Come learn about C networking and threading at lowlevel.academy 😎

@ItsCOMMANDer_

Ай бұрын

oh its FREE, defently a steal

@Alfred-Neuman

Ай бұрын

From the cmd.c example from the beginning, could you also inject a command with this input? I was expecting something like this: Robert \" & ping \"google,com

@Alfred-Neuman

Ай бұрын

I had a question but apparently KZread comments are censored if you write anything that is slightly looking like a line of code or Windows commands... :(

@eugenej.5584

Ай бұрын

Nice, I'll watch it on Memegen channel Kappa

@izqsunoizquierdo885

Ай бұрын

When a discount? :(

Instructions unclear, the children are hidden in the closet and are staying there indefinitely

@Sool101

Ай бұрын

I've heard something about "an injection", hope it helps.

@TheLazyVideo

Ай бұрын

If they can’t fit in the closet as solid children, DO NOT liquefy them to fit. It’s extremely hard separating liquids once they’re mixed.

@qwertgfhxc

Ай бұрын

I'm sending my flying car!

@BillAnt

Ай бұрын

Oh nooo another VAX. lol

@rusi6219

Ай бұрын

LLL should have appended an else-if statement to that

For a 10/10 I'd expect that any compiled rust code that takes an input to be vulnerable.

@BillAnt

Ай бұрын

Exactly, this requires certain conditions to be met in order to be a viable attack. So yeah, this is maybe a 7 or lower out of 10 which should be patched soon anyway. heh

@pluto8404

Ай бұрын

Windows is a vulnerability in and of its self.

@pjderouen

Ай бұрын

CVE risk is determined by qualitative analysis, I think. Probably why it’s a 10/10

@BillAnt

Ай бұрын

​@@pjderouen - Yes it's a higher quality vuln, but they forgot consider the quantitative part, meaning how many machines are being affected. Due to having to meet certain conditions, it's really not that widespread.

@user255

Ай бұрын

@@BillAnt I think the problem is that people assume CVE score to mean different thing that it actually does. The bug itself is 10/10, but how easy it is to find in wild is perhaps 2/10.

They rated this 10/10? CVEs are such a joke

@no_name4796

Ай бұрын

Yeah same rating of xz, which is just a masterpiece of a backdoor

@antikommunistischaktion

Ай бұрын

They really are.

@codyhen8710

Ай бұрын

You should create a better standard.

@funkemunky

Ай бұрын

@@no_name4796 the 10/10 rating for xz was totally justified. It was technically just an RCE at root level vulnerability that anyone with the private key could access, in a fundamental core part of the Linux networking stack. That is BAD. Having the Rust CVE being limited to one niche use of the Rust standard library that could prove a program vulnerable in the right circumstances, does not equate to 10/10

@witherking2537

Ай бұрын

​@@funkemunky literally he is agreeing with you

To put it in comparison, its the same score as the xz backdoor that was recently uncovered. Its so ridiculous. Jia Tan probably died inside when he saw the severity score.

@unperrier5998

Ай бұрын

the difference is that that xz backdoor had not even reached production, it was only in the testing distributions when it was found. whereas this Rust vulnerability is actualyl in production, in the latest version of the language and most likely a lot more of the previous ones. So yeah you're right it doesn't compare with xz: xz was way less severe :)

@wlockuz4467

Ай бұрын

@@unperrier5998 I hope you're being sarcastic. xz was an elaborate supply chain attack, or at the least it was supposed to be. While this vulnerability which is hardly a Rust vulnerability and more of Windows vulnerability is the classic case of unsanitized input creating problems. The most important thing to differentiate here is that the Rust bug only happens when accepting user input in very specific conditions, so the attack surface is already tiny. A backdoor in comparison is way more serious because just by using a backdoored version of a lib your software immediately becomes vulnerable, so this is a huge attack surface. Worst part is you wouldn't even realise this because the backdoor is in one of the dependencies and not in your own code.

@unperrier5998

Ай бұрын

@@wlockuz4467 no it's the same argument: you're saying Rust vulnerability is not as serious because it's not really used (the attack surface is small) and I'm saying xz vulnerability has a tiny attack surface because it wasn't in production, check it up.

@fulconandroadcone9488

Ай бұрын

@@unperrier5998 was this functionality supposed to sanitize user input? if there is no claim to use input sanitation for a given platform I would consider it programmer error. I remember the days where you had to watch every user input for injection on web, be it sql, js or something else, these days it is handled for you. not to mention someone needs to inject malicious input, which would most likely require some user action such copying commands from the inter webs

@rohithkumarbandari

Ай бұрын

@@unperrier5998 It's not even a vulnerability it's just a small feature missing from command module.

Vulnerability 1 - Windows Vulnerability 2 - .bat files Vulnerability 3 - A programmer that wants to run .bat files from his rust code Vulnerability 4 - The specific rare use case mentioned by the CVE

@arthurmoore9488

Ай бұрын

For the 10/10 you need to add: * Must be some sort of server that takes user input * Assume that an exec equivalent parameterize's / sanitizes user input. How is this even a rust CVE? It's a flaw in how cmd.exe parses arguments!

@jphillips247

Ай бұрын

@@arthurmoore9488 I have to respectfully disagree. The & sign to CMD.exe is meant to run the next command after the other is run. This would work whether it was a bat file or some other command that was executed by CMD. No this isn't a 10/10 but it's exactly a command injection bug. To say it is CMD.exe fault would be the same as blaming oracle for command injections.

@Xankill3r

Ай бұрын

@@jphillips247 except Oracle (and other DBs) provide a means to do parametarized args. CMD.exe does not. That's the entire reason that this is more a CMD.exe issue and less of a Rust issue. Even in the classic SQL injection context we didn't really have foolproof (or mostly foolproof) solutions till the query engines natively supported parametarization.

@itsentdev

Ай бұрын

@@jphillips247 the actual problem is developers. nobody blames the SQL language when your server gets hit with an injection attack, Rust provides nice easy APIs to easily remove characters from strings.

