Remote Code Execution (RCE) Explained in Detail

Attackers use remote code execution as a way to gain unauthorized access, perform data breaches, disrupt services, and deploy malware. Let’s dive deep into remote code execution and its prevention techniques.

What is Remote Code Execution?

Remote Code Execution (RCE) is a method that allows threat actors and attackers to gain unauthorized access to devices and launch attacks from a remote location. With RCE, hackers can infiltrate their target's systems without needing physical access to the networks or devices.

RCE vulnerabilities fall under arbitrary code execution (ACE), which encompasses a range of vulnerabilities enabling attackers to execute unauthorized code and take control of targeted systems.

How does remote code execution work?

Here’s how RCE attacks work, step by step:

1. Vulnerability identification. The attacker looks for security vulnerabilities in the target system, such as flaws in the application code, misconfigurations, or outdated software versions.
2. Exploitation. Once a vulnerability is identified, the attacker crafts a payload to exploit the vulnerability and executes the payload code on the target system.
3. Delivery. The attacker delivers the payload to the target system by sending a malicious email attachment, tricking a user into visiting a compromised website or exploiting network services.
4. Code execution. When the target system processes the payload, the vulnerability is triggered, and the attacker's code is executed. This allows the attacker to steal sensitive data, modify or delete files, install backdoors for persistent access (APTs), or launch further attacks.

Examples of RCE attacks

WannaCry. In 2017, WannaCry spread autonomously, encrypting files and demanding ransom. Many systems affected by WannaCry hadn't been properly updated. In early 2021, many companies were affected by WannaCry because the attack quickly spread to other computers on a network.

Log4J. Log4J is used to keep a record of things that happen on a computer system, like errors or routine operations. It helps system administrators know what's going on. In December 2021, Log4J's feature allowing code injection into log messages was exploited by hackers to remotely control computers.

Types of RCE attacks

Let’s now look at the 3 types of remote code execution attacks.

Injection-based attacks

Attackers inject malicious code or commands into a target system through:

• SQL injection
• OS command injection
• Remote file inclusion

Deserialization attacks

Exploit vulnerabilities in the deserialization process of an application. Attackers manipulate serialized data to execute malicious code during deserialization.

Out-of-bounds write

This occurs when an attacker writes data beyond the boundaries of a memory buffer or data structure. It allows them to modify critical data, control program flow, and execute arbitrary code.

(Learn how to detect RCEs with the Splunk Threat Research Team.)

RCE threats & the impact on your organization

RCE vulnerabilities can have significant impacts on organizations, ranging from financial losses to reputational damage and compromised data security. Here are some key impacts:

Unauthorized access

Attackers execute arbitrary code on a remote system and gain unauthorized access to the target organization's network, servers, or applications. Once they get access, they can:

• Fetch or manipulate valuable data.
• Expose sensitive customer data, intellectual property, or financial records.

Data breaches

RCE vulnerabilities result in data breaches where sensitive information is accessed, stolen, or tampered with. Depending on the compromised data, organizations can face:

• Legal repercussions
• Financial penalties
• Loss of customer and industry trust

Service disruption

Attackers disrupt critical services or applications by executing malicious code to crash systems, causing downtime and interruptions in business operations. This leads to:

• Financial losses
• Productivity issues
• Customer dissatisfaction

(Downtime costs a lot. Find out how much.)

Denial of Service (DoS) attacks

Attackers can misuse RCE to launch a denial-of-service attack, rendering the system unresponsive and resulting in:

• Disrupted online services or websites
• Inconvenience and financial losses
• Reputational damage

Cryptomining

Attackers can deploy malicious code on the compromised system to run cryptomining software without the owner's consent, leading to:

• Increased power consumption
• Slowed system performance
• Higher operational costs
• Potential hardware damage

Ransomware

Ransomware encrypts files on a targeted system and demands a ransom for their decryption. Attackers gain control through RCE, initiate the ransomware attack, and ask for a ransom payment.

