Message-Id: <58856929-0ee4-435e-b0d6-97091ee10b43@app.fastmail.com>
Date: Wed, 04 Sep 2024 17:14:56 +0200
From: "Pietro Albini" <pietro@...troalbini.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-43402: Rust before 1.81.0 didn't fully fix argument escaping for
 batch files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On April 9th, 2024, the Rust Security Response WG disclosed [CVE-2024-24576][1],
where `std::process::Command` incorrectly escaped arguments when invoking batch
files on Windows. We were notified that our fix for the vulnerability was
incomplete, and it was possible to bypass the fix when the batch file name had
trailing whitespace or periods (which are ignored and stripped by Windows).

The severity of the incomplete fix is **low**, due to the niche conditions
needed to trigger it. Note that calculating the CVSS score might assign a
higher severity to this, but that doesn't take into account what is required to
trigger the incomplete fix.

The incomplete fix is identified by CVE-2024-43402.

## Overview

Refer to [the advisory for CVE-2024-24576][1] for details on the
original vulnerability.

To determine whether to apply the `cmd.exe` escaping rules, the original fix
for the vulnerability checked whether the command name ended with `.bat` or
`.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts
with no file extension.

Unfortunately, [Windows removes trailing whitespace and periods][2] when
parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`,
but our original fix didn't check for that.

## Mitigations

If you are affected by this and you are using Rust 1.77.2 or greater, you can
remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E)
from the batch file name before invoking it. With those characters stripped,
the name matches the existing `.bat`/`.cmd` check, so the incomplete fix no
longer gets in the way and the mitigations are applied.
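The following is an added example written for this page, not code from the Rust standard library or from the advisory. It shows in plain string logic why the original `.bat`/`.cmd` suffix check misses a name such as `script.bat. .`, and it implements the mitigation described above: a small helper that strips the trailing spaces and periods Windows ignores, so a caller on Rust 1.77.2 through 1.80.x can normalize the program name before handing it to `std::process::Command`. The function names (`naive_is_batch_file`, `normalize_program_name`, `is_batch_file`) and the sample file names are assumptions made for the example; the case-insensitive comparison is also an assumption, since the advisory does not describe the case handling of the original check.

```rust
// Added example (not the Rust standard library's own code). Windows strips
// trailing spaces (0x20) and periods (0x2E) when resolving a file name, so
// "script.bat. ." resolves to "script.bat". A suffix check on the raw string
// does not see that, which is the gap CVE-2024-43402 describes.

/// Check modelled on the original fix as the advisory describes it: does the
/// raw command name end in `.bat` or `.cmd`? (Case-insensitive comparison is
/// an assumption of this example.)
pub fn naive_is_batch_file(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    lower.ends_with(".bat") || lower.ends_with(".cmd")
}

/// Mitigation from the advisory: remove the trailing characters Windows
/// ignores (ASCII space and ASCII period) so the name the standard library
/// sees is the name Windows will actually open.
pub fn normalize_program_name(name: &str) -> String {
    name.trim_end_matches(|c: char| c == ' ' || c == '.').to_string()
}

/// Robust variant of the check: normalize first, then look at the suffix.
/// A name consisting only of spaces and periods normalizes to "" and is
/// therefore not treated as a batch file.
pub fn is_batch_file(name: &str) -> bool {
    naive_is_batch_file(&normalize_program_name(name))
}

fn main() {
    // Constructed sample names for the demonstration.
    let samples = ["script.bat", "script.bat. .", "RUN.CMD  ", "tool.exe"];
    for raw in samples {
        println!(
            "{:?}: naive check = {}, normalized = {:?}, robust check = {}",
            raw,
            naive_is_batch_file(raw),
            normalize_program_name(raw),
            is_batch_file(raw)
        );
    }
    // On an affected toolchain, build the command from the normalized name,
    // e.g. std::process::Command::new(normalize_program_name(raw)), so the
    // standard library's .bat/.cmd check matches and its escaping applies.
}
```

The point of the two checks side by side is the mismatch: `naive_is_batch_file("script.bat. .")` is `false` even though Windows will run `script.bat`, while `is_batch_file` agrees with what Windows actually opens. Rust 1.81.0 performs this normalization inside the standard library; on earlier versions the caller has to do it before constructing the `Command`.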

Rust 1.81.0, due to be released on September 5th 2024, will update the standard
library to apply the [CVE-2024-24576][1] mitigations to all batch file
invocations, regardless of the trailing characters in the file name.

## Affected versions

All Rust versions before 1.81.0 are affected if your code or one of your
dependencies invokes a batch script on Windows with trailing whitespace or
trailing periods in the name and passes untrusted arguments to it.

## Acknowledgements

We want to thank Kainan Zhang (@4xpl0r3r) for responsibly disclosing this to us
according to the [Rust security policy][3].

We also want to thank the members of the Rust project who helped us disclose
the incomplete fix: Chris Denton for developing the fix, Amanieu D'Antras for
reviewing the fix; Pietro Albini for writing this advisory; Pietro Albini,
Manish Goregaokar and Josh Stone for coordinating this disclosure.

[1]: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
[2]: https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters
[3]: https://www.rust-lang.org/policies/security