CVE-2024-24576 Detection: Hackers Exploit a Maximum Severity “BatBadBut” Rust Vulnerability to Target Windows Users

April 15, 2024 · 4 min read

A new maximum severity vulnerability has been discovered in the Rust standard library. It affects Windows users by enabling command injection whenever a Rust program executes a batch file (.bat or .cmd) with untrusted arguments. The flaw is tracked as CVE-2024-24576. With PoC code already publicly released, the likelihood of in-the-wild exploitation increases.

Detect CVE-2024-24576 Exploitation Attempts

Detection of vulnerability exploitation has remained among the top cybersecurity use cases for the last couple of years, as the number of newly disclosed flaws keeps growing. To help security professionals spot exploitation attempts in time and defend proactively, SOC Prime Platform aggregates 300K+ curated detection algorithms accompanied by advanced solutions for threat hunting and detection engineering. Our global rules feed for the latest attackers' TTPs provides detections for emerging threats under a 24-hour SLA, ensuring security experts are equipped to withstand intrusions in time.

To help cyber defenders spot the malicious activity associated with CVE-2024-24576 exploitation, Threat Detection Marketplace offers a curated Sigma rule by our keen Threat Bounty developer Emir Erdogan:

Highly Possible Exploitation Command Injection Attacks By Using Rust Vulnerability (CVE-2024-24576)

The rule above helps detect command injection attacks on Windows that abuse this Rust flaw, based on process_creation logs. The detection is compatible with 28+ SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework v14.1. Additionally, the Sigma rule is enriched with extensive threat intel and metadata to streamline threat investigation.

Eager to develop your detection engineering skills and contribute to collective cyber defense while earning money for your input? Become a member of SOC Prime's Threat Bounty Program to train your detection coding skills, advance your engineering career, and build your CV while enriching industry expertise and earning financial perks.

To boost threat hunting efficiency and secure organizational infrastructure, cyber defenders can dive into the entire detection stack aimed at vulnerability exploit detection. Hit the Explore Detections button below and drill down to the extensive collections of Sigma rules enriched with relevant metadata. Specifically, rules are accompanied by CTI links, ATT&CK references, triage recommendations, attack timelines, and more.

Explore Detections

CVE-2024-24576 Analysis

The Rust standard library's Command API (std::process::Command) can be used to run Windows batch files. A recent advisory from the Rust Security Response Working Group highlighted that the escaping the library applied to arguments in this case was not sufficient: on Windows, batch files are not executed directly but through cmd.exe, which parses its command line under rules different from those the library escaped for. An attacker who controls an argument can therefore break out of the intended quoting and run additional shell commands. The flaw is identified as CVE-2024-24576 and is rated at the maximum severity level (CVSS score 10.0); it applies specifically to invoking batch files with the .bat and .cmd extensions on Windows via the Command API.

CVE-2024-24576, dubbed BatBadBut, was discovered and reported by security researcher RyotaK to the CERT/CC. Notably, the flaw is not specific to Rust: any runtime that wraps the Windows CreateProcess function and adds its own escaping for command arguments is affected unless that escaping accounts for how cmd.exe parses the arguments of a batch process. The actual impact of CVE-2024-24576 depends on how the vulnerable language or module is implemented, so different implementations may be exploitable to different degrees.

The CVE affects all Rust versions prior to 1.77.2 on Windows, provided that the code or any of its dependencies executes batch files with untrusted arguments. The flaw does not affect other platforms or other uses of the Command API on Windows.

As CVE-2024-24576 mitigation, the vendor strongly recommends updating to Rust 1.77.2, whose standard library contains a patch for the flaw. Note that with the patch, Command returns an InvalidInput error when an argument cannot be safely escaped for a batch file, so callers should handle that error rather than assume the spawn always succeeds. If the application's runtime has no patch for this vulnerability, CERT/CC in the related advisory recommends implementing proper escaping and data neutralization of the arguments to prevent command execution, or not passing untrusted input to batch files at all.
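The escaping gap described above, shown as an added example that is not from the Rust advisory, the standard library source, or the published PoC: a small Rust model of MSVC-style quoting versus cmd.exe's quote handling, plus a conservative guard that rejects any argument cmd.exe could reinterpret instead of trying to escape it. The metacharacter list, the function names, and the reject-rather-than-escape policy are this example's own assumptions; the patched standard library's actual escaping differs. The meta_outside_quotes check implements just one cmd.exe rule (every double quote toggles quoting and backslash is not an escape) and is not a full cmd.exe parser.

```rust
// Added example; not the Rust std implementation and not the advisory's code.
use std::io;

/// Characters cmd.exe treats specially once they fall outside a quoted span,
/// plus line breaks and NUL. This reject-list is an assumption of the example
/// and is deliberately stricter than what a full escaper needs.
const CMD_META: &[char] = &['&', '|', '<', '>', '^', '%', '!', '"', '\r', '\n', '\0'];

/// Pre-fix style quoting: wrap in quotes and escape `"` as `\"`. This is
/// correct for ordinary .exe targets (MSVC argv rules) but wrong for cmd.exe,
/// which does not treat `\"` as an escaped quote.
pub fn naive_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    for c in arg.chars() {
        if c == '"' {
            out.push('\\');
        }
        out.push(c);
    }
    out.push('"');
    out
}

/// Conservative guard: refuse anything cmd.exe could reinterpret, otherwise
/// return the argument quoted. This mirrors the policy of failing with
/// InvalidInput instead of spawning, not the exact escaping of Rust 1.77.2.
pub fn bat_arg(arg: &str) -> io::Result<String> {
    if let Some(c) = arg.chars().find(|c| CMD_META.contains(c)) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("batch file argument contains cmd.exe metacharacter {:?}", c),
        ));
    }
    // A trailing backslash would merge with the closing quote under MSVC
    // rules once the script forwards %1 to an .exe, so reject it as well.
    if arg.ends_with('\\') {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "batch file argument ends with a backslash",
        ));
    }
    Ok(format!("\"{}\"", arg))
}

/// Build the full `"script.bat" arg ...` line a wrapper would hand to
/// CreateProcess; fails if any argument is rejected by `bat_arg`.
pub fn build_bat_command_line(script: &str, args: &[&str]) -> io::Result<String> {
    let mut line = format!("\"{}\"", script);
    for a in args {
        line.push(' ');
        line.push_str(&bat_arg(a)?);
    }
    Ok(line)
}

/// Count command-separating metacharacters that sit outside `"..."` spans,
/// applying cmd.exe's rule that every `"` toggles quoting and `\` is not an
/// escape. Anything counted here would be interpreted by cmd.exe, not passed
/// to the batch file as data.
pub fn meta_outside_quotes(cmdline: &str) -> usize {
    let mut in_quotes = false;
    let mut n = 0;
    for c in cmdline.chars() {
        if c == '"' {
            in_quotes = !in_quotes;
            continue;
        }
        if !in_quotes && "&|<>".contains(c) {
            n += 1;
        }
    }
    n
}

fn main() {
    // Constructed attacker-controlled argument for illustration.
    let untrusted = r#"a" & calc.exe & "b"#;
    let naive = naive_quote(untrusted);
    println!(
        "naive quoting: {}  (metacharacters outside quotes: {})",
        naive,
        meta_outside_quotes(&naive)
    );
    match build_bat_command_line("test.bat", &[untrusted]) {
        Ok(line) => println!("would run: {}", line),
        Err(e) => println!("rejected: {}", e),
    }
    match build_bat_command_line("test.bat", &["hello world", "C:\\path"]) {
        Ok(line) => println!("would run: {}", line),
        Err(e) => println!("rejected: {}", e),
    }
}
```

With the constructed input, naive quoting yields `"a\" & calc.exe & \"b"`: cmd.exe closes the quote at the `\"`, leaving both `&` separators unquoted, which is exactly the break-out the advisory describes. The guard rejects that argument up front and only emits quoted lines for inputs with no cmd.exe metacharacters.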

With PoC code publicly available on GitHub, the risk of this Rust vulnerability being exploited in the wild is rising, which calls for a fast response from defenders. Sign up for SOC Prime Platform to continuously stay updated on critical CVEs and the emerging threats most challenging your business while elevating your defenses at scale.
