Arbitrary Code Execution (ACE) is an umbrella term referring to any situation where a cybercriminal gains the opportunity to execute their own code on another computer or within another software environment. This fairly broad attack vector includes Remote Code Execution (RCE), which specifically describes scenarios in which the attacker’s arbitrary code is executed over a distance (e.g., over a network).

How does Arbitrary Code Execution work?

Threat actors look to exploit subtle vulnerabilities in software applications, systems, and even hardware to create opportunities for ACE. Troublingly, they often do so without utilizing virus- or malware-infected files, which renders traditional antivirus software ineffective at preventing sophisticated ACE-oriented attacks.

To gain an opportunity to execute arbitrary code, an attacker must first identify suitable vulnerabilities in the system they’re targeting. Many common vulnerabilities can open the door to arbitrary code execution, such as Buffer Overflow vulnerabilities, SQL injection (SQLI) vulnerabilities, or Cross-Site Scripting (XSS) vulnerabilities among others. In exploiting any of these common vulnerabilities, an attacker’s high-level goal is to penetrate server entryways that don’t adequately validate or sanitize their inputs before submitting data to sensitive server-side workflows.

Let’s say, for example, that an attacker was able to identify a Heap-Based Buffer Overflow vulnerability in a certain version of an image rendering technology used in a target organization’s image-processing web application. This attacker could gain an opportunity for ACE by crafting a malicious image file that intentionally exceeded the byte limits dynamically allocated to heap memory buffers in the image rendering workflow. Exceeding the application’s heap memory buffer allocation could trigger a data overflow into adjacent memory buffers, overwriting the contents of those buffers with content controlled by the attacker.

The attacker could include machine code instructions in their payload designed to execute directly in the overwritten heap memory buffers once the overflow occurred, or they could possibly force these buffers to execute code from a remote location (i.e., Remote Code Execution). Either way, if the attacker’s payload was executed with the same level of permissions as the process it overwrote, they could then (arbitrarily) run any code they wanted on the target system. They could theoretically create backdoors into the target system, exfiltrate or delete sensitive data, escalate their own privileges to the highest level, or cause any number of devastating system disruptions.

To make matters worse, the attacker could avoid detection by erasing important logs or modifying system files, ensuring security teams responsible for protecting the target system lacked key details related to the attack. This could turn the compromised system into a “zombie” system capable of participating in botnet attacks.

Mitigating Arbitrary Code Execution threats with Cloudmersive

The Cloudmersive Virus Scan API provides rigorous content verification policies on top of best-in-class virus & malware protection. Deploying the Virus Scan API ahead of sensitive web applications provides a critical layer of redundancy, helping to protect sensitive server entry points from harmful, specially crafted content.

Content verification ensures that each file entering a system rigorously conforms to an expected set of criteria for that file type, and that this content does not unexpectedly contain malicious code like scripts, HTML, or JavaScript. It also ensures that disguised executables, password protected files, and unsafe archives can’t be submitted to vulnerable file processing workflows.

For more information on the Cloudmersive Virus Scan API, please do not hesitate to reach out to a member of our sales team.