Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).

RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the “programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments.”

The vulnerability, per CERT/CC, is the result of programming languages lacking adequate validation mechanisms when invoking commands within a Microsoft Windows environment, thereby permitting attackers to execute arbitrary code that’s disguised as arguments to the command.

“The complete impact of this vulnerability depends on the implementation that uses a vulnerable programming language or such a vulnerable module,” it added.

But in light of the fact that not every programming language has addressed the problem, developers are being recommended to exercise caution when executing commands on Windows.

“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.

“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”

Update

Patches have also been released by maintainers of Haskell, Node.js, PHP, and yt-dlp to address the command injection bug -

• CVE-2024-3566 (CVSS score: N/A) - Haskell
• CVE-2024-27980 (CVSS score: N/A) - Node.js
• CVE-2024-1874 (CVSS score: 9.4) - PHP
• CVE-2024-22423 (CVSS score: 8.4) - yt-dlp

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.