Remote Code Execution (RCE) allows attackers to execute malicious code on systems and devices, regardless of their location. Here’s what you need to know about this attack, how it works, and how to prevent it.
Also known as remote code evaluation, RCE is part of the broader group of arbitrary code execution (ACE) attacks. It is a way to remotely inject and execute code in a target machine or system using the internet, local (LAN), or wide area networks (WAN). This code can gain access to a web server or application, completely control or compromise it, open backdoors, seize, modify or destroy data, install ransomware, etc.
This attack exploits the possibility of executable code being injected into a string or file and executed or evaluated. This can be due to user input not being validated and allowed to pass through the parser of the programming language – a situation often not intended by developers. Injected code is usually in the programming language of the targeted application. Such languages may include PHP, Java, Python, Ruby, etc.
Depending on the flaw that attackers exploit, they will typically acquire those privileges granted by the process they are targeting upon executing the code. For example, if attackers inject code as a user, they will seize user privileges.
For this reason, RCE is frequently followed by attempts to escalate privileges and gain control on an administrative or root level. Unfortunately, such elevated privilege also allows attackers to hide the attack more skillfully. Yet even without more extraordinary privilege, the remote code execution vulnerability has the potential to cause serious harm.
Some other types of remote code execution include CVE-2021-21972.
Impact of the RCE attack
The impact of a remote code execution attack can vary between simply gaining access to an application and entirely taking it over. Some of the main types of results of an RCE attack include:
- Access to an application or server: initially, attackers have access to functions in the vulnerable application due to a vulnerability. They can use this to inject and run the underlying web server commands.
- Privilege escalation: gaining access to the webserver and executing commands means that attackers may be able to achieve greater privileges and control over the server. This is particularly dangerous if internal vulnerabilities on the server level are present.
- Access to data: using an RCE vulnerability, attackers can gain access to and steal data stored on the server.
- Denial of service: attackers can disrupt and crash the whole service and other services hosted on the server by executing specific commands.
- Ransomware and cryptomining: installing various types of malware is also a possibility if code can be executed on the server. Such malware could be crypto mining or cryptojacking software that uses the server’s resources to mine cryptocurrency. The remote code execution vulnerability also opens the door to ransomware and having the whole server taken over and held hostage.
These are only some of the possible impacts of an RCE attack. Depending on the case’s specifics and the presence of other vulnerabilities, hostile parties may be able to inflict further damage, making this attack highly dangerous.
How does remote code execution work
There are different ways of performing a remote code execution because it can target different layers of a server.
A common way of executing an RCE is through injecting code and gaining control over the instruction pointer. This allows an attacker to point toward executing the following instruction/process. Code can be injected in different ways and places, but attackers must “point” toward the injected code to be executed once this is the case. The code itself may be in the form of a command, a script, or something else.
The above, in essence, is how an RCE attack is performed. The type of attack, its attack vector, and how precisely it is executed may differ. For the most common RCE attack types, see below!
Remote code execution attack types
These are the most common remote code execution attacks and their basic scenarios.
This type of vulnerability is when an object, resource, or variable is allocated using one type but is then accessed using another different from the initial one. This results in a bug and logical errors due to the mismatch in the type and properties of the accessed resource.
Attackers exploit this vulnerability by including code in an object allocated with one pointer but read with another. The result is that the second pointer triggers the injected code.
For example, an SQL injection can be due to type confusion in some cases.
Тo transfer pieces of data over a network, it is serialized – i.e., converted into binary. Then, it is deserialized and converted back into an object to be used at its destination.
By formatting user input in a particular way, attackers can create an object turned into executable dynamic code once it is deserialized.
Buffer overflow and buffer over-read
Buffer overflow is also known as out-of-bounds write and buffer overrun. Together with buffer over-read, it refers to memory safety vulnerabilities related to the memory partition known as a buffer. The purpose of a buffer is to temporarily store data while it is moved from one place to another.
An application frequently uses buffer memory for data storage, including user-provided data. With buffer overflow, an attacker will rely on flawed memory allocation due to, for example, the lack of bounds-checking measures. This can result in data being written outside the buffer’s bounds and overwriting memory in adjacent buffer partitions.
Such overwriting can damage or destroy important data, cause a crash, or lead to an RCE triggered through the use of an instruction pointer security vulnerability. This can be tied to the buffer over-read scenario in which the reading of data goes beyond a buffer’s boundaries and into memory stored in adjacent partitions.
RCE attack examples
Some of the most significant and most dangerous vulnerabilities and the attacks they have enabled have involved using RCE.
Log4J RCE vulnerability
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in Log4j, a popular Java logging framework estimated to affect millions of devices worldwide. It has been called “the single biggest, most critical vulnerability ever.” While it existed since 2013, it became known in November 2021 and was publicly disclosed in December of that year.
The vulnerability allows users to execute arbitrary Java code on servers, opening the door for crypto mining, creating botnets, and injecting ransomware.
WannaCry is a ransomware cryptoworm attack that used an RCE exploit called EternalBlue, which, in turn, allowed it to deploy the DoublePulsar tool to install and execute itself. The attack targeted Microsoft Windows systems. After installation, the worm encrypts data, and attackers demand ransom.
EternalBlue targeted a security vulnerability in Microsoft’s Server Message Block (SMB) protocol. This vulnerability allowed attackers to inject and remotely execute code.
These are only two of the most famous RCE vulnerabilities and their enabled attacks. The Common Vulnerabilities and Exposures (CVE) system regularly lists new entries of vulnerabilities that carry the potential for an RCE attack.
How to detect and prevent remote code execution
RCE attacks constitute a severe threat because they can involve a host of approaches and exploit many different vulnerabilities. Moreover, new vulnerabilities constantly appear, making it challenging to prepare thoroughly. However, there are several measures that you can take to both detect and prevent RCE attacks.
Regular security updates
Organizations frequently fail to act on the latest threat intelligence and apply patches and updates on time. Attackers will, therefore, usually attempt to target old vulnerabilities as well. Implementing security updates to your system and software as soon as they are made available is highly effective in deterring many attackers.
Monitor network traffic and endpoints to spot suspicious content and block exploitation attempts. This can be done by implementing some form of network security solution or threat detection software.
Input sanitization and access control
Adopt a zero-trust approach and always sanitize user input before using it. A thorough process of sanitization includes whitelists, blacklists, and escape sanitization. This will help filter out many code injection and deserialization attempts. In addition, network segmentation can help limit the impact of any code that does get through.
Also, if possible, avoid using code evaluation functions and do not allow users to edit any content that has been parsed.
Implement buffer overflow protection and other forms of memory management to avoid giving rise to vulnerabilities that are easy to exploit. Such protection will, for example, terminate the execution of a program when a buffer overflows, effectively disabling the possibility for malicious code to be executed. Bounds checking and tagging are other protection techniques that can be implemented to stop buffer overflow.
What is a remote code execution attack?
An RCE attack consists of injecting and executing malicious code in a system through the use of a vulnerability on some level of the system. This allows attackers to perform commands in the system, steal, damage, encrypt data, and more.
How dangerous is an RCE attack?
The impact of an RCE attack can be significant, depending on the vulnerability it has exploited. At a minimum, successful remote code execution will grant access to a system and its data. At a maximum, it can lead to a complete system compromise and takeover.