oh its FREE, defently a steal

From the cmd.c example from the beginning, could you also inject a command with this input? I was expecting something like this: Robert \" & ping \"google,com

I had a question but apparently KZbin comments are censored if you write anything that is slightly looking like a line of code or Windows commands... :(

Nice, I'll watch it on Memegen channel Kappa

When a discount? :(

I've heard something about "an injection", hope it helps.

If they can’t fit in the closet as solid children, DO NOT liquefy them to fit. It’s extremely hard separating liquids once they’re mixed.

I'm sending my flying car!

Oh nooo another VAX. lol

LLL should have appended an else-if statement to that

Exactly, this requires certain conditions to be met in order to be a viable attack. So yeah, this is maybe a 7 or lower out of 10 which should be patched soon anyway. heh

Windows is a vulnerability in and of its self.

CVE risk is determined by qualitative analysis, I think. Probably why it’s a 10/10

​@@pjderouen - Yes it's a higher quality vuln, but they forgot consider the quantitative part, meaning how many machines are being affected. Due to having to meet certain conditions, it's really not that widespread.

@@BillAnt I think the problem is that people assume CVE score to mean different thing that it actually does. The bug itself is 10/10, but how easy it is to find in wild is perhaps 2/10.

the difference is that that xz backdoor had not even reached production, it was only in the testing distributions when it was found. whereas this Rust vulnerability is actualyl in production, in the latest version of the language and most likely a lot more of the previous ones. So yeah you're right it doesn't compare with xz: xz was way less severe :)

@@unperrier5998 I hope you're being sarcastic. xz was an elaborate supply chain attack, or at the least it was supposed to be. While this vulnerability which is hardly a Rust vulnerability and more of Windows vulnerability is the classic case of unsanitized input creating problems. The most important thing to differentiate here is that the Rust bug only happens when accepting user input in very specific conditions, so the attack surface is already tiny. A backdoor in comparison is way more serious because just by using a backdoored version of a lib your software immediately becomes vulnerable, so this is a huge attack surface. Worst part is you wouldn't even realise this because the backdoor is in one of the dependencies and not in your own code.

@@wlockuz4467 no it's the same argument: you're saying Rust vulnerability is not as serious because it's not really used (the attack surface is small) and I'm saying xz vulnerability has a tiny attack surface because it wasn't in production, check it up.

@@unperrier5998 was this functionality supposed to sanitize user input? if there is no claim to use input sanitation for a given platform I would consider it programmer error. I remember the days where you had to watch every user input for injection on web, be it sql, js or something else, these days it is handled for you. not to mention someone needs to inject malicious input, which would most likely require some user action such copying commands from the inter webs

@@unperrier5998 It's not even a vulnerability it's just a small feature missing from command module.

I think the problem is that .args() is supposed to be the sanitization, and the bug is that it isn't

@@what42pizza yknow this is probably correct. i did not review the rust documentation before making my rage bait comment. if that’s the case it’s surprising to me that the bug is discovered now

@@HiYesThisIsJake Well, Java is Java, and nobody likes Java for a reason... I think because the expected cross-platform behaviour is for it to be sanitized, even ignoring security, this would be a bug in and of itself. Blaming Windows devs is also unfair here because the way that cmd.exe sees it, it has no way of knowing whether the input was sanitized or not, so it has to take what it sees at face value. A normal user chaining commands and injected code look no different to it.

​@@d-o-n-u-t It's because Rust's implementation for Command::new cannot just directly call Win32's CreateProcessA() function with a batch file as the application name. This is because the Windows docs state: "To run a batch file, you must start the command interpreter; set lpApplicationName to cmd.exe and set lpCommandLine to the following arguments: /c plus the name of the batch file. If Command::new directly called CreateProcessA() with the user's provided program name instead of as an argument to cmd.exe, this vulnerability wouldn't exist. Although this would mean that running a batch file from rust would have to be more explicit and look something like: Command::new("cmd.exe").arg("/c").arg("./test.bat") Which would make it a lot more obvious to the programmer that sanitisation is needed here.

There are lots of other languages confirmed to be affected. (Erlang, Go, Haskell, Java, Node.js, PHP, Python, Ruby) And yeah, now Rust got a dumb patch which simply disallows you to pass " into args. Because this is basically an unfixable fundamental Windows issue. Most other languages marked it as won't fix though, and I'm in their camp here.

Yeah same rating of xz, which is just a masterpiece of a backdoor

They really are.

You should create a better standard.

