Arbitrary code execution

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process.[1] An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX).

Arbitrary code execution signifies that if someone sends a specially designed set of data to a computer, they can make it do whatever they want. Even though this particular weakness may not cause actual problems in the real world, researchers have discussed whether it suggests a natural tendency for computers to have vulnerabilities that allow unauthorized code execution.[2]

Vulnerability types

There are a number of classes of vulnerability that can lead to an attacker's ability to execute arbitrary commands or code. For example:

Methods

Arbitrary code execution is commonly achieved through control over the instruction pointer (such as a jump or a branch) of a running process. The instruction pointer points to the next instruction in the process that will be executed. Control over the value of the instruction pointer therefore gives control over which instruction is executed next. In order to execute arbitrary code, many exploits inject code into the process (for example by sending input to it which gets stored in an input buffer in RAM) and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed. This type of attack exploits the fact that most computers (which use a von Neumann architecture) do not make a general distinction between code and data,[7][8] so that malicious code can be camouflaged as harmless input data. Many newer CPUs have mechanisms to make this harder, such as a no-execute bit.[9][10]
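The code/data separation that a no-execute bit enforces can be audited from a process's memory map. The following is an added example, not part of the original article: it counts mappings that are both writable and executable in text in the Linux /proc/<pid>/maps format. The function name count_wx and the sample map are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format (not a real process). */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/demo\n"
    "00e03000-00e24000 rw-p 00000000 00:00 0 [heap]\n"
    "7f2c1a000000-7f2c1a021000 rwxp 00000000 00:00 0 \n"
    "7ffc4b5f0000-7ffc4b611000 rwxp 00000000 00:00 0 [stack]\n";

/* Count mappings that are writable AND executable, i.e. memory where data
 * written by the program could also be fetched as instructions.
 * If name is non-NULL, only mappings with that exact name are counted. */
int count_wx(const char *maps, const char *name)
{
    int count = 0;
    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], perms[5] = "", path[256] = "";
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* Fields: start-end perms offset dev inode [pathname] */
            int n = sscanf(buf, "%*lx-%*lx %4s %*s %*s %*s %255[^\n]", perms, path);
            if (n >= 1 && perms[1] == 'w' && perms[2] == 'x' &&
                (name == NULL || strcmp(path, name) == 0))
                count++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

int main(void)
{
    static char live[1 << 16];
    printf("sample: %d W+X mapping(s)\n", count_wx(SAMPLE_MAPS, NULL));
    FILE *f = fopen("/proc/self/maps", "r");   /* Linux only */
    if (f) {
        live[fread(live, 1, sizeof live - 1, f)] = '\0';
        fclose(f);
        printf("this process: %d W+X mapping(s)\n", count_wx(live, NULL));
    }
    return 0;
}
```

A hardened build normally reports zero such mappings for its own process; a non-zero count on the stack or heap means injected data there could be executed directly.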

Combining with privilege escalation

On its own, an arbitrary code execution exploit will give the attacker the same privileges as the target process that is vulnerable.[11] For example, if exploiting a flaw in a web browser, an attacker could act as the user, performing actions such as modifying personal computer files or accessing banking information, but would not be able to perform system-level actions (unless the user in question also had that access).

To work around this, once an attacker can execute arbitrary code on a target, there is often an attempt at a privilege escalation exploit in order to gain additional control. This may involve the kernel itself or an account such as Administrator, SYSTEM, or root. With or without this enhanced control, exploits have the potential to do severe damage or turn the computer into a zombie—but privilege escalation helps with hiding the attack from the legitimate administrator of the system.

Examples

Retrogaming hobbyists have managed to find vulnerabilities in classic video games that allow them to execute arbitrary code, usually using a precise sequence of button inputs in a tool-assisted superplay to cause a buffer overflow, allowing them to write to protected memory. At Awesome Games Done Quick 2014, a group of speedrunning enthusiasts managed to code and run versions of the games Pong, Snake and Super Mario Bros in a copy of Super Mario World[12] by utilizing an out-of-bounds read of a function pointer that points to a user-controlled buffer to execute arbitrary code.

On June 12, 2018, Bosnian security researcher Jean-Yves Avenard of Mozilla discovered an ACE vulnerability in Windows 10.[13]

On May 1, 2018, a security researcher discovered an ACE vulnerability in the 7-Zip file archiver.[14]

PHP has been the subject of numerous ACE vulnerabilities.[15][16][17]

On December 9, 2021, an RCE vulnerability called "Log4Shell" was discovered in the popular logging framework Log4j, affecting many services including iCloud, Minecraft: Java Edition and Steam, and characterized as "the single biggest, most critical vulnerability of the last decade".[18][19]

References

  1. Team, KernelCare (25 January 2021). "Remote code execution attack: what it is, how to protect your systems". blog.kernelcare.com. Retrieved 2021-09-22.
  2. Johnson, Pontus (2021). Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine (Preprint). arXiv:2105.02124.
  3. "Deserialization of untrusted data". owasp.org.
  4. "Understanding type confusion vulnerabilities: CVE-2015-0336". microsoft.com. 18 June 2015.
  5. "Exploiting CVE-2018-19134: remote code execution through type confusion in Ghostscript". lgtm.com. 5 February 2019.
  6. "LDD arbitrary code execution".
  7. Gilreath, William F.; Laplante, Phillip A. (2003). "Evolution of Instruction Sets". Computer Architecture: A Minimalist Perspective. pp. 23–32. doi:10.1007/978-1-4615-0237-1_4. ISBN 978-1-4613-4980-8.
  8. Reilly, Edwin D. (2003). Milestones in Computer Science and Information Technology. Greenwood Publishing Group. p. 245. ISBN 9781573565219.
  9. "Tech Insight: Execute Disable Bit (XD-Bit)" (PDF). Toshiba Polska. 2005. Archived from the original (PDF) on 2018-10-31. Retrieved 2018-10-31.
  10. "AMD has you covered" (PDF). AMD. 2012. Archived from the original (PDF) on Mar 5, 2019.
  11. Winterfeld, Steve (2013). "Offensive Tactics and Procedures". The Basics of Cyber Warfare. pp. 67–82. doi:10.1016/B978-0-12-404737-2.00005-7. ISBN 978-0-12-404737-2.
  12. Orland, Kyle (14 January 2014). "How an emulator-fueled robot reprogrammed Super Mario World on the fly". Ars Technica. Retrieved 27 July 2016.
  13. "Microsoft Windows CVE-2018-8213 Arbitrary Code Execution Vulnerability". Symantec. Archived from the original on October 31, 2018. Retrieved 2018-10-31.
  14. "A Vulnerability in 7-Zip Could Allow for Arbitrary Code Execution". New York State Office of Information Technology Services. Archived from the original on 2021-08-15. Retrieved 2018-10-31.
  15. "NVD - CVE-2017-12934". nvd.nist.gov. Retrieved 2018-10-31.
  16. "File Operation Induced Unserialization via the "phar://" Stream Wrapper" (PDF). Secarma Labs. 2018.
  17. "NVD - CVE-2017-12933". nvd.nist.gov. Retrieved 2018-10-31.
  18. "Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. December 9, 2021. Retrieved December 11, 2021.
  19. "Recently uncovered software flaw 'most critical vulnerability of the last decade'". The Guardian. 11 December 2021. Retrieved December 11, 2021.
