A serious vulnerability in the Rust standard library has been disclosed that affects Windows users by enabling command injection attacks. Designated CVE-2024-24576 and carrying the maximum Common Vulnerability Scoring System (CVSS) score of 10.0, the flaw is severe. However, it only applies to situations where batch files are invoked on Windows with untrusted arguments.
The Rust Security Response working group, in an advisory issued on April 9, 2024, explained that the flaw arises because the Rust standard library did not properly escape arguments when launching batch files (those with the .bat and .cmd extensions) on Windows through the Command API. In effect, an attacker who controls an argument can execute arbitrary shell commands by bypassing the library’s escaping.
The vulnerability affects all Rust versions before 1.77.2 and was discovered and reported by security researcher RyotaK to the CERT Coordination Center (CERT/CC). RyotaK, who named the vulnerability “BatBadBut,” emphasized that it affects multiple programming languages and stems from the way these languages call the CreateProcess function on Windows while applying their own escaping to command arguments.
According to CERT/CC, the vulnerability underscores a broader issue wherein programming languages lack r
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents