
Remote Code Execution (RCE)

RCE definition and overview

  • Remote Code Execution (RCE) is a cyberattack in which a threat actor remotely executes commands on a victim’s device.
  • It occurs through the exploitation of vulnerabilities, usually by malware, regardless of geographic location.
  • RCE allows attackers to control systems and potentially take over applications entirely.

Remote code execution attacks review

Remote code execution is a cyber-attack in which an attacker remotely executes commands on someone else’s computing device. Remote code executions (RCEs) usually occur through malware downloaded onto the host and can happen regardless of the device’s geographic location. Remote Code Execution (RCE) is also referred to as Remote Code Evaluation.

Remote code execution vulnerabilities are a broad category of attack technique. They allow a threat actor to execute code on a target machine across the internet, a wide area network (WAN), or a local area network (LAN). For example, a threat actor in Ukraine could silently place malicious code on a targeted device in the United States. RCE also enables a threat actor to control a computer or server by executing arbitrary code through malicious software, and it can lead to the complete takeover of a vulnerable application.

The sequence of an RCE attack is straightforward. First, the threat actor scans computers across the internet for known vulnerabilities that may support a successful attack. Once a targeted vulnerability is identified, the threat actor exploits it to gain access. Once in, they execute malicious code to reach their goals, which may include exfiltrating data, diverting funds, performing detailed surveillance, and disrupting service.

Code is often injected in the language of the targeted application, and the server-side interpreter for that language then executes it. Typical languages include Python, Java, Perl, Ruby, and PHP. Applications that directly evaluate unvalidated input are usually vulnerable to code injection, and public web applications are a prime target for threat actors.

Execution of the malicious code is usually accomplished with terminal commands or bash scripts. A bash script is a text file containing commands that would normally be typed at a command line; the commands behave exactly as they would interactively. Scripts conventionally carry a “.sh” extension, but this is not required. Once a script is packaged, the threat actor loads it into a vulnerable application that, in turn, executes it, or the application makes a call to the kernel to have it executed.
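The command injection case described above (and listed under command injection and shell injection in the attack types below), as an added Python example written for this page rather than taken from Bugcrowd or any project: a lookup endpoint that pastes user input into a shell command line, beside a hardened version that validates the input against an allow-list and passes it as an argument list so no shell ever parses it. It assumes a POSIX shell and uses `echo` in place of a real network utility such as `ping`; the hostname pattern, the function names and the sample inputs are this example's own.

```python
import re
import subprocess

# Allow-list for the only value this endpoint legitimately accepts: a hostname.
# Requiring an alphanumeric first character also prevents the value from being
# read as an option (such as "-n") by the program it is handed to.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# "echo" stands in for a real utility such as ping or nslookup so the example
# runs anywhere with a POSIX shell; the injection mechanics are identical.
TOOL = "echo"


def vulnerable_lookup(hostname: str) -> str:
    """Vulnerable form: untrusted input is pasted into a shell command line.

    shell=True hands the whole string to /bin/sh, so shell metacharacters in
    `hostname` (';', '|', '&&', '$(...)') become additional commands.
    """
    completed = subprocess.run(f"{TOOL} {hostname}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def hardened_lookup(hostname: str) -> str:
    """Hardened form: validate against the allow-list, then pass an argv list.

    With the default shell=False there is no shell to interpret metacharacters;
    the value reaches the tool as exactly one argument.
    """
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    completed = subprocess.run([TOOL, hostname], capture_output=True, text=True)
    return completed.stdout


def is_injection_attempt(hostname: str) -> bool:
    """Detection helper: True for any value the allow-list would reject.

    Blocking is the fix; logging and alerting on rejected values on the
    request path additionally tells the SOC that someone is probing the endpoint.
    """
    return HOSTNAME_RE.fullmatch(hostname) is None


if __name__ == "__main__":
    # Constructed sample input: a second, harmless command smuggled after ';'.
    crafted = "example.com; echo INJECTED"
    print(vulnerable_lookup(crafted), end="")   # two lines: the shell ran both
    print(hardened_lookup("example.com"), end="")
    try:
        hardened_lookup(crafted)
    except ValueError as exc:
        print("blocked:", exc)
```

The fix is the combination of the two measures: the allow-list rejects anything that is not a hostname, and the argument list guarantees that even a value which slips through validation is never interpreted by a shell.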

Remote code execution attack types

Here is a list of remote code execution (RCE) attack types, each of which exploits a vulnerability to execute arbitrary commands or code on a target system:

Injection-based attacks

  • SQL injection (SQLi) – Exploits improperly sanitized inputs to execute arbitrary SQL queries.
  • Command injection – Inserts malicious commands into input fields that are executed on the server’s shell.
  • Cross-site scripting (XSS) – Injects malicious scripts into web pages viewed by other users.
  • NoSQL injection – Exploits vulnerabilities in NoSQL databases like MongoDB.
  • LDAP injection – Exploits vulnerabilities in LDAP queries to manipulate directory services.

Deserialization attacks

  1. Unsafe deserialization – Exploits deserialization of untrusted data to execute code.
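An added Python example (not from the page or any project) of how unsafe deserialization becomes code execution with Python's pickle, together with two mitigations: a restricted unpickler that resolves only an explicit allow-list of classes, and replacing pickle with JSON plus explicit shape checks. The SessionToken class, the allow-list and both sample payloads are constructed for this example; os.getcwd stands in for whatever callable a hostile payload would name, because it is harmless.

```python
import io
import json
import os
import pickle


class SessionToken:
    """Harmless application object the service legitimately persists."""

    def __init__(self, user: str, expires: int) -> None:
        self.user = user
        self.expires = expires


class CallableOnLoad:
    """Constructed hostile payload: its pickle tells the loader to call
    os.getcwd() during deserialization. os.getcwd is chosen because it is
    harmless; the mechanism accepts any importable callable."""

    def __reduce__(self):
        return (os.getcwd, ())


def legit_pickle() -> bytes:
    """What the application itself would write."""
    return pickle.dumps(SessionToken("alice", 1700000000), protocol=4)


def hostile_pickle() -> bytes:
    """What an attacker could submit in its place."""
    return pickle.dumps(CallableOnLoad(), protocol=4)


def unsafe_loads(data: bytes):
    """Vulnerable form: pickle.loads on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: resolve only an explicit allow-list of globals.

    Every class or function a pickle references goes through find_class, so
    refusing everything outside the allow-list removes the code-execution
    primitive while still loading the application's own objects.
    """

    ALLOWED = {(SessionToken.__module__, "SessionToken")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def token_from_json(text: str) -> SessionToken:
    """Mitigation 2 (preferred): a data-only format plus explicit shape checks.

    JSON cannot name code to run, so the worst a hostile document can do is
    fail validation here.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user", "expires"}:
        raise ValueError("unexpected document shape")
    user, expires = obj["user"], obj["expires"]
    if not isinstance(user, str) or type(expires) is not int:
        raise ValueError("unexpected field types")
    return SessionToken(user, expires)


def demo() -> dict:
    """Runs each path and reports what the loader produced."""
    results = {}
    # With plain pickle.loads the "object" that comes back is the return value
    # of the callable the payload named, proving the callable ran.
    results["unsafe_hostile_ran_callable"] = unsafe_loads(hostile_pickle()) == os.getcwd()
    results["restricted_legit_user"] = restricted_loads(legit_pickle()).user
    try:
        restricted_loads(hostile_pickle())
        results["restricted_hostile_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_hostile_blocked"] = True
    results["json_user"] = token_from_json('{"user": "alice", "expires": 1700000000}').user
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same pattern applies to PHP object injection and to the "object injection" item further down: the deserializer must never be allowed to instantiate classes or invoke callables chosen by the sender. Where the application controls both ends, switching to a data-only format removes the problem entirely.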

File-related exploits

  1. Local file inclusion (LFI) – Forces the server to execute files from its filesystem.
  2. Remote file inclusion (RFI) – Includes and executes remote scripts on the server.

Scripting and runtime vulnerabilities

  1. Template injection – Exploits vulnerabilities in template engines to execute arbitrary code.
  2. PHP object injection – Targets PHP applications to exploit unserialized data and execute code.

Protocol exploits

  1. XXE (XML External Entity) – Exploits vulnerabilities in XML parsers to include and execute external files.
  2. Server-side request forgery (SSRF) – Tricks the server into making requests to internal systems or executing commands.

Memory exploits

  1. Buffer overflow – Overwrites memory to execute arbitrary code.
  2. Heap spray – Fills memory with malicious code to trigger execution.
  3. Return-oriented programming (ROP) – Chains instructions from existing code to execute malicious payloads.

Web application framework exploits

  1. Shell injection – Injects code to invoke a shell interpreter for command execution.
  2. Cross-site request forgery (CSRF) – Indirectly triggers state-changing commands without user consent.
  3. JavaScript Injection – Executes unauthorized JavaScript, often leading to RCE.

Network protocol exploits

  1. DNS rebinding – Exploits the browser’s handling of DNS to attack local servers.
  2. SMTP injection – Exploits mail servers by injecting commands in SMTP headers.

Advanced attack vectors

  1. Path traversal – Navigates directories to execute unauthorized files.
  2. Library hijacking – Replaces dynamic libraries with malicious ones to execute code.
  3. Code injection in configurations – Targets configuration files to embed executable code.
  4. JNDI injection (Java naming and directory interface) – Exploits Java naming services to execute malicious code.
  5. Memory corruption exploits – Manipulates memory to execute arbitrary code, often in unmanaged languages like C/C++.

Other code execution vulnerabilities

  1. API misuse – Exploits poorly protected APIs to run unauthorized actions or commands.
  2. Dynamic evaluation attacks – Misuses functions like eval() to execute injected code.
  3. Web shells – Uploads malicious scripts to gain persistent command execution.
  4. Object injection in applications – Injects serialized objects to exploit poorly designed handlers.
  5. Exploitation of misconfigured tools – Leverages misconfigured platforms (e.g., Kubernetes, Jenkins) to execute arbitrary code.
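Applications that hand input to eval() (the dynamic evaluation item above, and the direct evaluation of unvalidated input described earlier on this page) can usually be rewritten to accept only the small expression grammar they actually need. The following is an added example written for this page, not code from Bugcrowd or any project: an allow-list evaluator built on Python's standard ast module for alert-threshold expressions such as `cpu > 90 and mem > 80`, beside the eval() version it replaces. The function names, the metric names and the grammar it permits are this example's own choices.

```python
import ast
import operator

_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the allow-listed grammar."""


def unsafe_threshold(expr: str, metrics: dict) -> bool:
    """Vulnerable form: eval() runs whatever the caller supplies.

    Stripping builtins (a common "fix") does not help: Python exposes enough
    through ordinary object attributes that this remains full code execution.
    """
    return bool(eval(expr, {"__builtins__": {}}, dict(metrics)))


def safe_threshold(expr: str, metrics: dict) -> bool:
    """Hardened form: parse, then interpret only an explicit allow-list of
    node types (numbers, named metrics, arithmetic, comparisons, and/or/not).
    Calls, attribute access, subscripts, lambdas and strings never evaluate."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an expression: {exc.msg}") from exc
    return bool(_walk(tree.body, metrics))


def _walk(node: ast.AST, metrics: dict):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in metrics:
            return metrics[node.id]
        raise UnsafeExpression(f"unknown metric {node.id!r}")
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand, metrics)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _walk(node.operand, metrics)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left, metrics),
                                       _walk(node.right, metrics))
    if isinstance(node, ast.Compare):
        # Python chains comparisons: "1 < cpu < 100" is two comparisons.
        left = _walk(node.left, metrics)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeExpression(f"disallowed comparison {type(op).__name__}")
            right = _walk(comparator, metrics)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.BoolOp):
        values = (_walk(v, metrics) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    # Everything else (Call, Attribute, Subscript, Lambda, strings, ...) is refused.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


if __name__ == "__main__":
    sample = {"cpu": 95, "mem": 85, "disk": 40}     # constructed metrics
    print(safe_threshold("cpu > 90 and mem > 80", sample))
    try:
        safe_threshold("__import__('os').getcwd()", sample)
    except UnsafeExpression as exc:
        print("refused:", exc)
```

The defensive principle is the same one that applies to every injection class on this list: decide up front which constructs the application needs, accept exactly those, and refuse the rest, rather than trying to strip out the dangerous ones.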

WannaCry Remote Code Execution attack

There are some very well-known examples of remote code execution attacks. WannaCry is perhaps the most famous of recent vintage. In 2017, the WannaCry ransomware infected many thousands of computers worldwide, and it used RCE to great advantage. Initially, a threat actor would identify exposed SMB ports that could be compromised and use one of several spying tools allegedly attributed to the National Security Agency (NSA).

One such tool, “EternalBlue,” exploited a vulnerability in Microsoft’s SMB protocol. SMB enables applications and their users to access files and other resources on remote servers. The vulnerability EternalBlue exploits is tracked by Microsoft as MS17-010. EternalBlue only affects Windows operating systems and anything else that uses the SMB version 1 file-sharing protocol.

Once the threat actor had exploited the SMB vulnerability, they would use another tool, DoublePulsar, also allegedly an NSA hacking tool, which was leaked online by The Shadow Brokers threat actors in 2017. DoublePulsar could then be used to install the WannaCry ransomware on the compromised machines.

Before all was said and done, EternalBlue and DoublePulsar had enabled the compromise of approximately 150,000 computers and servers. Once a server was infected with the ransomware, it could in turn infect all of the client machines that connected to it.

Preventing RCE attacks

RCE attacks are challenging to prevent because the chain of execution used to gain entry can vary widely. The key to minimizing the number of vulnerabilities in your environment is to patch and update all of your software quickly. Unfortunately, most attackers take a list of the most recently disclosed vulnerabilities and happily exploit them, knowing full well that most organizations have not yet applied the necessary updates and mitigation patches. Alternatively, threat actors successfully leverage old vulnerabilities that remain unpatched, sometimes years later, to gain unauthorized access.

Many best practices are well known today. Network traffic should be monitored for potentially malicious content, in addition to monitoring endpoints. Web application firewalls (WAFs) are particularly effective at providing this defense, although WAF analysis may miss malicious traffic and generate false positives. Threat detection software can also be essential in preventing RCE. Products like Snort can scan incoming traffic and detect suspicious behavior and intrusion attempts, and Snort can also block a suspicious host upon detection. Snort is generally deployed in one of three ways: as a packet sniffer like tcpdump, as a packet logger (often recommended for network traffic debugging), or as a full-featured network intrusion prevention system. Penetration testing focused on detecting potential RCE attack vectors is also an essential and highly effective way to minimize RCE-based threats.

RCE attacks can also be prevented by implementing buffer overflow protection: software on your servers that detects buffer overflows so that they do not present readily exploitable vulnerabilities. Buffer overflow protection changes the layout of data in a function call’s stack frame to include a “canary value.” When a stack buffer overflow overwrites the canary value, this indicates that a buffer preceding it has been overflowed. The affected program can then be terminated so that a threat actor’s malicious code does not compromise it.

Access control lists are also important: they limit user permissions and, in turn, restrict what a threat actor can do if they take over one of those user accounts.

Finally, user input must be sanitized. Consider the mantra of zero trust: any user input can contribute to an RCE attack and must be treated as completely untrusted. Input sanitization is the cleansing and scrubbing of user input so that it cannot exploit security holes; it involves validating, “cleaning,” and filtering data inputs from users, APIs, and web services. There are roughly three types of sanitizing processes in use today: whitelisting (allow lists), blacklisting (disallow lists), and escape sanitizing. Allow lists accept only valid characters and strings. Disallow lists cleanse the input by eliminating characters that may be dangerous, such as extra white spaces, tabs, tags, and line breaks. Escape sanitizing rejects invalid data requests and transforms inputs so that they are not interpreted as code.
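The three sanitization approaches above, as an added Python example written for this page (not Bugcrowd's code): an allow-list validator, a deny-list scrubber, and escaping for the two contexts a web application most often writes into, an HTML page and a shell argument. It uses only the standard library; the username pattern, the tag pattern and the sample inputs are constructed for the example.

```python
import html
import re
import shlex

# Allow list: the exact set of values a username may take. Anything else is
# rejected outright rather than "cleaned".
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def allowlist_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"rejected username: {value!r}")
    return value


# Deny list: remove the things the text names as dangerous (tags, tabs, line
# breaks, extra white space). Note that this is a single pass over the input.
_SCRIPT_TAG_RE = re.compile(r"(?i)</?script>")


def denylist_scrub(value: str) -> str:
    cleaned = _SCRIPT_TAG_RE.sub("", value)
    cleaned = re.sub(r"[\t\r\n]+", " ", cleaned)
    return re.sub(r" {2,}", " ", cleaned).strip()


# Escape sanitizing: keep the data, but encode it for the context it is about
# to be written into so that it cannot be read as markup or as shell syntax.
def escape_for_html(value: str) -> str:
    return html.escape(value, quote=True)


def escape_for_shell_arg(value: str) -> str:
    return shlex.quote(value)


def sanitize_report(value: str) -> dict:
    """Runs one input through all three approaches for side-by-side comparison."""
    try:
        allowed = allowlist_username(value)
    except ValueError:
        allowed = None
    return {
        "allowlist": allowed,
        "denylist": denylist_scrub(value),
        "html": escape_for_html(value),
        "shell": escape_for_shell_arg(value),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["alice_01", 'alice<b onmouseover="x">', "alice; id",
                   "<scr<script>ipt>alert(1)</script>"]:
        print(sample, "->", sanitize_report(sample))
```

The last sample shows why deny lists are the weakest of the three: removing `<script>` once from `<scr<script>ipt>` leaves `<script>` behind. Allow-listing rejects such input outright, and context-specific escaping renders it harmless whatever it contains, which is why those two approaches should carry the load and a deny list, if used at all, should only be a supplementary layer.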