@@no_name4796 the 10/10 rating for xz was totally justified. It was technically just an RCE at root level vulnerability that anyone with the private key could access, in a fundamental core part of the Linux networking stack. That is BAD. Having the Rust CVE being limited to one niche use of the Rust standard library that could prove a program vulnerable in the right circumstances, does not equate to 10/10

​@@funkemunky literally he is agreeing with you

💯 agree. It also doesn't do privilege escalation and is local. This shouldn't be a 10.

Exactly

"EvEn UnITeD sTaTEs GOvErNmeNt ReCOmMeNdS It" is causing this sensational headline

For the clicks

I think the reason is that Rust released a very prominent security advisory to notify users while many other languages don't even plan to patch it. For example Python and Go only updated their documentation and Java won't get a patch at all. PHP and Node plan to patch it but don't have a patch for it yet. The PHP security advisory on GitHub is still inaccessible. It's unclear which other languages will even release advisories. At the moment, Haskell seems to be the only other language that has already patched it. Though ofc it's still very poor journalism to not figure that out and only report on the Rust issue.

Ya, for an application it's probably an easier call but for a language it's weird. Because I sure could see someone using this in a way that makes an application that warrants a 10/10 for the app, but does that make it a 10/10 for the language that implemented the feature that was supposed to stop it?

They should have an app for this, by inputting the vuln into an algorithm which should score it based on the conditions and severity running on a few or millions of machines.

Their rating system is silly, and doesn't Even take into account actual potential of the exploit. CVE-2020-19909 for example. Curl was found to have a bug where you could set a "retry delay" on an operation if it fails, and if this delay was too large (on the order of weeks or longer) the integer would overflow. They gave this a 9.8, simply because the bug involved an integer overflow, and there was a miniscule, non-plausivle chance of a DoS.

"I found a vulnerability in the pipe operator. If I pipe netcat into bash it's a remote code execution vulnerability" /jk of course But it's basically the logic they use for the 10/10 it COULD be used in a way where an online attacker could send malicious data that COULD be piped into a batch script and the entire server COULD run with elevated privileges. The logic however is pretty bad as almost every vulnerability (and in my example even expected features) can cause RCE. I don't see how CVSS handles "potential for undocumented pitfalls", so I assume that's why they put all the things that could happen into the score.

I think you meant "bad" not "hard" 🙁

Well, as of DOS: This gun cannot point anywhere else!

The problem is that issues that are less than this have been constantly pointed out in C by the same people that are now excusing Rust.

Your analogy would be apt if the documentation of the gun explicitly said that it is safe to point at your own feet.

So why do people blame C/C++ if all the faults can be blamed on the programmer?

@@rian0xFFF It was always just an excuse to build a more closed-down environment and tool that can be rug-pulled out from beneath you at any time. It only takes some light digging to find that rust has constant issues with activists running the show. They are growing increasingly litigious and controlling, especially if their whole trademarking fiasco from last year is anything to go by.

For the 10/10 you need to add: * Must be some sort of server that takes user input * Assume that an exec equivalent parameterize's / sanitizes user input. How is this even a rust CVE? It's a flaw in how cmd.exe parses arguments!

@@arthurmoore9488 I have to respectfully disagree. The & sign to CMD.exe is meant to run the next command after the other is run. This would work whether it was a bat file or some other command that was executed by CMD. No this isn't a 10/10 but it's exactly a command injection bug. To say it is CMD.exe fault would be the same as blaming oracle for command injections.

@@jphillips247 except Oracle (and other DBs) provide a means to do parametarized args. CMD.exe does not. That's the entire reason that this is more a CMD.exe issue and less of a Rust issue. Even in the classic SQL injection context we didn't really have foolproof (or mostly foolproof) solutions till the query engines natively supported parametarization.

@@jphillips247 the actual problem is developers. nobody blames the SQL language when your server gets hit with an injection attack, Rust provides nice easy APIs to easily remove characters from strings.

@@jphillips247 I was mostly partly being over the top, but not completely. The "safety" guarantee is that arguments are passed to the program being called without run through a shell. That obviously doesn't apply if the program you're running is a shell, like cmd.exe. .bat files are just cmd.exe with a few arguments already added. The difference is in Linux, trying the same command with a ".sh" file gives an error. The executable would have to be "/bin/sh", with the file as an argument. Making it clear that **parameterized**, not escaped, arguments are being passed to a shell. The way many other shells and similar fix this is by treating everything after " -- " (spaces are important) as arguments passed to the script. cmd.exe does not have anything like that, and cannot since it would likely break backwards compatibility. However, even in the Linux example, one of the arguments would have to be " -- " for that to function!

