Remote Code Execution (RCE)


Overview of the Vulnerability

Remote Code Execution (RCE) is a vulnerability that allows commands to be executed remotely on a target machine by crafting a request within the application where there should be no context to access or execute code.

An RCE vulnerability in this application allows a malicious attacker to remotely execute code on the server, enabling the attacker to extract passwords, reconfigure running services, move laterally into attached networks, and potentially take over the server.

Business Impact

RCE could lead to data theft through the attacker's ability to manipulate data through their access to the application server. These malicious actions could also result in reputational damage for the business through the impact to customers' trust.

Steps to Reproduce

Example:

  1. Using a machine with access to cURL, run the command curl {{url}}/cmd?=ping%20192.168.1.1;cat%20/etc/hostname

  2. In the terminal, you will see the output of the ping command, then the hostname of the server hosting this website.

Proof of Concept

The screenshot below demonstrates the RCE in the application through the specified parameter:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Your submission must include evidence of the vulnerability and not be theoretical in nature.

For a Remote Code Execution vulnerability, you may execute some commands to prove that the code execution works, but do not access or attempt to access sensitive information. Do not access Personally Identifiable Information (PII). Do not pivot or access internal systems which are deemed out of scope.

If you need to upload a file to demonstrate the vulnerability, where possible, please give the file a randomly generated name that is not possible to guess. In addition, it is not permitted to perform interactive execution of commands remotely. Your PoC must only demonstrate that a non-sensitive command can be executed when the page is accessed. Do not upload interactive web shells.

Examples of commands that can show access to the server are: cat /etc/hostname, cat /etc/passwd, cat /etc/issue, and ifconfig.

Recommendation(s)

All user input should be sanitized using allow lists (valid characters and code strings), deny lists (invalid characters and code strings), and escaping (removal of invalid data from requests). It is best practice that all user input goes through a validation process which only allows content to be processed by the database if it passes validation.
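As an added illustration (not part of this template), the allow-list validation recommended above applied to the ping endpoint from the reproduction steps; the function and variable names are assumed:

```python
import ipaddress
import re
import subprocess

# Allow list for the single argument the endpoint accepts: an IP literal or an
# RFC 1123 hostname. Anything outside this shape is rejected before any process runs.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """'Before' form (constructed, never executed here): the raw parameter is spliced
    into a shell string, so ';', '|' and '$(...)' from the request survive intact."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allow-list check: accept an IP address or a hostname, raise on everything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not a valid IP address or hostname")


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around validate_target for request handlers and tests."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list[str]:
    """Hardened form: the validated value becomes one argv element, so no shell
    ever parses it. The allow list also rules out values starting with '-'."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    # shell=False (the default) means the argument list is passed straight to
    # execve; metacharacters in the request are data, not commands.
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=5)
```

The injected value from the reproduction step (192.168.1.1;cat /etc/hostname) fails validation and never reaches subprocess.run.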

It is also important to keep all systems, software and operating systems up to date with a repeatable patch management process, as RCE vulnerabilities can exist within third-party components.