@arthurmoore9488

Ай бұрын

@@jphillips247 I was mostly partly being over the top, but not completely. The "safety" guarantee is that arguments are passed to the program being called without run through a shell. That obviously doesn't apply if the program you're running is a shell, like cmd.exe. .bat files are just cmd.exe with a few arguments already added. The difference is in Linux, trying the same command with a ".sh" file gives an error. The executable would have to be "/bin/sh", with the file as an argument. Making it clear that **parameterized**, not escaped, arguments are being passed to a shell. The way many other shells and similar fix this is by treating everything after " -- " (spaces are important) as arguments passed to the script. cmd.exe does not have anything like that, and cannot since it would likely break backwards compatibility. However, even in the Linux example, one of the arguments would have to be " -- " for that to function!

I also find it weird that they singled out Rust for this because it affects many libraries across many languages, just Windows cmd.exe not escaping things correctly. Why specifically target Rust? (Answer: sensational news story)

@joe_ferreira

Ай бұрын

💯 agree. It also doesn't do privilege escalation and is local. This shouldn't be a 10.

@LowLevelLearning

Ай бұрын

Exactly

@sporkionsuz-beero4744

Ай бұрын

"EvEn UnITeD sTaTEs GOvErNmeNt ReCOmMeNdS It" is causing this sensational headline

@lpbigfish3730

Ай бұрын

For the clicks

@1vader

Ай бұрын

I think the reason is that Rust released a very prominent security advisory to notify users while many other languages don't even plan to patch it. For example Python and Go only updated their documentation and Java won't get a patch at all. PHP and Node plan to patch it but don't have a patch for it yet. The PHP security advisory on GitHub is still inaccessible. It's unclear which other languages will even release advisories. At the moment, Haskell seems to be the only other language that has already patched it. Though ofc it's still very poor journalism to not figure that out and only report on the Rust issue.

"This gun is defective, every time I load it, point it at my foot and pull the trigger, it shoots me!"

@stzi7691

Ай бұрын

Well, as of DOS: This gun cannot point anywhere else!

@rusi6219

Ай бұрын

The problem is that issues that are less than this have been constantly pointed out in C by the same people that are now excusing Rust.

@JochCool

Ай бұрын

Your analogy would be apt if the documentation of the gun explicitly said that it is safe to point at your own feet.

@rian0xFFF

Ай бұрын

So why do people blame C/C++ if all the faults can be blamed on the programmer?

@hcolider2817

13 күн бұрын

@@rian0xFFF It was always just an excuse to build a more closed-down environment and tool that can be rug-pulled out from beneath you at any time. It only takes some light digging to find that rust has constant issues with activists running the show. They are growing increasingly litigious and controlling, especially if their whole trademarking fiasco from last year is anything to go by.

i dont really understand how this is a bug. if you pass an unsanitized input, you get injections, skill issue

@julesoscar8921

Ай бұрын

Because maybe devs expected to sanitize the input in the bat script

@what42pizza

Ай бұрын

I think the problem is that .args() is supposed to be the sanitization, and the bug is that it isn't

@andrewdupper973

Ай бұрын

@@what42pizza yknow this is probably correct. i did not review the rust documentation before making my rage bait comment. if that’s the case it’s surprising to me that the bug is discovered now

@d-o-n-u-t

Ай бұрын

@@HiYesThisIsJake Well, Java is Java, and nobody likes Java for a reason... I think because the expected cross-platform behaviour is for it to be sanitized, even ignoring security, this would be a bug in and of itself. Blaming Windows devs is also unfair here because the way that cmd.exe sees it, it has no way of knowing whether the input was sanitized or not, so it has to take what it sees at face value. A normal user chaining commands and injected code look no different to it.

@baileyharrison1030

Ай бұрын

​@@d-o-n-u-t It's because Rust's implementation for Command::new cannot just directly call Win32's CreateProcessA() function with a batch file as the application name. This is because the Windows docs state: "To run a batch file, you must start the command interpreter; set lpApplicationName to cmd.exe and set lpCommandLine to the following arguments: /c plus the name of the batch file. If Command::new directly called CreateProcessA() with the user's provided program name instead of as an argument to cmd.exe, this vulnerability wouldn't exist. Although this would mean that running a batch file from rust would have to be more explicit and look something like: Command::new("cmd.exe").arg("/c").arg("./test.bat") Which would make it a lot more obvious to the programmer that sanitisation is needed here.

if you are running a windows server, this is probably your least problem

It gets at the heart of why CVSS scoring is hard - there's no consideration for "how commonly is this used like this?"

@gregoryreimer869

Ай бұрын

Ya, for an application it's probably an easier call but for a language it's weird. Because I sure could see someone using this in a way that makes an application that warrants a 10/10 for the app, but does that make it a 10/10 for the language that implemented the feature that was supposed to stop it?

@BillAnt

Ай бұрын

They should have an app for this, by inputting the vuln into an algorithm which should score it based on the conditions and severity running on a few or millions of machines.

@109Rage

Ай бұрын

Their rating system is silly, and doesn't Even take into account actual potential of the exploit. CVE-2020-19909 for example. Curl was found to have a bug where you could set a "retry delay" on an operation if it fails, and if this delay was too large (on the order of weeks or longer) the integer would overflow. They gave this a 9.8, simply because the bug involved an integer overflow, and there was a miniscule, non-plausivle chance of a DoS.

@Ether_Void

Ай бұрын

"I found a vulnerability in the pipe operator. If I pipe netcat into bash it's a remote code execution vulnerability" /jk of course But it's basically the logic they use for the 10/10 it COULD be used in a way where an online attacker could send malicious data that COULD be piped into a batch script and the entire server COULD run with elevated privileges. The logic however is pretty bad as almost every vulnerability (and in my example even expected features) can cause RCE. I don't see how CVSS handles "potential for undocumented pitfalls", so I assume that's why they put all the things that could happen into the score.