The only two CVE validators I trust are "Low Level Learning" and "John Hammond". Nuff' said. ;D

4:27 rofl

No this is rusts fault, the issue here is that rust is running your parameters as a part of the command, it matters not at all how the recipient program "is free to parse". You could call a program that doesnt even accept arguments and rust will just run it on the shell. Basically the function is called "arg()" but they actually implemented "appendRawCommandText()" and called it a day :/

@@hashbrown777 That's just not true, though. Up to this point Rust escaped the parameters in a way that the standard c argv parsing read them correctly. That's why this is a problem only for running batch files, as those are executed by cmd.exe, which is a special snowflake and requires different argument escaping. Of course, there could be other programs that behave like this on Windows, and the fundamental limitation here is the Windows API itself. One could argue, that the nice Command API with separate arguments should not be available on Windows, because it is impossible to safely implement due to OS limitations.

@@andrejsk6211 l agree. The only correct way to sanitize user input is to ensure sanitization is not required. This is why I feel dirty calling methods like "sanatize_for_xyz"...

​@@andrejsk6211oh this is specific to batch files? Yeah cmd sucks, but this isn't window's fault. Definitely not rust's fault either. If powershell and cygwin dont have the exploit, I'd say disable arg() (runtime exception) when calling a .bat and force people to put it all in the Command call; that'll force them to sanitise themselves

YUP?!

So you can write your backend logic in batch and use rust only for the frontend to interface with other things, obviously.

One could make a shortcut that runs a batch with Rust.

I once had to run a inline powershell script in node that converted office files to pdf files. For any sort of situation there is someone who's doing it.

Why not?

You remember incorrectly. That's how the batch shell works, not win32. PowerShell is free from this issue for example, but absolutely correct regarding cmd.exe, an awful, awful shell environment. The issue now though is that running legacy executables via better abi's becomes tricky because they try to compensate for cmd's poor parsing my doing it themselves, and sometimes you need to deliberately over-escape :/

@@hashbrown777 I think it is Win32 issue. At least CreateProcessA/GetCommandLineA functions accepts/returns single string instead of array of strings for arguments. Not sure PowerShell can work-around this. Only thing you have is to hope that program that you spawn adheres some standart of encoding arguments in single string. I.e. there is nothing Rust platform library can do right here to implement its API promise. There will be always possibility that some application do not parse its arguments as this library expects.

@@virkony apparently this is just an issue with calling batch files. So yeah, nothing wrong with win32, but also nothing wrong in rust with calling regular executables.

@@hashbrown777 Let's imagine that I'm writing regular executable in Win32 API. E.g. I have my WinMain with arguments passed in LPSTR lpCmdLine. As per documentation "The command line for the application, excluding the program name." which means that in that 𝐬𝐢𝐧𝐠𝐥𝐞 string we have all arguments and program name stripped off already for us. As a naïve developer I split it by spaces to get individual arguments. Now tell me: Which tricks Rust can possible take to ensure that this regular Win32 executable accepts as a first argument string with a space? And will it work for all other variations of regular executables?

It may not be 10/10 but it really puts a dent on the 'safety' armor of Rust.

@@haroldcruz8550 It really doesn't. Rust is supposed to be memory safe, not an enabler for bad choices.

imo they need to increase the scale to balance the power creep because the XZ backdoor having a 10/10 and then this having a 10/10 also is just silly

Jia Tan literally botnetted every x86 debian testing and unstable system in the world, but this command injection has compromised absolutely nobody

RUST has just hacked the CVE system by injecting itself indirectly. lol

this issue involves failing to sanitize the input and can result in arbitrary code execution, do you expect this be taken lightly

​@@rainthevaporeon7852 the bug is bad, yes, but it's not a defcon 1 type event. Yes it's a very dangerous bug, but to put it on the same level as XZ is atrocious. Needless to mention the pipeline of events that's required to take place in order for this vulnerability to be exploited is uncommon. Dangerous, but not a backdoor in open source code.

From the first link in the description of the video, the first paragraph: The Command::arg and Command::args APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.

had to same thought

I think the issue is that windows implicitly fires up a cmd.exe when you try to run a batch file.

@@zombi1034 Ah...that would explain why it's only a problem with .bat files.

@@zombi1034 Ah, I think I see the issue now.

Don't forget the C moto. The user knows exactly what they're doing. Stop warning me about mismatching in printf compiler!

Every bad C dev, sure :| Read the docs on what this function is supposed to do (hint; it wasn't supposed to run arg() on the shell)

@@hashbrown777 If the "application" you are calling is a shell script, then it doesn't matter... This is just not smart, this exploit works the same as if we called a bash file with only echo in it... When calling a shell script (batch or bash or sh, watever you want) it will call the shell to execute it with the parameters given to the script... How else do you want to execute a shell script?

