Recent CVE-2024-24576 vulnerability in Rust could allow unauthorized commands to run

Interestingly, Microsoft integrated Rust into MS365's Substrate App Platform a little while ago


Key notes

  • Rust disclosed a critical security flaw in its standard library that could allow unauthorized shell commands; it is fixed in version 1.77.2.
  • Because of the complexities of cmd.exe, foolproof argument escaping proved impossible.
  • The Command API's escaping was upgraded, and CommandExt::raw_arg is offered as an alternative for Windows users.

The Rust project, maintainers of the popular programming language, has announced that it detected a security flaw in the standard library that could allow attackers to execute unauthorized shell commands.

The vulnerability, tracked as CVE-2024-24576, is fixed in Rust version 1.77.2, according to the announcement.

“The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected,” the announcement reads.

The Rust team explained that, because cmd.exe on Windows handles arguments in complicated ways, especially when invoking batch files, they could not find a foolproof way to escape arguments in all situations.

“Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are split,” the team adds.

To stay on the safe side, they improved the escaping code and changed the Command API to return an InvalidInput error whenever it cannot safely escape an argument; the error is raised at the point the process is spawned.

If you are handling trusted inputs or want to do your own escaping, there is an alternative method on Windows, CommandExt::raw_arg, that you can use instead.
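As an added illustration (not code from the Rust project or from this article), here is how a caller might wrap the patched Command API: the InvalidInput error from the standard library is surfaced as its own case, a conservative pre-check rejects cmd.exe metacharacters before spawning, and CommandExt::raw_arg is reserved for input the caller has already vetted. The script path, the metacharacter list and the function names are assumptions of this example.

```rust
use std::io::{self, ErrorKind};
use std::process::{Command, Output};

// Characters cmd.exe interprets when a batch file's arguments are re-parsed.
// Rejecting them is this example's own conservative pre-check, not part of the Rust fix.
const CMD_METACHARS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '\r', '\n'];

/// True when `arg` contains none of the cmd.exe metacharacters above.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.chars().any(|c| CMD_METACHARS.contains(&c))
}

/// Either our pre-check rejected an argument, the standard library (1.77.2+)
/// refused to escape one, or the spawn failed for an unrelated reason.
#[derive(Debug)]
pub enum BatchError {
    RejectedArg(String),
    UnescapableArg(io::Error),
    Io(io::Error),
}

/// Runs `script` (a .bat/.cmd path chosen by the caller) with untrusted `args`
/// through the normal Command API, leaving escaping to the standard library.
/// Since Rust 1.77.2, spawning returns ErrorKind::InvalidInput on Windows when an
/// argument cannot be escaped safely; that case is surfaced as UnescapableArg.
pub fn run_batch_untrusted(script: &str, args: &[&str]) -> Result<Output, BatchError> {
    if let Some(bad) = args.iter().find(|a| !is_safe_batch_arg(a)) {
        return Err(BatchError::RejectedArg(bad.to_string()));
    }
    match Command::new(script).args(args).output() {
        Ok(out) => Ok(out),
        Err(e) if e.kind() == ErrorKind::InvalidInput => Err(BatchError::UnescapableArg(e)),
        Err(e) => Err(BatchError::Io(e)),
    }
}

/// For input the caller has already vetted, CommandExt::raw_arg bypasses the
/// library's escaping entirely (Windows only; correctness is on the caller).
#[cfg(windows)]
pub fn run_batch_trusted(script: &str, raw: &str) -> io::Result<Output> {
    use std::os::windows::process::CommandExt;
    Command::new(script).raw_arg(raw).output()
}

fn main() {
    match run_batch_untrusted("build.bat", &["release", "x64"]) {
        Ok(out) => println!("exit status: {}", out.status),
        Err(e) => eprintln!("refused or failed: {e:?}"),
    }
}
```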

Interestingly, Microsoft has been working to adopt Rust. A little while ago, we reported that the Redmond company is adopting the language in MS365’s Substrate App Platform and hiring for a new team dedicated to the effort.