Windows Command Escape Vulnerability - Critical CVE ... or is it?
mCoding

Published on Apr 19, 2024

Critical! ... or is it?

CVE-2024-24576 is a freshly reported 10/10 critical CVE affecting Rust, Python, and many other programming languages on Windows that, if exploited, can allow a malicious user to execute arbitrary code as the current user. The 10/10 rating is the worst severity that can be given to a CVE. However, of 9 affected programming languages, 5 have chosen to either not fix the CVE or fix it only by updating their documentation. Let's take a look at this vulnerability, which appears to take advantage of programming languages improperly escaping arguments while creating sub-processes, understand how it's performed, and see why so many languages are choosing not to fix it.

― mCoding with James Murphy (https://mcoding.io)

Source code: https://github.com/mCodingLLC/VideosS...
Python discussion: https://discuss.python.org/t/is-pytho...
NIST CVE details: https://nvd.nist.gov/vuln/detail/CVE-...
Rust advisory: https://blog.rust-lang.org/2024/04/09...
Subprocess docs: https://docs.python.org/3/library/sub...
Subprocess source: https://github.com/python/cpython/blo...
CreateProcessW docs: https://learn.microsoft.com/en-us/win...
Security researcher blog post: https://flatt.tech/research/posts/bat...

CHAPTERS
---------------------------------------------------
0:00 Intro
1:43 How it happens
3:21 Subprocesses and shell=True
5:24 The CVE doesn't use shell=True
6:23 Diving into the subprocess module
7:31 The meaning of running a batch file
8:42 A compromise fix
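
An added example, not taken from the video or its source repository: one conservative way for calling code to guard against the batch-file argument problem summarized in the description is to refuse, rather than try to escape, any argument outside a narrow allowlist when the target is a `.bat` or `.cmd` file. The function names and the allowlist are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumption: a deliberately narrow allowlist (letters, digits, _ . / \ : -).
# Anything else is refused instead of escaped, because batch files are run
# through cmd.exe, which re-parses the command line with its own rules.
_SAFE_ARG = re.compile(r"[A-Za-z0-9_./\\:-]+")
_BATCH_EXTS = (".bat", ".cmd")


def is_batch_target(program):
    """True if the program path names a batch file (.bat or .cmd)."""
    # Win32 path normalization drops trailing dots and spaces,
    # so "x.bat. " still names x.bat; the extension is case-insensitive.
    return program.rstrip(". ").lower().endswith(_BATCH_EXTS)


def unsafe_batch_args(argv):
    """Return the arguments outside the allowlist when argv[0] is a batch file.

    Non-batch targets are out of scope for this check and return [].
    """
    if not argv or not is_batch_target(argv[0]):
        return []
    return [arg for arg in argv[1:] if not _SAFE_ARG.fullmatch(arg)]


def run_checked(argv, **kwargs):
    """subprocess.run without a shell, refusing risky batch-file arguments."""
    rejected = unsafe_batch_args(argv)
    if rejected:
        raise ValueError(f"refusing to pass {rejected!r} to batch file {argv[0]!r}")
    return subprocess.run(argv, shell=False, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs: one clean call and one that is refused.
    print(unsafe_batch_args(["deploy.bat", "prod", "v1.2"]))
    print(unsafe_batch_args(["deploy.bat", "100%", "two words"]))
```

Arguments that legitimately need spaces or other characters are better passed to the batch file through a file or an environment variable the script reads, so they never cross the cmd.exe command line.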
