this post was submitted on 09 Apr 2024

Pulse of Truth

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. [...]

[–] SteveTech@programming.dev 3 points 1 year ago (1 children)

I'm not sure why everyone's focusing in on Rust, this seems like a general Windows issue to me, thus affecting most major languages.

Original Report: BatBadBut: You can't securely execute commands on Windows

[–] PlexSheep 2 points 1 year ago* (last edited 1 year ago)

Yeah it seems weirdly specific. Also, if you pass user input to command args directly, you are asking for trouble.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected."

According to the article the following other langs are affected:

  • Erlang (documentation update)
  • Go (documentation update)
  • Haskell (patch available)
  • Java (won’t fix)
  • Node.js (patch will be available)
  • PHP (patch will be available)
  • Python (documentation update)
  • Ruby (documentation update)

Seems like most languages don't even treat this as a real security vulnerability?
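The defence the thread keeps coming back to is "don't hand untrusted arguments to a batch file at all". The gate below is an added example in Rust, not code from the thread, the Rust project or the BatBadBut report: it classifies the program by extension and, for `.bat`/`.cmd` targets, admits only arguments from a deliberately small allowlist, so the exact set of characters cmd.exe treats specially never has to be enumerated. The allowlist, the type and function names are this example's own assumptions.

```rust
// Added example: a pre-spawn policy check that is independent of which
// runtime (Rust std, Python, Node, ...) eventually calls CreateProcess.
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum SpawnPolicy {
    /// Not a batch file: ordinary argument quoting applies, nothing to do here.
    Passthrough,
    /// Batch file, and every argument is within the conservative allowlist.
    BatchAllowed,
    /// Batch file with an argument outside the allowlist: refuse to spawn.
    BatchRejected { index: usize },
}

/// Does `program` name a .bat or .cmd file? Windows matches extensions
/// case-insensitively, so "run.CMD" must count as well.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative allowlist (an assumption of this example, not a specification):
/// ASCII letters and digits plus '_' '-' '.' ':' '\' '/' for simple paths.
/// Quotes, '%', '!', '^', '&', '|', '<', '>', parentheses, whitespace and
/// control characters all fall outside it and are therefore rejected.
pub fn arg_is_plain(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '.' | ':' | '\\' | '/')
        })
}

/// Decide whether `program` may be spawned with `args`.
pub fn check_spawn(program: &str, args: &[&str]) -> SpawnPolicy {
    if !is_batch_file(program) {
        return SpawnPolicy::Passthrough;
    }
    match args.iter().position(|a| !arg_is_plain(a)) {
        None => SpawnPolicy::BatchAllowed,
        Some(index) => SpawnPolicy::BatchRejected { index },
    }
}

fn main() {
    // Constructed inputs; the last argument carries cmd.exe syntax.
    println!("{:?}", check_spawn("tool.exe", &["a&b"]));
    println!("{:?}", check_spawn("build.BAT", &["release", "x64"]));
    println!("{:?}", check_spawn("build.bat", &["release", "\"a\" & b"]));
}
```

Callers that get `BatchRejected` should fail closed and log the index of the offending argument rather than try to repair it; for anything other than a batch file the check deliberately stays out of the way.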