Arbitrary Code Execution
In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).


Vulnerability types

There are a number of classes of vulnerability that can lead to an attacker's ability to execute arbitrary commands or code. For example:

* Memory safety vulnerabilities such as buffer overflows or over-reads
* Deserialization vulnerabilities
* Type confusion vulnerabilities
* GNU LDD arbitrary code execution


Methods

Arbitrary code execution is commonly achieved through control over the instruction pointer (such as a jump or a branch) of a running process. The instruction pointer points to the next instruction in the process that will be executed. Control over the value of the instruction pointer therefore gives control over which instruction is executed next. In order to execute arbitrary code, many exploits inject code into the process (for example by sending input to it which gets stored in an input buffer in RAM) and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed. This type of attack exploits the fact that most computers (which use a von Neumann architecture) do not make a general distinction between code and data, so that malicious code can be camouflaged as harmless input data. Many newer CPUs have mechanisms to make this harder, such as a no-execute bit.
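As an added illustration, not part of the original article, of the memory-safety class listed under Vulnerability types and of the instruction-pointer mechanism described above, the C program below places an unbounded strcpy into a fixed-size stack buffer beside a bounded, length-checked replacement. The function names greet_unsafe, greet_safe and demo_safe, the 16-byte buffer size and the sample inputs are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size buffer; hypothetical sizing for the example */

/* Vulnerable pattern: strcpy copies until the input's NUL byte, with no
 * regard for the 16-byte destination. Input of 16 bytes or more runs past
 * `name` into adjacent stack memory, which on typical targets includes the
 * saved return address, i.e. the next value loaded into the instruction
 * pointer when this function returns. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check */
    printf("hello, %s\n", name);
}

/* Hardened version: measure the input only up to the destination size,
 * refuse anything that would not fit together with its terminator, copy
 * the bounded length and terminate explicitly.
 * Returns 0 on success, -1 if the input was rejected. */
int greet_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && input[n] != '\0')
        n++;                        /* bounded scan: never reads past out_len */
    if (n >= out_len)
        return -1;                  /* would overflow: refuse it */
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper so the accept/reject decision can be checked
 * without the caller managing a buffer. */
int demo_safe(const char *input)
{
    char buf[NAME_LEN];
    return greet_safe(input, buf, sizeof buf);
}

int main(void)
{
    char buf[NAME_LEN];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok = "alice";
    const char *too_long = "this string is far longer than sixteen bytes";

    greet_unsafe(ok);               /* in-bounds input behaves normally */
    /* greet_unsafe(too_long) would corrupt the stack; it is deliberately not called. */

    if (greet_safe(ok, buf, sizeof buf) == 0)
        printf("hello, %s\n", buf);
    if (greet_safe(too_long, buf, sizeof buf) != 0)
        printf("rejected: input does not fit in %d bytes\n", NAME_LEN);
    return 0;
}
```

The defect in greet_unsafe is the missing bound, not anything about the input itself; stack protectors, a no-execute stack and address-space randomization only make a resulting overrun harder to turn into control of the instruction pointer, while the explicit length check in greet_safe removes the overrun. Compiler warnings and static analyzers that flag unbounded string copies are the cheapest place to catch this pattern.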


Combining with privilege escalation

On its own, an arbitrary code execution exploit will give the attacker the same privileges as the target process that is vulnerable. For example, if exploiting a flaw in a web browser, an attacker could act as the user, performing actions such as modifying personal computer files or accessing banking information, but would not be able to perform system-level actions (unless the user in question also had that access). To work around this, once an attacker can execute arbitrary code on a target, there is often an attempt at a privilege escalation exploit in order to gain additional control. This may involve the kernel itself or an account such as Administrator, SYSTEM, or root. With or without this enhanced control, exploits have the potential to do severe damage or turn the computer into a zombie, but privilege escalation helps with hiding the attack from the legitimate administrator of the system.


Examples

Retrogaming hobbyists have managed to find vulnerabilities in classic video games that allow them to execute arbitrary code, usually using a precise sequence of button inputs in a tool-assisted superplay to cause a buffer overflow, allowing them to write to protected memory. At Awesome Games Done Quick 2014, a group of speedrunning enthusiasts managed to code and run versions of the games ''Pong'' and ''Snake'' in a copy of ''Super Mario World'' by utilizing a buffer overflow to write arbitrary code to memory. On June 12, 2018, security researcher Jean-Yves Avenard of Mozilla discovered an ACE vulnerability in Windows 10. On May 1, 2018, a security researcher discovered an ACE vulnerability in the 7-Zip file archiver. PHP has been the subject of numerous ACE vulnerabilities. On December 9, 2021, an RCE vulnerability called "Log4Shell" was discovered in the popular logging framework Log4j, affecting many services including iCloud, ''Minecraft: Java Edition'' and Steam, and characterized as "the single biggest, most critical vulnerability of the last decade".


See also

* BlueKeep (security vulnerability)
* Follina (security vulnerability)