@ten8468

Ай бұрын

I think you meant "bad" not "hard" 🙁

Agreed, I saw this headline and read into it further and immediately clicked off when I learned of its actual nature.

@BillAnt

Ай бұрын

The only two CVE validators I trust are "Low Level Learning" and "John Hammond". Nuff' said. ;D

why run a batchfile with rust..? edit: this is clickbait and not even specific to rust but cmd/batch..?

@LowLevelLearning

Ай бұрын

YUP?!

@bultvidxxxix9973

Ай бұрын

So you can write your backend logic in batch and use rust only for the frontend to interface with other things, obviously.

@DanTDMJace

Ай бұрын

One could make a shortcut that runs a batch with Rust.

@zaper2904

Ай бұрын

I once had to run a inline powershell script in node that converted office files to pdf files. For any sort of situation there is someone who's doing it.

@hansdampf2284

Ай бұрын

Why not?

I suppose the issue is more related to how Windows executes script files in general, I expect this sort of issue to be present with just about anything that is supported via the ShellExecute or CreateProcess APIs. Every program on Windows is free to parse its command line in any way it sees fit, there's no real concept of arguments or standardized escape sequences for quoted arguments or such, it's all handled on an app-by-app basis and I know for a fact some do not not support any form of escaping. IIRC you can even edit an environment variable to change which file extensions are run by the command processor, which means even if a programming language tried to detect what it thought was happening, it could still be subject to timing attacks.

@seanhdka

Ай бұрын

4:27 rofl

@hashbrown777

Ай бұрын

No this is rusts fault, the issue here is that rust is running your parameters as a part of the command, it matters not at all how the recipient program "is free to parse". You could call a program that doesnt even accept arguments and rust will just run it on the shell. Basically the function is called "arg()" but they actually implemented "appendRawCommandText()" and called it a day :/

@andrejsk6211

Ай бұрын

@@hashbrown777 That's just not true, though. Up to this point Rust escaped the parameters in a way that the standard c argv parsing read them correctly. That's why this is a problem only for running batch files, as those are executed by cmd.exe, which is a special snowflake and requires different argument escaping. Of course, there could be other programs that behave like this on Windows, and the fundamental limitation here is the Windows API itself. One could argue, that the nice Command API with separate arguments should not be available on Windows, because it is impossible to safely implement due to OS limitations.

@djyotta

Ай бұрын

@@andrejsk6211 l agree. The only correct way to sanitize user input is to ensure sanitization is not required. This is why I feel dirty calling methods like "sanatize_for_xyz"...

@hashbrown777

Ай бұрын

​@@andrejsk6211oh this is specific to batch files? Yeah cmd sucks, but this isn't window's fault. Definitely not rust's fault either. If powershell and cygwin dont have the exploit, I'd say disable arg() (runtime exception) when calling a .bat and force people to put it all in the Command call; that'll force them to sanitise themselves

If I remember correctly DOS/WIndows share that limitation that there is no standard way to quote arguments because it is not a shell that parses them, but a process itself that is spawned by shell. I.e. you'll need to quote depending on which program you run.

@hashbrown777

Ай бұрын

You remember incorrectly. That's how the batch shell works, not win32. PowerShell is free from this issue for example, but absolutely correct regarding cmd.exe, an awful, awful shell environment. The issue now though is that running legacy executables via better abi's becomes tricky because they try to compensate for cmd's poor parsing my doing it themselves, and sometimes you need to deliberately over-escape :/

@virkony

Ай бұрын

@@hashbrown777 I think it is Win32 issue. At least CreateProcessA/GetCommandLineA functions accepts/returns single string instead of array of strings for arguments. Not sure PowerShell can work-around this. Only thing you have is to hope that program that you spawn adheres some standart of encoding arguments in single string. I.e. there is nothing Rust platform library can do right here to implement its API promise. There will be always possibility that some application do not parse its arguments as this library expects.

@hashbrown777

Ай бұрын

@@virkony apparently this is just an issue with calling batch files. So yeah, nothing wrong with win32, but also nothing wrong in rust with calling regular executables.

@virkony

Ай бұрын

@@hashbrown777 Let's imagine that I'm writing regular executable in Win32 API. E.g. I have my WinMain with arguments passed in LPSTR lpCmdLine. As per documentation "The command line for the application, excluding the program name." which means that in that 𝐬𝐢𝐧𝐠𝐥𝐞 string we have all arguments and program name stripped off already for us. As a naïve developer I split it by spaces to get individual arguments. Now tell me: Which tricks Rust can possible take to ensure that this regular Win32 executable accepts as a first argument string with a space? And will it work for all other variations of regular executables?

I just read the CVE description before coming here and was really surprised to see it rated 10/10. At first I thought I'd misread the description because the mitigating factors (requires you to be executing a Windows batch file AND the attacker has the ability to arbitrarily control the input arguments) are quite strong. I'm not really into Rust, but did find it odd that the vulnerability is making the headlines as somehow specific to Rust, when it's also present in (at least) Erlang (unpatched), Go (unpatched), Haskell, Java ("won't fix"), NodeJS, PHP, Python and Ruby.

I recently submitted some bugs to Microsoft about Windows. I was able to demonstrate how to bypass inTune security controls and execute code that is supposed to be blocked. Because it required local machine access they dismissed it. Then you get this one which also requires local access and somebody else reckons it's the worst thing ever. It's sideways. Rust issue is bad but nowhere near catastrophic. The windows issue i found is not nothing and could be used by malware authors to get their malware to execute when imtune restrictions were supposed to stop it.

Guys, i don't want to worry you, but I just found this critical vulnerability where if i execute "shutdown" from rust, my computer turns off. 10/10 CVE.

