Remote Code Execution (RCE) Attack: Definition, Examples, and Protection
Risk Factors
Likelihood
Complexity
Business Impact
What Is Remote Code Execution?
Remote code execution (RCE), also known as code injection or remote code evaluation, is a technique to exploit an application's input validation flaws to execute malicious code over a network. Specifically, it is an arbitrary code execution (ACE) attack done remotely.
RCE vulnerabilities occur when an application fails to validate and sanitize user input or dynamic evaluation calls. Without strict input validation, an interpreter cannot differentiate valid inputs from malicious commands, leading it to execute all commands within the code.
This injection of code is what separates RCE from command injection vulnerabilities, where a threat actor executes arbitrary commands on the host operating system instead of the application.
RCE is often found at the end of a long chain of exploits such as server-side request forgery and obfuscation. It is the end game, the final step in a wide range of attacks, from ransomware to crypto mining to data theft. As such, many RCE vulnerabilities are rated by the National Institute of Standards and Technology (NIST) as high or critical threats due to their severe impact on an application's integrity, confidentiality, and availability.
Indeed, some of the most widespread and damaging threats in the last decade exploit RCE at their core—Log4Shell, WannaCry, Tesla Crypt—just to name a few. And of the 15 most routinely exploited vulnerabilities rated by the Cybersecurity & Infrastructure Security Agency (CISA) in 2021, nine out of 15 are RCEs.
Examples of Remote Code Execution
Buffer overflow
A threat actor could overflow a memory buffer using a simple string-copying or print function, which works because the function didn't check the buffer length before executing it. The attacker then overwrites the return address and points it to a shellcode in the buffer, causing the shellcode to be executed in place of the regular program. The attacker gains a command shell running as root, effectively taking over the system.
Deserialization (format string attack)
Many applications have formatting functions that transform user input from one form to another. A threat actor could exploit this behavior by adding special characters (e.g., %x, %%) into the input string to append malicious code. The code is executed without issue because the app does not validate the user input. Now, the threat actor is in and can wreak havoc on the target network.
SQL injection
Many websites retrieve content dynamically from databases using URL query strings. On a particularly vulnerable e-commerce site with a SQL database, a threat actor could craft a query with the right requests (e.g., SELECT, UNION) to fetch sensitive information such as admin usernames and passwords from the database. Inside the admin panel, the attacker could upload a PHP script through the profile picture upload function to eventually gain a command shell.
Protection Against Remote Code Execution
Three key actions can significantly reduce your exposure to RCE attacks.
First, sanitize and validate inputs. Start with a comprehensive scan of your application using a static code checking tool to uncover vulnerabilities, then implement safeguards around user input like whitelisting expected values and escaping special symbols. Disallow dynamic evaluation constructs altogether and use one of the many safe alternatives to reading strings as code (e.g., call function, call static method, call instance method of object).
Second, establish a patch management process. Because many RCE attacks stem from zero-day vulnerabilities, patching may be the most effective and fastest way to nullify an RCE threat. For example, a fast-evolving vulnerability such as Log4Shell required at least four patches from multiple vendors within a month as new vulnerabilities were discovered. In this environment, a standardized, automated process for keeping your systems up to date will go a long way in keeping your organization safe.
Finally, use a network detection and response solution to monitor both east-west and north-south traffic. Having this last line of defense will allow you to detect and mitigate zero-day RCE vulnerabilities and any malicious behavior within your network such as unexpected user logins, database enumeration, network scanning, and more.
History of Remote Code Execution
Remote code execution is one of the oldest and most popular vectors for malware to propagate and remains one of the most dangerous vulnerabilities on the threat landscape today.
It's been on the CWE/SANS Top 25 Most Dangerous Programming Errors list since its inception in 2009, coming in at number 25 in 2022. RCE attacks also rank highly on the OWASP Top 10, which is an annual list of web application threats compiled by the Open Web Application Security Project (OWASP). It was third on the list in 2021.
Though it may not be easy to discover an RCE vulnerability, they can spread with incredible speed due to the relatively low level of skill required to exploit them. The Log4Shell vulnerability found in December 2021 is a good reminder of just how damaging RCE can be.