Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases
Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but researchers found ways to circumvent the protections.
April 11, 2024
The Rust Project has issued an update for its standard library, after a vulnerability researcher discovered a specific function used to execute batch files on Windows systems could be exploited using an injection flaw.
The set of common functions included with Rust programming language, known as the standard library, offers the ability — among its many other capabilities — to execute Windows batch files through the Command API. The function, however, did not process the inputs to the API rigorously enough to eliminate the possibility of injecting code into the execution, according to a Rust Security Response Working Group advisory published April 9.
While Rust is well known for its memory-safety features, the incident underscores that the programming language is not proof against logic bugs, says Yair Mizrahi, a senior vulnerability researcher at application-security firm JFrog.
"Overall, Rust's memory safety is a notable advantage, but developers must also pay close attention to the potential for logical bugs to ensure the overall security and reliability of their Rust-based applications," he says. "To address such logical issues, Rust encourages a rigorous testing and code review process, as well as the use of static analysis tools to identify and mitigate logical bugs."
Rust has gained a reputation for being a very secure programming language, because it does not leave applications open to the often-severe class of flaws known as memory-safety vulnerabilities. Google has attributed a drop in memory-unsafe code to the shift to memory-safe languages, such as Rust and Kotlin, while Microsoft found that up until 2018, when it shifted to memory-safe language, such vulnerabilities regularly accounted for 70% of all security issues.
Windows Poses a Batch of Issues
The latest issue is not a memory-safety vulnerability, but a problem with the logic used to process untrusted input. Part of Rust's standard library allows the developer to call a function to send a batch file to the Windows machine for processing. There are reasons for submitting code to the host as a batch file, says Joel Marcey, director of technology at Rust Foundation, which supports the programming language's maintainers and the Rust ecosystem.
"Batch files are run for many reasons on systems, and Rust provides an API to allow you to execute those fairly easily," he says. "So while this is not necessarily the most common use case for Rust, the API, before the fixed patch was implemented, allowed for malicious actors to theoretically take over your system by running arbitrary commands, and this is definitely a critical vulnerability."
Typically, a developer can forward a workload to the Windows host to be executed as a batch process through the Command applications programming interface (API), part of the standard library. Typically, Rust guarantees the safety of any call to the Command API, but in this case, the Rust Project could not find a way to prevent the execution of all arguments, primarily because Windows does not adhere to any sort of standard, and that the API could allow an attacker to submit code that would then be executed.
"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution," according to the Rust Security Response WG.
Rust Project Proves Responsive
While dealing with any vulnerability can be a headache, the Rust Project has shown that the group quickly resolves issues, say experts. The standard library vulnerability, CVE-2024-24576, is ultimately an issue with the Windows batch-processing problem and affects other programming languages, if they do not adequately parse the arguments sent to the Windows batch process. The Rust Project appears to be the first out the door with a fix for passing arguments to the Windows CMD.exe process, says JFrog's Mizrahi.
The groups could not completely eliminate the issue, but the Command API will not return an error when any augments passed to the function could be unsafe, the Rust Project said.
JFrog's Mizrahi urges Rust to broaden its use of static application security testing and expand the use of fuzzing and dynamic testing.
"Overall, Rust is on the right track by emphasizing memory safety and encouraging rigorous testing practices," he says. "Combining these efforts with continued advancements in static analysis and fuzzing can help the Rust community and the broader software industry make significant strides in addressing logical bugs and input validation flaws in the years to come."
About the Author
You May Also Like