While it's unfortunate that Rust was blamed for this problem, it does highlight a flaw in one of the oldest shells in computing history, dating back to OS/2. It's also worth noting that this issue is not unique to Rust; rather, it is a problem that requires a patch from Microsoft. This CVE shouldn't actually exist considering the history of the command shell. Sure, it's a bug; just not CVE worthy in the slightest.

@hashbrown777

Ай бұрын

I mean saying it's "not unique to Rust" is a bit disingenuous. That's like saying if curl started sending https data via post in cleartext it isn't curls fault because that's how tcp is and just a result of an old protocol that the user should sanitise (encrypt) their body. If rust is using the cmd.exe shell directly they absolutely are responsible for fixing this. They should be using win32. Cmd.exe is the worst thing still allowed to live. PowerShell has no such issue, but again, rust should NOT BE SHELLING OUT to run a command!

@definitelyno

Ай бұрын

I agree except for the last sentence.

@tototitui2

Ай бұрын

Dating back to dos that is a clone of cp/m...

@N....

Ай бұрын

@@hashbrown777 Actually, the issue is that Windows passes the batch file name and arguments to cmd.exe, regardless of what Rust does or can choose to do. Then cmd.exe parses the command line in its own special way that is different from what the default C Runtime argument parser does, so escaping works differently. This issue is worsened by the fact there's an environment variable of valid extensions to be run by cmd.exe, so even if Rust tried to predict when it needed to use different argument escaping logic, it could still fall victim to timing attacks. This is just an inherent incompatibility between the API Rust wants to expose and the actual API of the underlying operating system.

@denic6861

Ай бұрын

@@hashbrown777yes, but HTTPS is a standardized protocol and there exists handshakes and such to establish a connection. Windows makes the child process handle “arguments” and such. Because there are a variety of different possibilities for how these cases are handled, then it wouldn’t make sense for the standardized function to begin removing data that the developer supplies. Say escape sequences are recognized in parameter parsing in a binary, then rust would break and require a third party in order to interact with this specific binary. Albeit this is a small use case, language maintainers have to choose between developer experience and operation support when building their standard library. Most will opt for operation support, so that’s why languages like Java have decided not to do anything about this issue.

Every C dev right now: isn’t this doing exactly what it’s supposed to do?

@stolenlaptop

Ай бұрын

Don't forget the C moto. The user knows exactly what they're doing. Stop warning me about mismatching in printf compiler!

@hashbrown777

Ай бұрын

Every bad C dev, sure :| Read the docs on what this function is supposed to do (hint; it wasn't supposed to run arg() on the shell)

@Xamdify

Ай бұрын

@@hashbrown777 If the "application" you are calling is a shell script, then it doesn't matter... This is just not smart, this exploit works the same as if we called a bash file with only echo in it... When calling a shell script (batch or bash or sh, watever you want) it will call the shell to execute it with the parameters given to the script... How else do you want to execute a shell script?

@hashbrown777

Ай бұрын

@@Xamdify then that's an exploit in your called application? Counter, what if you're not calling a shell, you know, just calling tar, the arguments shouldn't ever see a shell, what are you even on about

@Xamdify

Ай бұрын

@@hashbrown777 That is the point, the bug happens when you specifically call a shell script... not when you use other applications... Why do you think the example uses a batch script?

Giving this a 10/10 rating just drops the integrity of the CVSS system. Giving it a CVE is just a process, but this is barely even a bug, it's expected behaviour.

@tacokoneko

Ай бұрын

imo they need to increase the scale to balance the power creep because the XZ backdoor having a 10/10 and then this having a 10/10 also is just silly

@tacokoneko

Ай бұрын

Jia Tan literally botnetted every x86 debian testing and unstable system in the world, but this command injection has compromised absolutely nobody

@BillAnt

Ай бұрын

RUST has just hacked the CVE system by injecting itself indirectly. lol

@rainthevaporeon7852

Ай бұрын

this issue involves failing to sanitize the input and can result in arbitrary code execution, do you expect this be taken lightly

@yung_megafone

Ай бұрын

​@@rainthevaporeon7852 the bug is bad, yes, but it's not a defcon 1 type event. Yes it's a very dangerous bug, but to put it on the same level as XZ is atrocious. Needless to mention the pipeline of events that's required to take place in order for this vulnerability to be exploited is uncommon. Dangerous, but not a backdoor in open source code.

10/10 was the XZ backdoor that shook the FOSS world two weeks ago. I'm not a huge fan of rust myself, but I agree this doesn't look like a 10/10 vulnerability at all.

@haroldcruz8550

Ай бұрын

It may not be 10/10 but it really puts a dent on the 'safety' armor of Rust.

@Nina-cd2eh

Ай бұрын

@@haroldcruz8550 It really doesn't. Rust is supposed to be memory safe, not an enabler for bad choices.

The true vulnerability is Windows.

@no_name4796

Ай бұрын

Not even a joke Windows itself is spyware and i don't trust they don't actually have malware or backdoors in it. Linux for the win

@theblckbird

Ай бұрын

This

@florianmartingrimm8055

Ай бұрын

its not windows you can do this also with linux or any other os

This is just the rust version of the c “system” call. We’ve known about input validation for what 40 years now?

Awesome video! It is already fixed in Rust 1.77.2

@Blaineworld

Ай бұрын

- problem found in thing i like - see? thing you like BAD!!! - thing i like gets fixed anyway - mfw

This is more of a bug with batch than anything. Wtf is with the CVE system these days?!?

Also, if the input is the user who run the binary, then it's not even a high risk operation. To be so bad as it sounds, the input actually also needs to be taken from a source that is not controlled by the admin and it is very unlikely that someone has written a program that fetches from arguments from an untrusted source and sends those as arguments to a batch file call. Might be out there in the wild, but I agree, this is far from 10/10.

Took me way longer than I’d like to admit to realize this doesn’t involve the Steam game Rust, haha.

Is this really a bug? Seems like intended behavior to me.

@JochCool

Ай бұрын

From the first link in the description of the video, the first paragraph: The Command::arg and Command::args APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.