@@Xamdify then that's an exploit in your called application? Counter, what if you're not calling a shell, you know, just calling tar, the arguments shouldn't ever see a shell, what are you even on about

@@hashbrown777 That is the point, the bug happens when you specifically call a shell script... not when you use other applications... Why do you think the example uses a batch script?

@@leeroyjenkins0 as i see it on video is mostly escaping problem or windows api wich expects concatenated string instead of two separate or maybe low familiarity of author with windows, but... still i saw rust praised for behaving well and keeping sane compatibility between systems comparing with go where situation is messy puting it lightly... Still i think this only exploitable if you are a github and must run windows scripts as a part of ci/cd or github actions... and maybe if some one writes some installation tool but still remote exploit is hard

@@leeroyjenkins0 yes you are right, but just call the name: it's DOS.

- problem found in thing i like - see? thing you like BAD!!! - thing i like gets fixed anyway - mfw

I don't thinks it's in issue of how batch files accept args, but the fact that batch files are *shell scripts* and are therefore executed by (to simplify it) string-replacing in the passed argument (which hasn't been touched by the 'outer (parent-process)' shell that the rust program was launched by) into the %1, and then letting an 'inner (child-process)' shell run each line of the batch file. This is (as others have said elsewhere in the comments) exactly the same behaviour you'd expect if you invoked a linux .sh file from rust - it would spawn /bin/sh (or whatever shell you have on your system) to execute the .sh file, with all the standard shell vulnerabilities. From what I can tell, this CVE seems to be addressing the fact that the docs state that the arguments will be passed directly to the child process without handling by the 'outer' shell, and not thinking of the fact that rust can't (and shouldn't) prevent you from spawning a child process which then itself (in this case being a shell) has unsafe argument handling. Hope that clears it up! Edit: looks like this was fixed in Rust 1.77.2, here's the official explanation: blog.rust-lang.org/2024/04/09/cve-2024-24576.html#overview

@@slimeistdev your explanation makes no sense. Command::new("./test.sh").arg(user_controlled_string) with echo $1 in test.sh is perfectly safe on POSIX compliant systems, so why should .bat on windows be any different. This is 100% an unexpected foot gun.

@@ruroruro Hm... Seems like I was wrong to assume that POSIX shell scripts would have the same issue. I totally agree that this is an unexpected foot gun, but it seems to me to be (or should be) more of cmd.exe's responsibility than rust's. Still good to see rust trying to protect us from ourselves :)

Not even a joke Windows itself is spyware and i don't trust they don't actually have malware or backdoors in it. Linux for the win

This

its not windows you can do this also with linux or any other os

What a fancy way to say skill issue

convert that bat to bash and run it on linux. it's not rust, windows nor linux fault

yes

Yes I don't really get a practical use of this either.

Almost every web app that controls a virtual machine, process, or piece of industrial hardware does exactly that.

@@Knirin they use .bat files? On Linux?

@@sas408 shell scripts and bat files are the same concept. I was more referring to the number of things like cpanel and cockpit that directly call other executables with user input.

nah this can happen in c, and c has 100x more ways to end up with RCE.

@@J-wm4ss of course it can happen in C and nobody cares because C is a real programming language designed for real developers not for LGBT therapy victims like rust

@@J-wm4ssI was joking. But as a systems language, it *should* be possible in C. I’m not onboard with the ‘safety enforced by language semantics’ nonsense. Natively enforced safety is censorship.

It's not a console call.. it's ".arg()", it literally guarantees sanitisation. You're running a Command(), not calling a Shell() You're confused, Rust is absolutely exhibiting a bug here

Can you disambiguate between your usage of Shell and Command here?

@@hashbrown777 No, it grantees **parameterization**. Calling cmd.exe with parameterized commands is dangerous. Who knew!?!

@bradywb98 I can probably help. Broadly speaking, "executable" is a binary program of machine instructions, "Command" is whatever is being asked to run, and, in this context "Shell" is something that runs a script. The confusion is that "Command" does NOT always mean "Executable". It does on Linux, but on Windows attempting to run anything but a ".exe" file causes it to run whatever program is associated with that file. So calling `Command::new("./test.bat")` is really the same as calling `Command::new("cmd.exe")`

I agree, I'm confused how this is considered a bug in rust when it seems like typical lack of sanitization issues. Was the expectation that it would be sanitized for you?

@@firepyro1281 Yes. `arg()` says in its documentation that any string you give it is passed as-is without the shell evaluating it. So this is a bug, it's just not as severe as github makes it out to be.

