Remote Code Execution (RCE)

Remote code execution is a cyber-attack whereby an attacker can remotely execute commands on someone else’s computing device. Remote code executions (RCEs) usually occur due to malicious malware downloaded by the host and can happen regardless of the device’s geographic location. Remote Code Execution (RCE) is also referred to as Remote Code Evaluation. 

A remote control execution is a broad category of cyber attack technique. It allows a threat actor to execute this remote code on a target machine across the internet, wide area network (WAN), or local area network (LAN). For example, a threat actor in Ukraine could silently place malicious code on a targeted device in the United States. Additionally, RCE enables a threat actor to control a computer or server by executing malicious software. RCE can, of course, lead to the complete takeover of a targeted vulnerable application. 

Execution of an RCE attack sequence is pretty basic. First, the threat actor scans computers across the internet seeking known vulnerabilities that may support a successful attack. Once a targeted vulnerability is identified, the threat actor then performs the exploit to gain access. Now that they are in, they can execute the malicious code to reach their goals, including exfiltrating data, diverting funds, performing detailed surveillance, and disrupting service. 

Code is often injected using the language of the targeted application. The server-side interpreter then executes it for that language. Languages typically include Python, Java, Perl, Ruby, and PHP.  Applications that directly evaluate unvalidated input are usually vulnerable to code injection. It is the case that public web applications are a prime target for threat actors.

The execution of the malicious code is usually accomplished by using terminal commands or perhaps bash scripts. A bash script is a text file that contains commands that would typically be used on a command line. Bash scripts allow the included commands to behave as they would normally. They are generally appended with a “.sh,” but this is not required. Once a bash script is packaged up, the threat actor then loads the code into a vulnerable application that, in turn, executes it. Alternatively, the application may make a call to the kernel to get it executed.

WannaCry Remote Control Execution attack

There are some very well-known examples of remote control execution attacks. WannaCry is perhaps the most famous of recent vintage. Back in 2017, it became known that the WannaCry ransomware infected many thousands of computers worldwide. WannaCry utilized RCE to great advantage. Initially, a threat actor would identify SMB ports that could be compromised and use one of several spying tools allegedly attributed to the National Security Agency (NSA). 

One particular tool, “EternalBlue,” was able to, in turn, detect a vulnerability in Microsoft’s SMB protocol. The SMB protocol enables applications and their users to access files on remote servers and other resources. EternalBlue was named MS17-010 by Microsoft. However, EternalBlue only impacts Windows operating systems or anything that uses the SMB version 1 file-sharing protocol. 

Once the threat actor had successfully identified the SMB vulnerability, they would, in turn, use another allegedly NSA tool called DoublePulsar. DoublePulsar is allegedly an NSA hacking tool leaked online by The Shadow Brokers threat actors in 2017. DoublePulsar could be used to install the WannaCry ransomware on the targeted compromised machines. 

Before all was said and done, EternalBlue and DoublePulsar had enabled the compromise of approximately 150,000 computers and servers. Once a server was infected, it could, in turn, infect all of the client machines to which it connected.

Preventing RCE attacks

RCE attacks are challenging to prevent because the chain of execution to effect entry can vary widely. The key to minimizing the number of vulnerabilities in your environment is to move quickly to patch and update all of your software. Unfortunately, most attackers take a list of the most recently known vulnerabilities and happily exploit them, knowing full well that most organizations have not implemented the necessary updates and mitigation patches. Alternately, threat actors successfully leverage old vulnerabilities, which may be unpatched, even years later. 

Many best practices are well known today. Network traffic should be monitored for potentially malicious content in addition to monitoring endpoints. Web application firewalls (WAF) are particularly effective at providing this defense. However, WAF analysis may miss malicious threats and generate false-positive results. Threat detection software can also be essential in preventing RCE. Products like Snort can scan incoming traffic and detect suspicious behavior and intrusion attempts. Snort can also block a suspicious host upon detection. Snort is generally deployed in three ways: as a packet sniffer like tcpdump, as a packet logger often recommended for network traffic debugging, or as a full-featured network intrusion prevention system. Penetration testing focusing on detecting potential RCE attack vectors is also an essential and highly effective way to minimize RCE-based threats.

RCE attacks can also be prevented by implementing buffer overflow protection. Buffer overflow includes software in your servers that detect buffer overflows not to present readily accessible vulnerabilities. Buffer overflow changes data organization in the stack frame of a function call to include a “canary value.” When a stack buffer overflow destroys the canary value, it indicates that a buffer preceding it has been overflowed. This event enables the impacted program to be terminated so that a threat actor’s malicious code does not compromise it. 

Access control lists are also important to limit user permissions and, in turn, restrict the capabilities of a threat actor if they take over one of these user accounts.

Finally, user input must be sanitized. Consider the mantra of zero trust – any user input can contribute to an RCE attack and must be completely untrusted. Input sanitization involves the cleansing and scrubbing of user input to prevent it from exploiting security holes. Input sanitization provides validating, “cleaning,” and filtering data inputs from users, APIs, and web services. There are roughly three types of sanitizing processes used today. They include whitelisting (allow lists), blacklisting (disallow lists), and escape sanitizing. Allowlists only allow valid characters and code strings. Disallow lists help cleanse the input by eliminating characters that may be dangerous such as extra white spaces, tabs, tags, and line breaks. Escape sanitizing eliminates invalid data requests and strips out inputs such that they are not interpreted as code. 

We have a t-shirt that explains this remote code execution phenomenon quite succinctly.

How to prevent RCE? Try learning about Bugcrowd’s security platform:

What’s a Vulnerability Disclosure Program?

Why Every Company Should Have a Vulnerability Disclosure Program.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.