@ETBCOR

Ай бұрын

had to same thought

@zombi1034

Ай бұрын

I think the issue is that windows implicitly fires up a cmd.exe when you try to run a batch file.

@ErikBongers

Ай бұрын

@@zombi1034 Ah...that would explain why it's only a problem with .bat files.

@oglothenerd

Ай бұрын

@@zombi1034 Ah, I think I see the issue now.

Thank you for the breakdown! This was very helpful for me to understand the topic. Better than articles I've read about it ;)

Why this is marked as bug in Rust? It is not bug in rust. This bug in library and i don't know how to expliot it remote? You must write some service wich runs bat...

@AK-vx4dy

Ай бұрын

@@leeroyjenkins0 as i see it on video is mostly escaping problem or windows api wich expects concatenated string instead of two separate or maybe low familiarity of author with windows, but... still i saw rust praised for behaving well and keeping sane compatibility between systems comparing with go where situation is messy puting it lightly... Still i think this only exploitable if you are a github and must run windows scripts as a part of ci/cd or github actions... and maybe if some one writes some installation tool but still remote exploit is hard

@stzi7691

Ай бұрын

@@leeroyjenkins0 yes you are right, but just call the name: it's DOS.

4:24 yeah windows! Hide your children, am soo dead 🤣🤣🤣💀

I think the 10/10 is warranted, but maybe not the level of focus on Rust. It is notable because Rust has such a focus on security, but a lot of languages got this wrong because the Windows API for doing this is kinda broken. Meaning, there isn't a safe way to do it in Windows at all without the caller going to extreme lengths. There's only so much a caller can do about a bad underlying API.

@florianmartingrimm8055

Ай бұрын

convert that bat to bash and run it on linux. it's not rust, windows nor linux fault

basic C shits itself just by watching at it and people get upset that after giving full control to the user, the user exploits the command

Sure, and flammable things can self ignite if you set them on fire. Somebody should register wood as CVE-69-420, because it's clearly extremely dangerous.

you would expect Command::new("thing").arg("arg") to work in the way the execl/execvp functions do, where the shell is not involved in parsing the args. Do windows batch files only accept args in one long string or something or does rust just not bother and concatenate the args in a call to the shell?

@slimeistdev

Ай бұрын

I don't thinks it's in issue of how batch files accept args, but the fact that batch files are *shell scripts* and are therefore executed by (to simplify it) string-replacing in the passed argument (which hasn't been touched by the 'outer (parent-process)' shell that the rust program was launched by) into the %1, and then letting an 'inner (child-process)' shell run each line of the batch file. This is (as others have said elsewhere in the comments) exactly the same behaviour you'd expect if you invoked a linux .sh file from rust - it would spawn /bin/sh (or whatever shell you have on your system) to execute the .sh file, with all the standard shell vulnerabilities. From what I can tell, this CVE seems to be addressing the fact that the docs state that the arguments will be passed directly to the child process without handling by the 'outer' shell, and not thinking of the fact that rust can't (and shouldn't) prevent you from spawning a child process which then itself (in this case being a shell) has unsafe argument handling. Hope that clears it up! Edit: looks like this was fixed in Rust 1.77.2, here's the official explanation: blog.rust-lang.org/2024/04/09/cve-2024-24576.html#overview

@ruroruro

Ай бұрын

@@slimeistdev your explanation makes no sense. Command::new("./test.sh").arg(user_controlled_string) with echo $1 in test.sh is perfectly safe on POSIX compliant systems, so why should .bat on windows be any different. This is 100% an unexpected foot gun.

@slimeistdev

Ай бұрын

@@ruroruro Hm... Seems like I was wrong to assume that POSIX shell scripts would have the same issue. I totally agree that this is an unexpected foot gun, but it seems to me to be (or should be) more of cmd.exe's responsibility than rust's. Still good to see rust trying to protect us from ourselves :)

if I want to pass some batch instructions as args, how I do it if they sanitize it by default

I don't understand how is it Rust's problem? I can write this in C++, python, Java whatever I want. The problem is between monitor and chair in case of such code.

I really thought something bad happened, oh well. At least I found an RCE (or ACE in singleplayer) in a game I play the other week. Started learning a bit more about exploitation since that, it's a great topic

I have a geniune question, how do you learn so fast about bugs and security issues? It seems that I only learn that from yt. Ofc I am not related to security at all I am just wondering.

How is unchecked user input a LANGUAGE PROBLEM? In C that is a feature. From what you explained, it works exactly how it is intended. It's up to the programmer to validate their inputs, like what?

Isnt this issue common to many languages and actually unfixable due to the custom parsing logic in windows? The "fix" is actually just a mitigation

This is mentioned in the docs for the impl of Command::arg(). Not sure when this was added, but is specifically calls out .bat file args as vectors for malicious attacks. It then gives instructions for using `raw_arg` for implementing non-standard arg encoding. Anyone know more?

Me: Installing Linux xz backdoor: 🗿🗿🗿 Me: Installing Rust on Windows Rust critical 10/10 vulnerability for Windows: 🗿🗿🗿

I think the 10/10 might be supposed to mean "this is critical when using Command in rust and passing user provided arguments to it", not "this is critical when using rust". The score tells you how bad it is if you're vulnerable. This is a very annoying part of the scoring system, because if you have dependency scanning, you get annoying critical alerts all the time for stuff you're not vulnerable to in 99% of cases. But it has to work like this to alert the 1% that are vulnerable. The rest just hast to ignore the alert.

really good summary !

That’s why the government was endorsing it.

@J-wm4ss

Ай бұрын

nah this can happen in c, and c has 100x more ways to end up with RCE.

@rusi6219

Ай бұрын

@@J-wm4ss of course it can happen in C and nobody cares because C is a real programming language designed for real developers not for LGBT therapy victims like rust

@jose-lael

Ай бұрын

@@J-wm4ssI was joking. But as a systems language, it *should* be possible in C. I’m not onboard with the ‘safety enforced by language semantics’ nonsense. Natively enforced safety is censorship.

