Windows Command Escape Vulnerability - Critical CVE ... or is it?

mCoding

Critical! ... or is it?

CVE-2024-24576 is a freshly reported 10/10 critical CVE affecting Rust, Python, and many other programming languages on Windows that, if exploited, can allow a malicious user to execute arbitrary code as the current user. The 10/10 rating is the worst severity that can be given to a CVE. However, of 9 affected programming languages, 5 have chosen to either not fix the CVE or fix it only by updating their documentation. Let's take a look at this vulnerability, which appears to take advantage of programming languages improperly escaping arguments while creating subprocesses, understand how it's performed, and see why so many languages are choosing not to fix it.

― mCoding with James Murphy (https://mcoding.io)

Source code: https://github.com/mCodingLLC/VideosS...
Python discussion: https://discuss.python.org/t/ispytho...
NIST CVE details: https://nvd.nist.gov/vuln/detail/CVE...
Rust advisory: https://blog.rust-lang.org/2024/04/09...
Subprocess docs: https://docs.python.org/3/library/sub...
Subprocess source: https://github.com/python/cpython/blo...
CreateProcessW docs: https://learn.microsoft.com/en-us/win...
Security researcher blog post: https://flatt.tech/research/posts/bat...

CHAPTERS

0:00 Intro
1:43 How it happens
3:21 Subprocesses and shell=True
5:24 The CVE doesn't use shell=True
6:23 Diving into the subprocess module
7:31 The meaning of running a batch file
8:42 A compromise fix

posted by r3min1scewj