Remote Code Execution - RCE

What is Remote Code Execution (RCE)?
Remote Code Execution (RCE) allows an attacker to execute arbitrary code on the server that hosts the web application. RCE can lead to full compromise of the server and of the application hosted on it.
How does an RCE work?
RCE arises when untrusted or unsanitized user input is passed to evaluation functions such as PHP's eval(). It can also arise when untrusted user input is injected or written directly into executable files.
What can an attacker do by exploiting RCE?
An attacker can exploit RCE to take full control of the server. Once the server is taken over, the attacker has full access to the web application: the whole database, the complete source code and users' files are all at risk in an application vulnerable to RCE.
Example:
Suppose an application has a request that takes input from the user to search for a product, as shown in the following example:

https://vilnerablesite.com/search?product_name=mug

Let's assume the user input is passed to PHP's eval() function, as in the example below:

<?php
// Untrusted input taken straight from the query string
$product_name = $_GET['product_name'];
// Single quotes keep $product_name literal at this point; it is only
// substituted when eval() runs the generated code below
$display_text = 'Search results for $product_name :';
// The user-controlled value ends up inside code handed to eval()
eval("\$display_text = \"$display_text\";");

An attacker can exploit this to execute malicious code and achieve RCE, as shown in the following example:

https://vilnerablesite.com/search?product_name=mug;phpinfo()

The payload supplied in the product_name parameter is reflected into the code passed to eval(), and the phpinfo() function is executed. Hence the attacker has successfully performed an RCE attack.
How to prevent RCE?
A developer must never pass user input to evaluating functions. Validating and sanitizing user input is a further step towards security. The developer can make it more secure by blacklisting special characters and function names.
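As an added example (not code from the original article), here is the search handler rewritten so that user input never reaches eval(): the display text is built with ordinary string handling, the product name is checked against an allow-list pattern, and output is encoded for HTML. The function names and the allow-list pattern are assumptions for illustration.

```php
<?php
// Added example, not part of the original article. Function names and the
// allow-list pattern are assumptions for this illustration.
declare(strict_types=1);

// Allow-list validation: accept only 1-64 letters, digits, spaces, hyphens
// or underscores. Anything else (including ";" and "(") is rejected, so the
// check fails closed instead of trying to blacklist dangerous characters.
function validate_product_name(mixed $input): ?string
{
    if (!is_string($input)) {          // ?product_name[]=x arrives as an array
        return null;
    }
    return preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $input) === 1 ? $input : null;
}

// Build the display text as plain data. No code is generated or evaluated,
// so an input such as "mug;phpinfo()" would only ever be text, never a call.
function build_display_text(string $product_name): string
{
    return sprintf('Search results for %s :', $product_name);
}

// Output encoding for the HTML context (a separate concern from RCE, but the
// same reflected value would otherwise be an XSS vector).
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$product_name = validate_product_name($_GET['product_name'] ?? '');
if ($product_name === null) {
    http_response_code(400);
    exit('Invalid product name');
}

echo render(build_display_text($product_name));
```

With this structure the value of product_name is never part of any PHP source text, so there is nothing for an attacker to break out of; the allow-list is a defence-in-depth check on top of that, not a substitute for removing eval().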
