Some of you may have seen headlines like this recently on the tech news sites saying that a critical flaw was found in Rust that allows you to do command injection attacks on Windows machines. And we have this nice little CVE here that's still pending a score from NIST as of April 13th, 2024, but GitHub and other places have rated this a 10 out of 10 critical bug. So, to put that in perspective, this vulnerability here is rated just as severely as the XZ vulnerability that basically backdoored the SSH process for most of the Linux servers out there on the internet, and probably involved a three-letter agency or a similar organization that has the resources to infiltrate the development of a compression library for years and years and become one of the main developers of that library before making some malicious commits to it. Log4j, another vulnerability that could let you hack into most machines out there on the internet because it was so ubiquitous, was also rated a 10 out of 10. So now you get the picture of vulnerabilities, you know, that allow a threat actor to easily take over lots of machines connected to the internet. Those are the kinds that generate that 10 out of 10 base score, because massive botnets are about as bad as things can get. But this vulnerability here is a little bit different. So if we read the description, it tells us: Rust is a programming language. The Rust Security Response Working Group was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the .bat and .cmd extensions) on Windows using the `Command` API. An attacker able to control the arguments that are passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.
So basically, if there's some Rust code running on a Windows PC that might end up interacting with some .bat files, and it's able to receive some kind of user input, then that user could get arbitrary remote code execution on the machine. But how many programs do you think are out there like that on the internet in the first place? I mean, you could probably count them on your fingers and toes, because this whole bit here is just a really weird thing to do in the first place. But in lieu of any real programs that we can try to break, we have a proof of concept that we can play around with to demonstrate the issue. So this was written by Frostbitten on GitHub, and as you can see here it's just some very basic Rust code that takes some user input, passes it into a .bat file here, and then that's going to get echoed out into the terminal. So if I test it out: `cargo run`, enter the payload here (I'm just going to put `test`), and then you can see that the string I entered, `test`, is getting echoed out from that .bat file. But if I were to do it again and type `hello` instead, then escape that with a double quote, put an ampersand, and then enter a command like `whoami`, well, as you can see, it actually executed that command, the `whoami` command. So you can imagine, if this was some kind of web application, obviously you wouldn't be interacting with it through a terminal, but you might be able to do this escape in a web form or the URL bar or anything else like that and get the same kind of system information, or you could also just execute other programs. If I run it again, type `hello`, escape that, and then `mspaint.exe`, as you can see Paint executed, right? It's because we can just execute anything we want. Oh man, that's a real crooked L. You don't want that type of guy executing remote code on your machine.
Now, it's also worth noting that this bug is not something that you can just fix with some user input validation on the command that's being called, because the escaping is actually happening on the call that's being made to the batch file. It's not just a matter of poor implementation on the developer's end. It's actually a vulnerability that requires an update, which the Rust team has put out, so if you're running Rust on Windows and you're doing this weird passing of user input to batch files, then you should definitely update, and maybe reconsider your design patterns, because, like I've been saying, this is just a very strange thing to do in the first place. But the point here is that the problem is not with Rust. It's actually with the Windows command prompt, cmd.exe. Like most Windows applications, it's unnecessarily bloated and complex, so some programming language runtimes fail to escape command arguments being sent to cmd.exe properly, and Rust is not the only programming language that has this issue. As you can see here, Erlang, Go, Haskell, Node.js, PHP, lots of different languages have this issue. Most of them have either updated their documentation to help developers avoid the bug, or they just straight up patched the language, so if you're running the latest version of Rust, for example, this bug is not going to work.
Now, Java, in classic fashion, has just said that they won't fix this bug, and they're not going to update their documentation either. And I can kind of feel that, because, like I've been saying this whole time, the idea of taking user input and then just passing that to a batch script on the back end of a Windows machine is already pretty out there. But I'll tell you what, if there is an application out there that's doing this, it's probably written in Java, and it's probably written in an old version of Java at that. But we do have some other examples of this bug in some other languages; these other proofs of concept in Go and Python were written by Brains93, so this will just demonstrate that it isn't just a Rust issue. So here we have, I guess, more or less the same thing in Go. I mean, I'm not as familiar with Go, but just by looking at it, you know, I can kind of tell that you're taking user input and passing it to the batch file. So let's run this, I think it's `go run` and the name of the file, and enter my payload here. So again, if we just do `test` then everything works correctly, but if I put in, well, it doesn't matter what you put in, as long as it's just a string then it's going to output the string. But if we escape it, put our ampersand, and then do `calc.exe`, we can spawn the calculator, right? We can do `hello` and `systeminfo.exe`. So again, this is not something that you would want a random user to be able to run on your machine and see this kind of information.

We can do the same thing with Python as well. So again, it's just taking user input, it's using subprocess. These are basically different libraries that these languages are using to interact with things like the Windows command line, basically the system tools, right? So you have this for Linux, you have this for Mac, and this is why, if you do the same thing effectively on Linux, it wouldn't be a batch script but it would be like a bash script or something like that, and you don't get a problem, right? You could do the same thing on, I think, Macs. They also use bash, or maybe they use zsh, but regardless, this is just something that's really a problem with cmd.exe. So we do it with Python, and we enter `hello`, and it just gives us "argument received: hello". We add in that extra double quote, that ampersand, and we'll just do another `calc`. Boom, it spawns a calculator for us. Arbitrary remote code execution, or I guess in this case it's really just local code execution, which is maybe not that big of a deal, right? This is just how I shut down my computer, guys, right? That's all this is. And what does it shut down? `shutdown` S F T 00, that's just my nifty little shutdown command. So there you go, right, just to give you an example of something actually malicious that you could do, you know, just shut down somebody's PC remotely.

So as far as mitigating this problem goes, if you're using Haskell, Node.js, PHP, Rust, or whatever, just update the language and you should be good. But the real advice here is to stop passing remote user input to batch files. Like, just saying that out loud, passing remote user input to batch files on a Windows machine has the same energy as freebasing cocaine to get your day started. Just because you can do it doesn't mean that you should do it. But what you should do is check out my online store, base.wim, get yourself some great merch like the Come and Find a tee or the Little Daemon hoodie, and pay in Monero (XMR) at checkout to save 10% automatically. Those are good ideas. Passing arbitrary user input to batch files: not great ideas.
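The defensive counterpart to the proof-of-concept discussed above, as an added example that is not code from the video or from the proof-of-concept authors: a Rust program that validates an untrusted argument against an allow-list before handing it to a batch file, so that a payload like `hello"&whoami` is rejected before it can reach cmd.exe regardless of whether the toolchain has the 1.77.2 escaping fix. The allow-list policy, the metacharacter list used for error messages, and the `demo.bat` path are assumptions made for this example.

```rust
use std::io;
use std::process::Output;

/// Characters cmd.exe treats specially when parsing a .bat/.cmd command line.
/// Assumed list for this example; it is only used to name the offending
/// character in an error message. The allow-list below is what is enforced.
const CMD_METACHARS: &[char] = &['"', '&', '|', '<', '>', '^', '%', '!', '\n', '\r'];

/// Allow-list check for an untrusted argument destined for a batch file.
/// Accepts only ASCII letters, digits, space, '-', '_' and '.', with a length
/// cap. (Policy is an assumption for this example; adapt it to your inputs.)
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.len() <= 256
        && arg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, ' ' | '-' | '_' | '.'))
}

/// Validates `arg`; on failure the error names the first cmd.exe metacharacter
/// found (e.g. the `"` in the video's payload) so the rejection can be logged.
pub fn validated_batch_arg(arg: &str) -> Result<String, String> {
    if is_safe_batch_arg(arg) {
        return Ok(arg.to_string());
    }
    match arg.chars().find(|c| CMD_METACHARS.contains(c)) {
        Some(c) => Err(format!(
            "rejected argument: contains cmd.exe metacharacter {:?}",
            c
        )),
        None => Err("rejected argument: outside allow-list, empty, or too long".to_string()),
    }
}

/// Runs `script` (a .bat/.cmd path) with one validated argument. On Windows,
/// std::process::Command spawns batch files through cmd.exe, which is where the
/// unescaped-argument bug in Rust < 1.77.2 lived; validating first keeps the
/// program safe even on an unpatched toolchain.
#[cfg(windows)]
pub fn run_batch(script: &str, untrusted_arg: &str) -> io::Result<Output> {
    use std::process::Command;
    let arg = validated_batch_arg(untrusted_arg)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    Command::new(script).arg(arg).output()
}

/// Batch files are a cmd.exe concept, so non-Windows builds refuse outright
/// rather than silently doing something different.
#[cfg(not(windows))]
pub fn run_batch(_script: &str, _untrusted_arg: &str) -> io::Result<Output> {
    Err(io::Error::new(
        io::ErrorKind::Unsupported,
        "batch files are only meaningful on Windows",
    ))
}

fn main() {
    // Constructed inputs: the benign string from the video and the injection payload.
    for input in ["test", "hello\"&whoami"] {
        match validated_batch_arg(input) {
            Ok(a) => println!("accepted: {a}"),
            Err(e) => println!("{e}"),
        }
    }
    // "demo.bat" is a placeholder path. On Windows this spawns it with the
    // validated argument; elsewhere run_batch returns an Unsupported error.
    if let Err(e) = run_batch("demo.bat", "test") {
        println!("run_batch: {e}");
    }
}
```

The allow-list is deliberately the enforced check rather than the deny-list: escaping rules for cmd.exe are the part that several runtimes got wrong, so a program that only admits characters it has a reason to accept does not depend on getting those rules right. Logging the rejection message gives a simple detection signal for injection attempts against the endpoint.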