What keyboard are you using! Sounds amazing 😃

The good thing is that there are ways to prevent this vulnerability by sanitizing input and avoiding calling command lines from your program. Also, validate user input with a regex.

@PixelThorn

Ай бұрын

So rust is no better than c++

@arctic_line

Ай бұрын

​@@PixelThornNo, it just means that you still can't implicitly trust the user. This is true no matter the language

@brod515

Ай бұрын

@@PixelThorn yeah I know right? When I realized that rust won't protect me from downloading malware from my computer I was extremely disappointed. but the final straw was when it occurred to me that rust wouldn't even make me any safer on a plane than the other non-rust passengers.

@rico_1617

Ай бұрын

​@@brod515golden lmao. Idk what this guy wants from a language

@d-o-n-u-t

Ай бұрын

The problem is that the whole point of .arg() is to sanitize the input, and this is the behavior across all other platforms except for Windows when running a BAT file.

Who would have thought that allowing unsanitized user input into a console call would result in a vulnerability 😱. No seriously, if you get bit by this somehow I'm sorry but maybe you only should ever touch user-facing code again after at least a couple more years of mentorship. There never was guarantees of sanitation and you have to run console interpreter in order to run .bat or .cmd files, this is just a non-bug I'm sorry

@hashbrown777

Ай бұрын

It's not a console call.. it's ".arg()", it literally guarantees sanitisation. You're running a Command(), not calling a Shell() You're confused, Rust is absolutely exhibiting a bug here

@bradywb98

Ай бұрын

Can you disambiguate between your usage of Shell and Command here?

@arthurmoore9488

Ай бұрын

@@hashbrown777 No, it grantees **parameterization**. Calling cmd.exe with parameterized commands is dangerous. Who knew!?!

@arthurmoore9488

Ай бұрын

@bradywb98 I can probably help. Broadly speaking, "executable" is a binary program of machine instructions, "Command" is whatever is being asked to run, and, in this context "Shell" is something that runs a script. The confusion is that "Command" does NOT always mean "Executable". It does on Linux, but on Windows attempting to run anything but a ".exe" file causes it to run whatever program is associated with that file. So calling `Command::new("./test.bat")` is really the same as calling `Command::new("cmd.exe")`

Alright, gotta know, that keyboard sounding pretty awesome, what are you using?

It's crazy the backdoor and this has the same cve rating.

presumably there's a standard function that can be wrapped around the call to .arg() that escapes characters that would allow 'breaking out' of a command with quotes?

The standard programatic way to pass arguments to a shell command is not sanitizing the input, not even quotes, and that hadn't been caught before?

The new KZread arrangement of recommendations and comments rated 10/10 from me...

Amazing video, thanks

How is this different than doing Command::new("rm -rf /* --no-preserve-root")?

I feel like this vulnerability got so much fuss about it is because of logging. Many projects straight up log everything that happens in their code. Imagine you have user login and each successful request logs their email or username. You could easily use that for RCE.

all programming langiages can do that - that's nuts

Is this a vulnerability i did something like this with using python os.system i didn't know it was a vulnerability. I thought developer need to filter the user input before passing it.

To sum up, if you allow your program to execute an arbitrary script AND accept arbitrary input as parameters to that script, that's bad. Yeah, not a Rust issue.

This made me realize that I have some really risky and unsanitized calls to subproess that totally could be epxloited... And its even remote to some extend . Maybe I should add eords of caution and provide a sandbox. Would have been great if you can show the logic error in the rust source and how to mitigate it. Since thats the information I kinda require to do better myself

I understand and agree with your concerns about the rating. Though I am merely an armchair observer with no direct insight into the CVE decision-making process or affiliation with any involved entities, I believe I can offer a useful perspective. Perhaps adopting an ‘a+b/20’ scoring system could better differentiate between bug severity and likelihood of exploitability. This approach could be analogous to the FAA’s ‘Swiss cheese’ model, which is used to understand how random, primarily accidental factors align to cause air disasters. In contrast, computer security usually deals with honest mistakes that align to allow usually malignant actors to forcibly breach systems. Given the high severity of the bug but largely theoretical exploitability, the 10/10 rating might seem excessive. It is essential for anyone executing unsanitized data on Windows from an untrusted source to assess their application for potential impacts. This vulnerability requires a very specific set of circumstances to be exploitable, which suggests that while all developers should check their code, the real-world risk might be less immediate than the rating suggests.

Brother I'm a C apologist and I agree that's utterly silly. That's barely a vulnerability!

@abdirahmann

Ай бұрын

C apologist?! 😂😂😂😂💀

When I hear 10/10, I hear "Remote vulnerability, remote execution, it's everywhere, xz backdoor, https noodles butter cup attack..."

This can happen in normal batchfiles as well. This sound more like a programmer error by skipping any string sanitation. This is how SQL injections work, too. I think they set this as CVE, because people make servers in Rust and this oversight _may_ affect them. It's more like a warning for bad coding then an actual vulnerability.

CVSS scores are interesting because recent XZ Utils backdoor was rated as 10/10, too, but it was 10 only for the attacker that knows the not-yet-published private key that matches the public key in the backdoor. For everybody else the CVSS score should have been maybe 3/10 because the backdoor can be used to increase CPU load and cause remote DoS because of consuming CPU resources.

The only reason this has CVSS base score 10/10 is because the "Security Researcher" that reported this issue wanted to have "Rust 10/10 CVE" in their CV. This is not a security vulnerability in Rust but in the piece of software that uses Rust to launch a .bat file and gives it the user input as parameter. If I write a piece of PHP code that executes "bash -c $escaped_userinput" where $escaped_userinput = escapeshellarg($userinput) call, it's not a security vulnerability in PHP nor bash but in my code only. Windows .bat files simply execute strings even without "-c" flag.

