03 December 2020

Exploits Explained: Zero Day Remote Code Execution in File Upload Feature

Jake Garner

The first of an ongoing series of deep-dive videos into newly discovered and critical vulnerabilities. 

In the first installment of Synack’s newly launched Exploits Explained video series, we are digging deep into a zero day Remote Code Execution vulnerability that one of our Red Team researchers recently uncovered during a web application test. 

RCE vulnerabilities are unfortunately fairly common, and they are dangerous because they give attackers the ability to access servers, make changes, tamper with sensitive data and even take over other applications running on the same server.

In a live hack of the vulnerable web application, which has been scrubbed of any identifying features, we demonstrate how an intruder who discovered the flaw could gain access to the application and carry out an attack.

This exploit uses a common technique for proving code execution: the executed command's output is carried in a DNS query, so the attacker can observe it out of band. The technique is useful in many situations where an attacker cannot see the output of the commands being executed, or where the system being exploited has restricted communications to the internet.
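From the defender's side, the same property that makes DNS useful for confirming code execution (it usually leaves the network even when HTTP cannot) means the resolver logs are where the evidence lands. The following is an added example, not code from the Synack post or its video: it scans a few constructed DNS query-log lines and flags queries whose leftmost labels look like encoded data rather than hostnames, then reports clients that burst many distinct subdomains at one parent domain. The log format, client addresses, domain names and thresholds are all assumptions made up for the example, and the "last two labels are the zone" rule stands in for real public-suffix handling.

```python
"""Flag DNS queries that look like they carry command output out of band.

Added example (not from the Synack post): constructed query log, constructed
domains, assumed thresholds. Three signals are combined because none is
reliable alone: label length, label alphabet (hex / base32) and entropy, plus
a per-client burst of distinct subdomains under one parent domain.
"""
import math
import re
from collections import defaultdict

# Constructed log lines in an assumed format: "<timestamp> <client> <qname> <qtype>".
# The hex labels are made-up encoded data; "attacker-controlled.test" is a placeholder.
SAMPLE_LOG = """\
2020-12-03T10:15:01Z 10.0.0.5 www.example.com A
2020-12-03T10:15:02Z 10.0.0.5 mail.example.com MX
2020-12-03T10:15:03Z 10.0.0.9 7569643d3130303028777777292067.attacker-controlled.test A
2020-12-03T10:15:04Z 10.0.0.9 69643d3130303028777777292067726f.attacker-controlled.test A
2020-12-03T10:15:05Z 10.0.0.9 7570733d3130303028777777290a.attacker-controlled.test A
2020-12-03T10:15:06Z 10.0.0.7 cdn.static-assets.example.net AAAA
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
BASE32_RE = re.compile(r"^[a-z2-7]+$")

LONG_LABEL = 20    # assumption: ordinary hostname labels are rarely this long
ENTROPY_MIN = 3.0  # assumption: bits/char; words sit near 2-3, hex tops out at 4
BURST_MIN = 3      # assumption: distinct subdomains from one client to one parent


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype


def split_name(qname):
    """Return (data_labels, parent), treating the last two labels as the zone.

    Real deployments should use a public-suffix list here instead."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def label_indicators(label):
    """Reasons one DNS label looks like encoded data rather than a hostname."""
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("long label (%d chars)" % len(label))
        if HEX_RE.match(label):
            reasons.append("hex-only alphabet")
        elif BASE32_RE.match(label):
            reasons.append("base32-like alphabet")
    entropy = shannon_entropy(label)
    if entropy >= ENTROPY_MIN:
        reasons.append("high entropy (%.2f bits/char)" % entropy)
    return reasons


def try_decode_hex(label):
    """If a label is even-length hex that decodes to printable text, return it.

    Useful for triage: it shows what was carried out, not just that it was."""
    if HEX_RE.match(label) and len(label) % 2 == 0:
        raw = bytes.fromhex(label)
        if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            return raw.decode("ascii")
    return None


def detect(log_text):
    """Return findings (dicts) for suspicious queries and per-client bursts."""
    findings = []
    bursts = defaultdict(set)  # (client, parent) -> distinct data subdomains
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = parse_line(line)
        data_labels, parent = split_name(qname)
        reasons = []
        for label in data_labels:
            reasons.extend(label_indicators(label))
        if data_labels:
            bursts[(client, parent)].add(".".join(data_labels))
        if reasons:
            findings.append({"time": ts, "client": client, "qname": qname,
                             "reasons": reasons,
                             "decoded": try_decode_hex(data_labels[0])})
    for (client, parent), names in bursts.items():
        if len(names) >= BURST_MIN:
            findings.append({"time": None, "client": client, "qname": parent,
                             "reasons": ["%d distinct subdomains from one client" % len(names)],
                             "decoded": None})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["client"], f["qname"], "; ".join(f["reasons"]),
              repr(f["decoded"]) if f["decoded"] else "")
```

Note how the third constructed query is caught by the length and alphabet checks but not by entropy: hex built mostly from digits scores below 3 bits per character, which is why a detection that keys on entropy alone tends to miss short, digit-heavy payloads. The burst rule is the complementary signal, since a client resolving many never-before-seen names under one parent is unusual regardless of how each name looks.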

An attacker with authenticated access to the vulnerable web app who discovers the RCE will have user privilege command execution on the server that hosts the site. The criticality of the RCE vulnerability really depends on the sensitivity of the data in the application. But even if an attacker is unable to gain administrative privileges on the server, user level access often provides enough for the attacker to access the full database.

If multiple web applications are hosted on the same server, compromising one app could give an attacker access to other programs running on the same server.

It’s critical that security teams and developers stay vigilant against these types of vulnerabilities. Any feature that responds to user-supplied inputs should act on untrusted inputs only when absolutely necessary. 

This live hack demonstration makes the case that developers must assume that every input an application receives from an outside source could be untrustworthy — and design systems accordingly to defend against RCE attacks. 
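The post does not say how the upload feature in this case was exploited, so the following is an added example of the general defensive pattern it argues for rather than a fix for the specific flaw: an upload handler that treats the client-supplied filename and content as untrusted, validates both against an allowlist before doing anything with them, and stores the file under a server-generated name so that nothing from the request ever reaches a command line or a filesystem path. The allowed types, size limit and storage directory are assumptions for the example; this is not Synack's code or the tested application's.

```python
"""Hardened handling of an uploaded file (added example, not from the post).

Assumptions: a small allowlist of image/PDF types identified by magic bytes,
a 5 MiB size limit, and a storage directory chosen by the server. The
client's filename contributes nothing but a declared extension, which must
agree with the content; the stored name is random.
"""
import os
import re
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB upload limit

# Allowlist: declared extension -> magic bytes the content must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def declared_extension(filename):
    """Extension the client claims, taken from the basename only.

    Any directory components (either separator style) are discarded, so a
    traversal-looking name cannot influence where the file is written."""
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext):
        raise UploadRejected("unrecognised or missing extension")
    return ext


def validate_upload(filename, data):
    """Return the allowlisted extension if size, name and magic bytes agree."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = declared_extension(filename)
    if ext not in ALLOWED:
        raise UploadRejected("extension %r not allowed" % ext)
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared type %r" % ext)
    return ext


def rejection_reason(filename, data):
    """Convenience wrapper: the rejection message, or None if accepted."""
    try:
        validate_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(filename, data, upload_dir):
    """Validate, then write under a random server-chosen name; return the path.

    O_EXCL refuses to overwrite anything that already exists, and mode 0o600
    keeps the file from being executable or world-readable."""
    ext = validate_upload(filename, data)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    path = os.path.join(upload_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def store_roundtrip_demo():
    """Write a constructed PNG-like upload to a temp dir; return (name, intact)."""
    data = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed: header plus padding
    upload_dir = tempfile.mkdtemp()
    path = store_upload("../../elsewhere/avatar.png", data, upload_dir)
    with open(path, "rb") as fh:
        intact = fh.read() == data
    return os.path.basename(path), intact


if __name__ == "__main__":
    print(store_roundtrip_demo())
    print(rejection_reason("page.php", b"<?php echo 1;"))
    print(rejection_reason("image.png", b"<?php echo 1;"))
```

The two checks reinforce each other: a script disguised with an image extension fails the magic-byte comparison, and genuine image bytes under a script extension fail the allowlist. Anything the application later does with the file (thumbnailing, scanning, serving) should be driven by the random stored name and the validated type, never by the name the client sent.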

For another deep dive into the hacker mindset, check out Hacker Horizons – Attacker Methodology and Exploitation Demo — a step-by-step look into the seven steps of the kill chain, from Reconnaissance to Actions on Objectives.