets sights on small business after enterprise push
Tech News
Commerzbank axes 3,000 jobs in an attempt to fight off UniCredit takeover bid
Business
AI poised to tilt job market leverage toward older workers
Business
STRC preferred stock investors are mispricing major 'dislocation' risk: Analyst
Crypto
China's marriages drop to decade low, deepening demographic concerns
Business
US law firm files motion requesting redistribution of $344M USDt linked to Iran
Crypto
London police out in force as tens of thousands attend rival rallies
World News
Lost your password?