Hello everyone! Today we're going to talk about RCE, which stands for Remote Code Execution.
It's a vulnerability that allows an attacker to execute code of their choosing directly on a system. Those commands run without any filtering or blocking, which is why it's considered one of the most dangerous, highest-severity vulnerabilities.
A simple example: suppose we have a tool that pings a website to see whether it responds. What would an attacker do? They would modify the command. How?
The intended command is: ping 1.1.1.1. What the attacker sends instead is: ping 1.1.1.1; ls
What does this mean? It tells the server: after you finish your operation, run another one, ls, which lists files. The attacker can now view files and also execute other commands.
What are the most common types of RCE (Remote Code Execution)?
1- Code injections
2- Command injections
How does an attacker gain control? My friend, they insert malicious code, or rather, they use tools that exploit the vulnerability, for example by opening a reverse connection from the server back to their own machine, for example over SSH. There are many ways, but all roads lead to Rome. Once they reach a shell, they begin the privilege escalation process, which we will explain later. Or they may skip that step, because the command they can already run from the vulnerable tool executes with high privileges; it depends on the attacker's thinking and method. The important thing is that they have found a way onto the server.
How is it detected?
1- Perform a static analysis of the website's or server's source code to identify the functions through which RCE vulnerabilities are exploited, which programmers commonly call sinks.
2- Perform a dynamic analysis that examines headers, cookies, and input fields as the places where payloads are injected, and observes the responses and their consequences. For example, inject a payload that makes the server wait before replying: if the server takes 10 seconds to respond, the command was executed. Another check of the same kind is whether the server can perform external scans or open outbound connections, for example with curl.
3- The libraries used in the project are checked, because one of them might itself be vulnerable or compromised, which would expose the server to the same problem.
4- And many other methods.
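To make the static-analysis step concrete, here is an added example (not code from the original post) of a tiny sink finder written in Python: it parses a source file with the standard `ast` module and reports every call to a code-interpreter sink (`eval`, `exec`, `compile`) or a command sink that reaches a shell (`os.system`, `os.popen`, or any `subprocess` call with `shell=True`). The sink lists and the `SAMPLE` source it scans are constructed for the example.

```python
import ast
from typing import List, Optional, Tuple

# Functions that hand data to an interpreter. Any call to these with
# user-controlled arguments is a candidate RCE bug. (Constructed list for
# this example; extend it for the frameworks in your own code base.)
CODE_SINKS = {"eval", "exec", "compile"}
SHELL_SINKS = {"os.system", "os.popen"}
SUBPROCESS_SINKS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'eval' for eval(...) and 'os.system' for os.system(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _shell_true(node: ast.Call) -> bool:
    """True when the call literally passes shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def find_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Static pass: (line, sink, reason) for every dangerous call, by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in CODE_SINKS:
            findings.append((node.lineno, name, "code injection sink"))
        elif name in SHELL_SINKS:
            findings.append((node.lineno, name, "command passed through a shell"))
        elif name in SUBPROCESS_SINKS and _shell_true(node):
            findings.append((node.lineno, name, "shell=True builds a shell command"))
    findings.sort()
    return findings


# Constructed sample: the ping tool from the post, written four ways.
SAMPLE = '''\
import os, subprocess

def ping(host):
    os.system("ping -c 1 " + host)

def calc(expr):
    return eval(expr)

def safe_ping(host):
    subprocess.run(["ping", "-c", "1", host])

def unsafe_run(cmd):
    subprocess.run(cmd, shell=True)
'''

if __name__ == "__main__":
    for line, sink, reason in find_sinks(SAMPLE):
        print(f"line {line}: {sink} ({reason})")
```

Note that `safe_ping` on line 10 of the sample is not reported: it passes an argument list without `shell=True`, so no shell ever parses the host. A real static pass would also trace whether the argument is user-controlled; this one only locates the sinks, which is the first step the post describes.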
How to solve these problems:
1- Forget about using built-in functions like eval or system.
2- Isolate tools and other user-facing applications in an environment separate from the main server, so that even if someone manages to gain access, they won't be able to do anything. Permissions on the server or other entity should also be minimized.
3- Enabling a web application firewall is crucial for blocking suspicious requests and filtering out commands before they are executed directly.
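The ping example from the top of the post and fix 1 above both come down to the same change, shown here as an added Python example (not code from the original post): the vulnerable version concatenates the host into a shell string, the hardened version validates the host against an allow-list (an IP address or a plain hostname) and passes an argument list to `subprocess.run`, so no shell ever sees a `;`. The hostname regex and the `ping -c 1` flags are assumptions of the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123-style hostname: labels of letters, digits and hyphens, not starting
# or ending with a hyphen. Also rejects a leading '-', so the host cannot be
# turned into an extra ping option. (Constructed for this example.)
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def ping_command_vulnerable(host: str) -> str:
    """The 'before': the string os.system() would hand to /bin/sh.

    With the input "1.1.1.1; ls" the shell sees two commands, which is the
    bug the post describes. Returned rather than executed on purpose.
    """
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Allow-list check: only an IP address or a plain hostname gets through."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected host: {host!r}")


def is_safe_host(host: str) -> bool:
    """Convenience wrapper around validate_host for callers that want a bool."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def ping_command_hardened(host: str) -> List[str]:
    """The 'after': validated input, argv list, never a shell string."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command. No shell is involved, so ';' is just data."""
    return subprocess.run(ping_command_hardened(host), check=False,
                          timeout=5).returncode


if __name__ == "__main__":
    bad = "1.1.1.1; ls"
    print("vulnerable would run:", ping_command_vulnerable(bad))
    try:
        ping_command_hardened(bad)
    except ValueError as e:
        print("hardened rejects it:", e)
    print("hardened argv:", ping_command_hardened("1.1.1.1"))
```

Both halves matter: the argument list removes the shell, and the allow-list removes the remaining option-injection risk (a host beginning with `-`). A WAF, as in fix 3, sits in front of this code and can catch obvious payloads, but it is the code change that closes the bug.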