I know It's been a long time since I published anything related to secure code review.After taking a break, everything felt new again. Busy schedules, constant learning, and trying to improve my skills kept me occupied for quite a while. but now i am back with a new topic as a secure code reviewer perspective .
lest get dive into today's topic ….
first lets start from the basics
What is Remote Code Execution ?
Remote code Execution aka known as RCE is the one of the most critical vulnerabilities in application security because it allows attackers to execute arbitrary commands or code on the target server.
what is arbitrary commands ?
Commands chosen and controlled by the attacker. (simple right ?)
For example, if an application executes system commands using user supplied input without proper validation an attacker may inject their own commands into the application.
google.com; whoami
every thing feels simple when you understand it the right way like this 😌
Now let's move into the interesting part identifying RCE from a secure code reviewer's perspective.
One thing i understood while learning secure code review is that real vulnerabilities are almost never shown directly most of the time Vulnerabilities are hidden behind App logic , functions etc.
How to find RCE while Reviewing Code .
RCE never happens directly it will happens due to the combination of many other vulnerabilities like Command injection , SSTI , File Uploading Vulnerabilities etc.
Here is the main formula that you should follow while review codes
SOURCE → FLOW → SINK
Source : where the attacker controlled input enters the application (the User Input fields )
eg: domain = request.args.get("domain")
Flow: means how the data moves inside the application.
eg: command = "ping " + domain (here usually user controlled input became a part of the command)
Sink : This is the most dangerous function that is capable to execute commands .
eg: os.system() [python]
shell_exec() [PHP]
How RCE Happens
when learning about rce at first confused me . But once I understood the flow properly, everything started making sense.
RCE usually happens when application trust user input then passes the user input into dangerous functions and execute it without proper sanitization. thats the basic idea now when u look at the above code snippet i could understand what i said .
If a user tries to inject shell operators into the input field, for example ip=8.8.8.8; whoami , the application successfully processes the request and executes the user-supplied input as a system command because shell_exec($cmd) is used in the backend. As a result, command injection is possible which may further lead to Remote Code Execution (RCE).
sometimes developers think they are only allowing users to perform simple operations like here . but the scary part is f user-controlled input reaches dangerous execution functions insecurely attackers may completely compromise the server.
Impact of RCE
- read sensitive files
- access database credentials
- modify or delete important data
- upload malware or backdoors
- gain reverse shell access
- move laterally inside internal networks
- take full control over the server
Mitigation
One of the biggest mistakes developers make is directly passing user input into system command functions like:
shell_exec()
system()
exec()
Especially when the input is concatenated directly into commands like $cmd = "ping -c 1 " . $ip;
Instead of executing commands through the shell directly, developers should use safer alternatives whenever possible. like this subprocess.run(["ping", "-c", "1", ip], shell=False)
Validate user input
That's it for this write up I hope this helped you understand RCE from a secure code reviewer's perspective in a simple way.
See you in the next write up 😌