Agree. Maybe part of the hype is because of how hard Rust evangelists push the language as the "secure" language (compared to C)? Some people really lean into this fantasy that when you program in Rust you don't have to worry about security and CVEs will be a thing of the past.

@rusi6219

Ай бұрын

It's also funny that Rust is not even comparable to C. Maybe you could compare it to C++ and the only Rust could be estimated to be the "better" language is due to C++ constantly adding unnecessary features.

Standard injection attack, standard solution (user input sanitisation). These expectations of handholding, from a system language moreover, is baffling

@burnin8orable

Ай бұрын

Yeah this doesn't seem like a vulnerability with Rust itself. I can write python such as this, "os.system(input().strip())" and that would be a security problem with my code, not the python standard library. It's like arguing that chef's knives should be designed to only cut food and never fingers, instead of training chefs to use the knives properly. Update: I wrote this comment when I was unaware of what the args() function is intended to do. It's definitely a problem, but nowhere near a 10/10.

@alagaika8515

Ай бұрын

That's why you don't use os.system in python, you use subprocess.run with an array of strings, which are mapped onto the arguments array inside the called program, without any interpretation of any shell. Afaik there are system calls that allow you to spawn a process and pass an array of arguments, without any injection possibility because no interpretation by a shell is required. But it seems Windows does chis differently.

@bzuidgeest

Ай бұрын

I think it's not handholding, people just expected it to work the same as with SQL. Those people made a mistake. People expect basic sanity checks to be already included in the libraries and often that is the case. The basic checks are boilerplate no reason to have everyone write them again. So they should be included in the library.

@definitelyno

Ай бұрын

@@alagaika8515 subprocess.run would also be vulnerable if i understand things correctly due to the parsing of the command line when running bat/cmd files. It invokes a shell.

@seeibe

Ай бұрын

​@@bzuidgeestThat's the problem with implicit sanity checks. You forget about them until an instance where they're not there.

Last video I watched from you was how much better Rust is (than C) as it has all the security management built in 😅

@tiranito2834

Ай бұрын

who would have guessed that relying on magic isn't safe? lots of guarantees that don't really add up to anything more than smoke won't save you from actually sanitizing your user input yourself. By hand. Like C devs do.

@mph8759

Ай бұрын

@@tiranito2834 of course, exactly the reason why the OP has a point that the CVE level is overblown

@rusi6219

Ай бұрын

@@tiranito2834 rust devs rely on the same magic that tells them man can be woman and vice versa

@tiranito2834

Ай бұрын

@@rusi6219 Again, as I replied to your other comment, 100% agreed, and I say this unironically.

So when a user at their chair using their computer gets a terminal prompt and recives control for input....they can use their conputer to run their own commands on their computer?

I think its a cve in the same way that "press 1 to rm rf /" program is a cve?

Honestly this is just a sanitation issue. The Command Class should probably force sanitation of the arg input, but the developer should also be aware that sanitation is needed. I don't find this to be a vulnerability of the STD: Library as much as I find it to be a vulnerability of the developers software. 100% agree, this should NOT be a 10/10 security classification.

Is it ok to use scanf like that?

To me this seems very similar to a sql injection. It only appears if you use the software in a specific way. Nobody is calling the very use of SQL a 10/10 security risk just because if you set it up in a certain way you can allow for injection attacks.

I have a theory why it's classified as 10/10: For some reason a sizeable chunk of Rust devs view Rust as a silverbullet to nearly all (if not even sometime literally all) security problems. I hope that they are a minority, but they exist. And I can't comprehend why they exist, but I had some interactions with them. So, maybe this is classified as a 10/10 to "shake them". Not a fan of (ab)using CVEs for this, but could be the case.

@tiranito2834

Ай бұрын

100% agreed. I've also come across many people like that. Let me tell you, the great majority of the Rust user base is like that. Classifying this CVE as 10/10 is stupid, but I really do hope it gets all of those Rust devs off their high horse and makes them realise that writing good code is the only way to get your program to do what it has to do, that relying on magic functions to do things for you rather than sanitizing your inputs yourself will only lead to problems, and it's literally the same situation they criticise in C... it seems like all the "skill issue" people were not so wrong after all, huh? wow, shocker! who would have thought that actually making sure that your program is correct rather than relying on magic and promises was going to lead to a far better result?!?! who would have thought that Rust is not magic and cannot protect you from every single problem under the sun!?!?!? etc etc...

@arthurmoore9488

Ай бұрын

Counterpoint. Maybe the person who assigned the score is one of those people who thinks rust should be a silver bullet. So anything that breaks that illusion must be off the charts bad.

@Aim54Delta

Ай бұрын

​@@arthurmoore9488 That is more my take. The rust community is one giant script kiddie struggle session where everyone admits to having no idea what they are doing or how they ended up in front of a computer terminal. It's a bit of a shame. The goal of rust is great for teams working on high liability code where vulnerabilities must be minimized. But it's being glommed onto by a bunch of people who never belonged in programming or networking in the first place. The industry is rife with posers. I won't get into it too deep, but a friend of mine has been a NOC coordinator for a while and we've done penetration testing of various systems.... There's a lot of people, "very reputable", who can't even handle user account settings and basic features of their software suites, much less deal with software vulnerabilities.

@seeibe

Ай бұрын

I always thought the point of rust was the speed of C with the memory safety of JavaScript.. anyone using JavaScript knows that you can still write insecure code.

@kuhluhOG

Ай бұрын

@@seeibe yes, that is the point (although one can still write memory leaks in (safe) Rust and some other problems) but some people think differently for some stupid reason

Literally the purpose of system() in almost all languages is to run commands though. Which is why you must be super careful in calling it and must never pass unchecked user input into it unless you literally are wanting to write a shell that runs with current permissions. With all that entails. Sounds more like a feature than a bug.

comment section full of knowledegable ppl man, love this channel & people who are willing to share knowledge!

