A Critical Vulnerability In Windows Batch file Execution

A command injection flaw was found in Rust, exclusive to Windows environments. When invoking batch files on Windows using the Command API, Rust explicitly uses cmd.exe which has complicated parsing rules for arguments. If an attacker can control part of the command arguments of the batch file, this could bypass the argument escaping and inject arbitrary shell commands.

An overview of the vulnerability

This issue arises when invoking batch files (with .bat and .cmd extensions) on Windows using the Command API. Specifically, the standard library failed to properly escape arguments, potentially allowing an attacker to execute arbitrary shell commands by bypassing the escaping mechanism.

This vulnerability is identified as CVE-2024-24576 and is considered critical when handling untrusted arguments for batch files on Windows. Fortunately, no other platforms or use cases are affected by this issue.

The Command::arg and Command::args APIs are designed to pass arguments to spawned processes as is, without shell evaluation. This design should ensure the safe handling of untrusted input.

However, implementing this functionality on Windows is more complex due to how the Windows API handles arguments. Windows provides a single string containing all arguments, leaving it to the spawned process to split them. Most programs use the standard C run-time argv, leading to a generally consistent argument-splitting process.

An exception to this is cmd.exe, which executes batch files and has its own argument-splitting logic. This unique handling forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately, the escaping logic in Rust was insufficient, allowing malicious arguments to lead to arbitrary shell execution.

Mitigations

Given the complexity of cmd.exe, a universal solution that correctly escapes arguments in all cases was not identified. To address this, the Rust team hardened the escaping code and modified the Command API to return an InvalidInput error when an argument cannot be safely escaped. The error is raised when the process is spawned. Because the new escaping logic for batch files errs on the conservative side, it may reject some arguments that are in fact valid, which developers should be prepared to handle.

The fix is included in Rust 1.77. For developers who implement their own escaping or only handle trusted inputs, it is possible to use the CommandExt::raw_arg method on Windows to bypass the standard library’s escaping logic.

All Rust versions prior to 1.77.2 are affected if the code or its dependencies execute batch files with untrusted arguments on Windows. Other platforms and use cases on Windows are not impacted.
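The defensive pattern described above, as an added example (this is neither the standard library's escaping code nor Armur's): a conservative pre-check that refuses batch-file arguments containing cmd.exe metacharacters, combined with handling the InvalidInput error that Command itself returns at spawn time since Rust 1.77.2. The metacharacter list and the sample arguments are constructed for the example and are stricter than what std enforces.

```rust
use std::io;
use std::process::Command;

/// Characters cmd.exe interprets while parsing batch-file arguments: command
/// separators, redirection, the caret escape, %VAR%/!VAR! expansion, quotes,
/// grouping and line breaks. Constructed, deliberately conservative list.
const CMD_META: &[char] =
    &['&', '|', '<', '>', '^', '%', '!', '"', '(', ')', '\r', '\n', '\0'];

/// Reject any argument carrying a cmd.exe metacharacter instead of trying to
/// escape it. Uses the same error kind (InvalidInput) that std reports when it
/// cannot safely escape an argument, so callers handle both the same way.
pub fn validate_batch_arg(arg: &str) -> io::Result<&str> {
    match arg.chars().find(|c| CMD_META.contains(c)) {
        Some(c) => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("argument {arg:?} contains cmd.exe metacharacter {c:?}"),
        )),
        None => Ok(arg),
    }
}

/// Build a Command for a batch script, validating every argument first.
pub fn batch_command(script: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(script);
    for a in args {
        cmd.arg(validate_batch_arg(a)?);
    }
    Ok(cmd)
}

fn main() {
    // Constructed inputs: a benign file name and one carrying a command separator.
    for arg in ["report-2024.txt", "report.txt&echo"] {
        match batch_command("build.bat", &[arg]) {
            Err(e) => println!("pre-check rejected: {e}"),
            // Even if a pre-check is skipped, std (Windows, >= 1.77.2) performs
            // its own check when spawning and returns ErrorKind::InvalidInput.
            Ok(mut cmd) => match cmd.output() {
                Ok(out) => println!("exit status: {}", out.status),
                Err(e) if e.kind() == io::ErrorKind::InvalidInput => {
                    println!("std rejected argument at spawn: {e}")
                }
                Err(e) => println!("spawn failed: {e}"),
            },
        }
    }
}
```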

Armur: Enhancing Security For Developers

To ensure that your code is not prone to vulnerabilities of this kind, it is good practice to conduct a code security review, and Armur offers one of the most trusted developer security toolkits, powered by AI and LLMs.

To stay updated with the latest security discussions, you can join our Discord server, where we share insights and learning resources on SecOps, DevSec and Red Teaming. Additionally, you can try out Armur and get 100 free credits.