Last year, Splunk security research team SURGe wanted to know the answer to: “How long do you have before ransomware encrypts your systems?” The answer: faster than you think. Read the blog or the full research.

Widespread RCE vulnerabilities

Now let’s look at some CVEs that relied on remote code execution. The Common Vulnerabilities and Exposures (CVE) is a publicly available listing of frequently occurring vulnerabilities and exposures.

CVE-2021-44228 (Log4Shell or Log4j)

CVE-2021-44228 allows RCE attacks when the library is used with a certain configuration. Exploited by sending a crafted log message to a vulnerable server. Update to the latest patched version (2.15.0 or later).

(See Splunk’s response to Log4j.)

CVE-2021-1844

Discovered in the Windows Win32k component. It is an elevation of privilege vulnerability that could be exploited to execute arbitrary code in kernel mode. Ensure Windows systems are updated with the latest patches.

CVE-2020-17051

Affects Windows Hyper-V, a virtualization feature in Microsoft Windows. Allows an authenticated attacker to execute arbitrary code on the host operating system. Ensure Windows systems are updated with the latest patches.

CVE-2019-8942

Found in WordPress, a popular content management system. It affects the Easy WP SMTP plugin, allowing unauthenticated attackers to execute arbitrary code by injecting malicious PHP code.

(Learn more about these vulnerabilities.)

Detecting & mitigating RCE attacks

To mitigate RCE attacks, implement the following techniques:

• Input Validation and Sanitization: Ensure user-supplied data is validated and sanitized before processing.
• Secure configuration: Disable unnecessary features and services. Keep software libraries, frameworks, and platforms updated.
• Runtime Application Self-Protection (RASP): Use RASP tools to monitor application behavior and prevent abnormal or malicious activities.
• Intrusion Detection and Prevention Systems: Monitor network traffic and detect potential RCE attacks. With IDP tools, you can analyze patterns and signatures of known RCE exploits and raise alerts or take preventive actions.
• Apply security patches & updates: Regularly update operating systems, software applications, libraries, and frameworks.
• Access control policies: Review and update access control policies, conduct audits, and monitor user access.
• Buffer overflow prevention: Implement secure coding practices and input validation.

(Related reading: the many types of IT monitoring.)

Best practices for preventing RCE

Here’s how you can prevent your organization from RCE attacks:

1. Update software and patching vulnerabilities. Regularly update software and apply patches to fix security vulnerabilities, reducing the risk of exploitation by attackers.
2. Follow secure coding practices. Implement secure coding practices such as input validation, sanitization, and error handling to minimize the introduction of vulnerabilities during development.
3. Implement the Principle of Least Privilege. Grant users and systems the minimum level of access necessary to perform their functions, reducing the potential damage from compromised accounts.
4. Deploy IDPs and WAF solutions. Use intrusion detection systems (ISDs) and intrusion prevention systems (IPSs) to monitor network traffic for suspicious activities and Web Application Firewalls (WAFs) to protect web applications by filtering and monitoring HTTP traffic.
5. Conduct security testing & code audits. Perform regular security testing and code audits, including penetration testing, code reviews, and automated scanning, to proactively identify and fix vulnerabilities.
6. Allow listing and blocklisting. Control which applications and processes can execute on your systems by creating allowlists (permitting known, safe applications) and blocklists (blocking known, malicious applications).
7. Penetration testing. Regularly perform penetration tests to identify and rectify vulnerabilities before attackers can exploit them.
8. Inspect traffic. Inspect network traffic for signs of malicious activity, such as unusual data flows or communication with known malicious IP addresses.
9. Deploy firewalls. Deploy and configure firewalls to filter and monitor incoming and outgoing network traffic based on security rules, helping to block malicious traffic.

Preventing remote code execution

Remote code execution (RCE) attacks are a significant threat to organizations. They involve identifying vulnerabilities, exploiting them with crafted payloads, and executing the attacker's code. To protect against RCE attacks, prioritize the prevention techniques discussed in this article.