​@@ME0WMERE so if you use Command to run bash on Linux that's a bug in rust on Linux because it's running a shell, when the docs say it isn't running a shell? To me the docs are just saying it's passed through without modification, which is correct.

@@ME0WMERE No, you still have to be aware of what you're calling is doing with the input! This does not absolve you, the developer, of responsibility of knowing what the heck is actually going on! You can *literally* do the exact same "exploit" on Linux, but it requires, you, the developer, to be an idiot. Never trust user input! That's literally lesson #1 of anything "security" related!

Yup, there is nothing wrong with the executable. Rust is a systems programming language, man. The problem is that an operating system should be well structured with user priviledges so that it simply forbids execution of specific commands that are priviledge to root. And every sysadming that just runs downloaded programs without checking things should be fired. But hey, most companies like windows that still runs on an idiotic "dirty operating system" that never get's updated and is written badly. It's ensuring IT jobs.

It's a more proper solution because it's legal in the language whereas Rust uses unsafe specifically to allow you to do things the compiler deems illegal

So rust is no better than c++

​@@PixelThornNo, it just means that you still can't implicitly trust the user. This is true no matter the language

@@PixelThorn yeah I know right? When I realized that rust won't protect me from downloading malware from my computer I was extremely disappointed. but the final straw was when it occurred to me that rust wouldn't even make me any safer on a plane than the other non-rust passengers.

​@@brod515golden lmao. Idk what this guy wants from a language

The problem is that the whole point of .arg() is to sanitize the input, and this is the behavior across all other platforms except for Windows when running a BAT file.

@@tiranito2834 of course, exactly the reason why the OP has a point that the CVE level is overblown

@@tiranito2834 rust devs rely on the same magic that tells them man can be woman and vice versa

You don't need admin privileges to steal information. You could yoink the database password, dump the entire DB, or do any of a thousand other things. Attackers can be pretty creative.

Counterpoint. Maybe the person who assigned the score is one of those people who thinks rust should be a silver bullet. So anything that breaks that illusion must be off the charts bad.

​@@arthurmoore9488 That is more my take. The rust community is one giant script kiddie struggle session where everyone admits to having no idea what they are doing or how they ended up in front of a computer terminal. It's a bit of a shame. The goal of rust is great for teams working on high liability code where vulnerabilities must be minimized. But it's being glommed onto by a bunch of people who never belonged in programming or networking in the first place. The industry is rife with posers. I won't get into it too deep, but a friend of mine has been a NOC coordinator for a while and we've done penetration testing of various systems.... There's a lot of people, "very reputable", who can't even handle user account settings and basic features of their software suites, much less deal with software vulnerabilities.

I always thought the point of rust was the speed of C with the memory safety of JavaScript.. anyone using JavaScript knows that you can still write insecure code.

@@seeibe yes, that is the point (although one can still write memory leaks in (safe) Rust and some other problems) but some people think differently for some stupid reason

You know that the score is calculated based on objective criteria right? It's not just one guy saying whatever number sounds nice to them

Indeed! that's what is ridiculous about it. It's a silly "proof of concept" of which there is no "solution" that can be implemented to "protect" Rust from this "exploit." The real issue is the "developer" trusted user input! Huge mistake!

The first example is clearly unsanitized, however rust's std library said that arguments were passed directly to the program and so special chars didn't do anything. It was just recently updated to mention that Windows has weirdness with argument encoding that it can cause issues with unsafe input.

@@Jason9637 The docs said it wasn't evaluated by a shell, they are passed directly to the "command" being invoked. You still need to be aware of what the "command" is actually doing though!

@@Comeyd The docs need something like "unless the command being invoked is a shell (duh)" and "the command being invoked for shell scripts is a shell (obviously)".

At this point, merely using C is basically a 10/10.

Nope. Windows is so decrepit that the program being called (for batch programs, cmd.exe) gets to decide how escaping works.

@@michawhite7613 The same behavior can be triggered with any shell if the shell script isn’t written properly. Though cmd.exe may not have proper sanitization options in batch files.

@@michawhite7613 hahaha totally a windows issue let's all just start writing unsafe code then blame it on "decrepit OS not escaping characters on its own"

@@rusi6219 It literally happens on every programming language on Windows. You can do it in Python, C#, Java, Node.js, etc. As of now, Rust is the only language where you *can't* get this vulnerability.

@@michawhite7613 you literally can get this vulnerability on Rust and it's why we are even discussing it now LOL classic rustrany

C apologist?! 😂😂😂😂💀

It's also funny that Rust is not even comparable to C. Maybe you could compare it to C++ and the only Rust could be estimated to be the "better" language is due to C++ constantly adding unnecessary features.