A critical security vulnerability, dubbed "BatBadBut," has been discovered in the Rust standard library, affecting all versions before 1.77.2 on Windows. The vulnerability, identified as CVE-2024-24576, has a CVSS score of 10.0 and allows an attacker to execute arbitrary shell commands by bypassing the escaping mechanism when invoking batch files with the Command API.
The "BatBadBut" vulnerability was discovered by security researcher RyotaK and responsibly disclosed to the Rust Security team.
According to RyotaK's blog post, the issue arises from the complex parsing rules of cmd.exe, the command prompt on Windows, which is implicitly spawned when executing batch files. The Rust standard library failed to properly escape command arguments for cmd.exe, allowing for potential command injection.
While the Command::arg and Command::args APIs in Rust guarantee that arguments will be passed to the spawned process as-is and will not be evaluated by a shell, the implementation on Windows is more complex.
The Windows API only provides a single string containing all the arguments, leaving the spawned process responsible for splitting them. Most programs use the standard C run-time argv, resulting in a consistent argument splitting behavior. However, cmd.exe has its own argument splitting logic, requiring custom escaping by the Rust standard library.
To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable. - RyotaK noted on the blog post.
In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.
The Rust Security team acknowledged that the existing escaping logic in the standard library was insufficient, making it possible for malicious arguments to bypass the escaping and lead to arbitrary shell execution. The severity of the "BatBadBut" vulnerability is considered critical if untrusted arguments are passed when invoking batch files on Windows.
BatBatBut - Not one CVE ID
While the initial focus was on the Rust programming language, it has come to light that the "BatBadBut" vulnerability extends beyond a single CVE identifier. The vulnerability affects multiple programming languages and tools, each assigned a different CVE ID based on the specific implementation and impact.
In addition to CVE-2024-24576, which pertains to the Rust standard library, "BatBadBut" also encompasses CVE-2024-1874, CVE-2024-22423 (affecting yt-dlp with a high risk score of 8.3), and CVE-2024-3566 (impacting Haskell, Node.js, Rust, PHP, and yt-dlp). This highlights the widespread nature of the vulnerability and the need for developers to assess their applications and dependencies across various programming languages and tools.
BatBadBut is not limited to a single CVE ID
| Product | CVE-2024-24576 | CVE-2024-3566 | CVE-2024-1874 | CVE-2024-22423 | Ref. | Vendor Statement |
|---|---|---|---|---|---|---|
| Haskell Programming Language |
Unknown |
Affected |
Unknown |
Unknown |
Link |
The Haskell process library is affected. We assigned HSEC-2024-0003 for this issue. A fix was released in process-1.6.19.0. |
| Node.js | Unknown |
Affected |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Rust | Affected |
Affected |
Not Affected |
Not Affected |
Link |
Rust is affected by this, and we issued CVE-2024-24576 to track the issue. Rust 1.77.2 fixes the vulnerability, and we recommend affected users to recompile their programs with the new compiler version. |
| PHP | Unknown |
Affected |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Yt-dlp | Not Affected |
Affected |
Not Affected |
Affected |
Link |
yt-dlp is affected and |
| Go Programming Language |
Unknown |
Not Affected |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| RedHat | Not Affected |
Not Affected |
Not Affected |
Not Affected |
N/A | No Statement received from the vendor. |
| Erlang Programming Language |
Unknown |
Unknown |
Unknown |
Unknown |
N/A | `erlang:open_port/1,2` with the `spawn` and `spawn_executable` options are vulnerable and should not be used with untrusted input. |
| Dart Programming Language |
Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Microsoft | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| MySQL | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| MySQL2 | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Oracle Corporation | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Perl Developers | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| PostgreSQL | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Python | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| R Programming Language |
Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| Ruby | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
| SQLite | Unknown |
Unknown |
Unknown |
Unknown |
N/A | No Statement received from the vendor. |
Mitigation
To address the "BatBadBut" vulnerability, the Rust team has released version 1.77.2, which includes a fix for the issue. The fix improves the robustness of the escaping code and modifies the Command API to return an InvalidInput error when it cannot safely escape an argument. This error will be emitted when spawning the process.
For developers who implement their own escaping or only handle trusted inputs on Windows, the CommandExt::raw_arg method can be used to bypass the standard library's escaping logic.
It is important to note that the vulnerability only affects Rust code running on Windows that executes batch files with untrusted arguments. Other platforms or uses on Windows are not impacted.
The Rust community has expressed gratitude to RyotaK for responsibly disclosing the vulnerability, Simon Sawicki (Grub4K) for identifying some of the adopted escaping rules, and the members of the Rust project who assisted in developing the fix, reviewing it, and coordinating the disclosure process.
Developers using Rust on Windows are strongly advised to update to version 1.77.2 as soon as possible to mitigate the risk of potential command injection attacks. It is crucial to ensure that untrusted input is properly validated and sanitized before being passed as arguments to batch files.