CVSS scores are basically a calculation based on the factors that go into the vulnerability. In this case, I don't think I agree with the way that those factors were determined. Attack vector: network for instance: it isn't clear to me (though that might just be me) how this would be exploited over the network. Privileges required: none - how about the privilege to be able to execute commands? It looks like the CVSS calculation was first done by one of the people in the Rust team. I'm really confused why they would mark the vulnerability like this.

It should also be mentioned that this vulnerability is not just in Rust. Several other languages' stdlibs are "vulnerable", e.g. python's. Rust just documents that arguments passed to arg/args are properly sanitized, and so this is a problem. Also they're one of the first to roll out a fix, so this made more noise. In comparison, other languages just updated the documentation to say "you're on your own LOL" and we all know nobody is going to ignore those warnings right? Also, the issue was first yt-dlp where it is actually exploitable (note that it is written in python and doesn't use Rust's command, it just the same wrong sanitization assumptions problem)

10/10 should mean nation-states are getting worried about the vulnerability/repercusions of it. Something that puts the biggest companies, institutions and infrastructure in serious risk if immidiate action is not taken. XZ had the potential to be that, but because of the fortunate timing I don’t think even it deserves the 10/10 rating. That, or we need another scale that accurate accounts for the actual worst case scenarios in our tech-dependent society. Unless the banks have started handling transactions on rust-software running on windows, I can’t possibly see how this should be in the same category as those scenarios.

Why not refer the input and trim shell args before acting on the string

Talk about edge cases. This is something that can be done in many languages. However, it's always a good idea to have the args tokenized into a list instead of a raw string. That API should be fixed.

I'm just expecting the CVE ratings to soon do spinal top and go 11 out of 10

If this CVE is a 10/10, then a hypothetical CVE that allows unauth-RCE on Windows, without using a batch file, without using Rust, without the user doing a thing should be 11/10 or maybe 12/10

I was puzzled if there was something here I just didn't get after reading about the vulnerability, but it seems like you ended up at the same place as I did. Just a sanitizer function not working as advertised

Golden shower for Rust.

How is the command ran? How is a new process spawned? In Linux I would expect this kind of functionality to be implemented with fork and exec sys calls, the "arg" never touches a shell and is passed directly to the executed command as a list of strings. No sanitation necessary (as far as shell command injection is concerned).

The injected commands are run with the same privileges as the rust binary, correct? So for a hacker to gain anything from this vulnerability either there needs to be a rust binary that both runs with admin privileges and has this vulnerability or that the vulnerable rust program gets the command arguments from somewhere else that is controlled by the hacker. So only some rust programs that use the Command function in a specific way are vulnerable and not every Windows machine that runs any rust code as the article title and the CVE score make it seem.

@Yawhatnever

Ай бұрын

You don't need admin privileges to steal information. You could yoink the database password, dump the entire DB, or do any of a thousand other things. Attackers can be pretty creative.

PHP is shaking on its knees now.

I still don't understand how this is remotely triggerable? Does that assume something like a web app would accept user input and pass it to this function?

@wodxgod

Ай бұрын

yes

@Raaampage

Ай бұрын

Yes I don't really get a practical use of this either.

@Knirin

Ай бұрын

Almost every web app that controls a virtual machine, process, or piece of industrial hardware does exactly that.

@sas408

Ай бұрын

@@Knirin they use .bat files? On Linux?

@Knirin

Ай бұрын

@@sas408 shell scripts and bat files are the same concept. I was more referring to the number of things like cpanel and cockpit that directly call other executables with user input.

Hey man, probably you get this boring question all the time, but what is the vim colorscheme in this video, resembles solarized but it is not for sure. Btw, great content. Thanks in advance!

As I understand, the severity of this vulnerability is contingent on the existence of one or more applications written in Rust, who can take input from random users across the internet and use that input as an argument of Command with the implied assumption that sanitization is part of the contract of the function... if such applications exist and are widespread, then it is 10/10. Otherwise it's just purely theoretical.

Running a command and it has command injection 🤯🤯🤯 10/10 vulnurability.

By that CVE's argument, shouldn't what you showed in the beginning in C also be a 10/10 critical vulnerability? OMG, stdlib's system() function is BROKEN!!!!!!

@Comeyd

Ай бұрын

Indeed! that's what is ridiculous about it. It's a silly "proof of concept" of which there is no "solution" that can be implemented to "protect" Rust from this "exploit." The real issue is the "developer" trusted user input! Huge mistake!

@Jason9637

Ай бұрын

The first example is clearly unsanitized, however rust's std library said that arguments were passed directly to the program and so special chars didn't do anything. It was just recently updated to mention that Windows has weirdness with argument encoding that it can cause issues with unsafe input.

@Comeyd

Ай бұрын

@@Jason9637 The docs said it wasn't evaluated by a shell, they are passed directly to the "command" being invoked. You still need to be aware of what the "command" is actually doing though!

@arthurmoore9488

Ай бұрын

@@Comeyd The docs need something like "unless the command being invoked is a shell (duh)" and "the command being invoked for shell scripts is a shell (obviously)".

@peter9477

Ай бұрын

At this point, merely using C is basically a 10/10.

Hey man, been watching your videos for a long time now, wanted to give a constructive idea for your intro: These days you're starting with "Hi, my name is LowLevelLearning and " which I think is the right idea to draw in new viewers and grow the channel. I just think a different wording would make it even stronger in the direction of: "Hi, my name is , this is LowLevelLearning where we ." I find this more approachable personally and I feel this more clearly introduces you as a person as well as the reason why you're running this channel. It's your baby of course and your call, just wanted to share this thought since I had it a few times now when watching your videos! Cheers, thanks for always fun and informative content!

I'm pretty sure the xz backdoor also got a 10.0 score lol

This is actually a brilliant ploy by the Rust Foundation to usher in the Year of the Linux Desktop. More 10/10 Windows CVEs please

How is this even a bug in Rust? That's a Windows issue.