The Rust programming language has a standard library on Windows that gives attackers a way to execute shell commands.
Rated critical in an advisory on GitHub, the vulnerability affects the Rust standard library in version 1.77.1 and earlier.
The bug is fixed in version 1.77.2.
The technical explanation is that CVE-2024-24576 is an operating system command injection and argument injection vulnerability that happens because the library doesn’t “properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`,” the advisory explains.
“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”
The problem is the complexity of using Command::arg and Command::args in the Windows API, which provides a single string containing all the arguments to spawned processes, which have the job of splitting the string.
On non-Windows platforms this isn’t a problem.
However, Windows’s ‘cmd.exe’ has its own argument splitting logic, so if the Rust program calls it (for example to execute batch files), the standard library needs to implement custom escaping for arguments passed to batch files.
“Unfortunately, it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution,” the advisory stated.