Remote Arbitrary Code Execution

Remote code execution is one of the most commonly used methods of
exploiting systems. Several noteworthy attacks on high profile Web sites have
been due to the ability to execute arbitrary code remotely. Remote arbitrary
code execution is serious because it often does not require authentication and
therefore may be exploited by anybody who can reach the vulnerable service.
Returning to the military scenario, suppose the enemy General’s reconnaissance
troops are able to slip past the other side’s guards. They can then sit and
map the others’ position, and return to the General with camp coordinates, as
well as the coordinates of things within the opposing side’s camp.
The General can then pass this information to his Fire Support Officer
(FSO), and the FSO can launch several artillery strikes to “soften them up.” But
suppose for a moment that the opposing side knows about the technology
behind the artillery pieces the General’s army is using. And suppose that they
have the capability to remotely take control of the coordinates input into the
General’s artillery pieces—they would be able to turn the pieces on the General’s
own army. This type of control is exactly the type of control an attacker can gain by
executing arbitrary code remotely. If the attacker can execute arbitrary code
through a service on the system, the attacker can use the service against the
system, with power similar to that of using an army’s own artillery against them.
Several methods allow the execution of arbitrary code. Two of the most common
are buffer overflows and format string attacks: in both, data supplied by the
remote client is allowed to overwrite memory that the program trusts.
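As an added illustration of the two bug classes just named (example code written for this edit, not code from the book or from any product it mentions), the C below shows each bug beside a hardened version. The function names, the 16-byte name field and the request strings are constructed for illustration; the format-string probe uses `%%` because its effect (the directive is interpreted rather than logged) is deterministic and portable, whereas a real attacker would send `%x` to read the stack or `%n` to write memory.

```c
/* Added example (not from the book): a stack buffer overflow and a format
 * string bug, each beside a hardened version. All names are illustrative. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16                    /* fixed field size: an assumption */

/* Vulnerable: strcpy copies until the NUL, so a name longer than 15 bytes
 * overruns `name` and overwrites whatever follows it on the stack (saved
 * registers, the return address), which is how client bytes become code. */
int handle_name_unsafe(const char *request) {
    char name[NAME_LEN];
    strcpy(name, request);             /* no length check at all */
    return (int)strlen(name);
}

/* Hardened: refuse anything without a terminator inside the field, copy
 * with an explicit bound, and terminate. Returning -1 instead of silently
 * truncating keeps the caller from treating a cut-off name as valid. */
int handle_name_safe(const char *request) {
    char name[NAME_LEN];
    const char *end = memchr(request, '\0', NAME_LEN);
    if (end == NULL) return -1;        /* no NUL in the first 16 bytes: too long */
    size_t n = (size_t)(end - request);
    memcpy(name, request, n);
    name[n] = '\0';
    return (int)n;
}

static char logline[64];               /* shared line buffer so callers get a string back */

/* Vulnerable: the client's bytes are used as the format string itself, so any
 * directives in them are interpreted: %x reads words off the stack, %n writes
 * to memory, which turns a logging call into a memory-corruption primitive. */
#pragma GCC diagnostic ignored "-Wformat-security"   /* deliberately vulnerable */
const char *log_unsafe(const char *request) {
    snprintf(logline, sizeof logline, request);
    return logline;
}

/* Hardened: a fixed format; the request is only ever an argument. */
const char *log_safe(const char *request) {
    snprintf(logline, sizeof logline, "%s", request);
    return logline;
}

int main(void) {
    const char *probe = "%%";          /* constructed: what a client sent */
    printf("unsafe log of \"%%%%\": %s\n", log_unsafe(probe));   /* "%"  */
    printf("safe   log of \"%%%%\": %s\n", log_safe(probe));     /* "%%" */
    printf("safe copy of a 20-byte name: %d\n",
           handle_name_safe("AAAAAAAAAAAAAAAAAAAA"));           /* -1 */
    return 0;
}
```

The unsafe copy is not exercised with an oversized name here because doing so corrupts the stack; the point of the hardened versions is that the length check and the fixed format remove the attacker's control over memory before any copy or write happens.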
The Attack
Remote code execution is almost always performed with an automated tool.
Crafting and delivering the payload by hand for each target is, at the very best,
impractical, so these attacks are typically written into an automated script
that is reused against every host found to be vulnerable.
Remote arbitrary code execution is most often aimed at giving a remote user
administrative access on a vulnerable system. The attack is usually prefaced by an
information gathering attack, in which the attacker uses some means such as an
automated scanning tool to identify hosts running a vulnerable version of the
software. Once identified, the attacker runs the exploit script against the
program in the hope of gaining local administrative access on the host.
Once the attacker has gained local administrative access on the system, the
attacker initiates the process discussed in the “Misinformation” section. The
attacker will do his best to hide his presence on the system. Following that, he
may use the compromised host as a base from which to launch remote arbitrary
code execution attacks against other hosts.
Although remote execution of arbitrary code can allow an attacker to execute
commands on a system, it is subject to some limitations.
Code Execution Limitations
Remote arbitrary code execution is bound by limitations such as ownership and
group membership. These limitations are the same as those imposed on all
processes and all users: the attacker’s code runs with exactly the privileges of
the process it was injected into, no more.
On UNIX systems, a process must be started as root to bind a port below 1024
(on Linux the CAP_NET_BIND_SERVICE capability can grant this without full root),
so services listening on those ports are launched by the superuser. However,
some software packages, such as the Apache Web Server, are designed to give up
root once the port is bound: the parent process must be started by the superuser,
but the child processes that handle requests run under an unprivileged user and
group. An attacker exploiting an Apache HTTP process would therefore gain only
the privileges of that unprivileged server process. This would allow the
attacker to gain local access, although as an unprivileged user. Further elevation of
privileges would require exploiting another vulnerability on the local system. This
limitation makes exploiting nonprivileged processes riskier for the attacker, because
the extra steps needed after the initial foothold increase the chance of being
caught once system access is gained.
Changing a process from running as a user of higher privilege to one of lower
privilege is called dropping privileges. Apache can also be confined to a false
root directory that isolates the process, known as a change root, or chroot.
A default installation of Apache drops privileges after being started; confining
it to a chroot requires extra setup. A separate infrastructure has been designed
for chroot, including the chroot program, which can wrap most services and lock
them into what is called a chroot jail. The jail restricts the process to a certain
directory: only the programs and libraries copied into that directory are visible
to it, so an attacker who takes control of the jailed process has very little to
work with. The jail can also present a trap to an attacker not bright enough to
escape it, but it is not a hard boundary: a process that still holds root
privileges inside the jail can break out of it, so a chroot only restrains a
process that has also dropped privileges.
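The start-as-root, bind, jail, then drop-privileges sequence described above, written out as an added example (this is not Apache’s code or configuration; the jail directory `/var/empty`, the target uid/gid `65534` and the function names are assumptions made for illustration):

```c
/* Added example (not Apache's code): bind a low port as root, chroot, then
 * drop privileges irrevocably, with the checks that make the drop real.
 * The jail directory and the target uid/gid are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Listen on a TCP port on the loopback address. Below 1024 this only works
 * as root (or, on Linux, with CAP_NET_BIND_SERVICE). Returns the fd or -1. */
int bind_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Confine the process to dir. chroot() itself needs root, so this must run
 * before the drop; the chdir("/") afterwards matters, because otherwise the
 * working directory stays outside the jail and can be used to walk out. */
int enter_jail(const char *dir) {
    if (chdir(dir) < 0 || chroot(dir) < 0 || chdir("/") < 0) return -1;
    return 0;
}

/* Drop to uid/gid irrevocably. Order matters: supplementary groups are
 * cleared first (only root may), the gid is set before the uid (after
 * setuid() the process can no longer change its gid), and the result is
 * verified, including that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;    /* the drop was not real */
    return 0;
}

/* Pick a target: the conventional "nobody" ids 65534 when we are root (an
 * assumption about the host), otherwise our own ids, which setuid() and
 * setgid() always permit, so the drop can be exercised unprivileged too. */
int drop_to_unprivileged(void) {
    int root = geteuid() == 0;
    return drop_privileges(root ? 65534 : getuid(), root ? 65534 : getgid());
}

int main(void) {
    int fd = bind_port(80);                   /* needs root: bind before the drop */
    if (fd < 0) perror("bind_port(80)");
    if (enter_jail("/var/empty") < 0)         /* jail directory is an assumption */
        perror("enter_jail");
    if (drop_to_unprivileged() < 0) {         /* never serve while still root */
        perror("drop_privileges");
        return 1;
    }
    printf("serving as uid %u, gid %u; regaining root %s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           setuid(0) == 0 ? "POSSIBLE (bug)" : "refused");
    if (fd >= 0) close(fd);
    return 0;
}
```

Run as root it binds port 80, jails itself and ends up as uid 65534; run as an ordinary user the bind and the chroot fail with EACCES and EPERM, but the drop to the caller’s own ids still succeeds and `setuid(0)` is refused either way. The verification inside `drop_privileges` is the part worth keeping: a process that used `seteuid()` instead of `setuid()` would pass the first checks and fail the last one, because its saved uid still lets it return to root.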
If the attacker finds himself with access to the system and bound by these limitations,
the attacker will likely attempt to gain elevated privileges on the system.
Elevation of Privileges
Of all attacks launched, elevation of privileges is among the most common. An
elevation of privileges occurs when a user gains access to resources he was not
previously authorized to use. These resources may be anything from remote access to a
system to administrative access on a host. Privilege elevation comes in various