Bosh sahifa Wiki RCE

RCE

RCE — attackerga masofadan turib nishon tizimda o‘zboshimcha code yoki command bajarish imkonini beradigan zaiflik yoki hujum natijasi. To‘liq nomi Remote Code Execution. RCE web server, network service, desktop application, parser, deserialization, plugin yoki operating system komponentida yuz berishi mumkin.

RCE odatda eng yuqori xavfli zaifliklardan biri hisoblanadi, chunki attacker application processi huquqlari doirasida tizimni boshqarishi mumkin.

Kirish yo‘llari

RCE quyidagi xatolar orqali paydo bo‘lishi mumkin:

RCE alohida bitta bug turi emas, yakuniy zararli capability.

Command execution

Application user inputini shell yoki system commandga xavfsiz ajratmasdan uzatsa attacker qo‘shimcha command bajarishga urinadi.

Process qaysi OS account ostida ishlasa code shu huquqni oladi.

Root yoki administrator sifatida ishlaydigan service ta’sirni keskin oshiradi.

Unsafe deserialization

Untrusted serialized object qayta tiklanganda constructor, magic method yoki gadget chain code bajarishi mumkin.

Faqat data kutilgan joyda executable object graph qabul qilinadi.

Xavfsiz format, schema va allowlist ishlatiladi.

Memory corruption

Buffer overflow, use-after-free yoki boshqa native memory xatosi attackerga instruction flow’ni boshqarish imkonini berishi mumkin.

ASLR, DEP va stack protection exploitni qiyinlashtiradi, ammo patchning o‘rnini bosmaydi.

File upload

Server upload qilingan faylni web root yoki executable pathga saqlasa attacker script yoki binary’ni ishga tushirishga urinishi mumkin.

Himoya:

Template va expression

User input template yoki expression sifatida evaluate qilinsa server-side code bajarilishi mumkin.

Dynamic expression kerak bo‘lmasa evaluation ishlatilmaydi.

User yaratgan formula alohida cheklangan language va sandboxda bajariladi.

Initial accessdan keyin

RCE muvaffaqiyatli bo‘lsa attacker:

  • reverse shellga o‘xshash access;
  • credential theft;
  • persistence;
  • lateral movement;
  • data exfiltration;
  • ransomware;
  • cryptomining

uchun keyingi bosqichlarni bajarishi mumkin.

Security monitoring faqat dastlabki requestni emas, keyingi process va network behaviorini ham kuzatadi.

Process privilege

Application minimal OS user sifatida ishlaydi.

U:

ga keraksiz access olmasligi kerak.

Least privilege RCE ta’sirini cheklaydi.

Container cheklovi

Container RCE’ni avtomatik xavfsiz qilmaydi.

Attacker container ichidagi data va credentiallarni olishi mumkin.

Privileged container, host mount yoki container runtime socket mavjud bo‘lsa hostga ta’sir ehtimoli oshadi.

Seccomp, capability va read-only filesystem yordam beradi.

Network segmentation

Compromised application ichki tarmoqdagi barcha service’ga kira olmasligi kerak.

Egress va east-west policy:

ga accessni cheklaydi.

RCEdan keyingi lateral movement qiyinlashadi.

Detection

Indikatorlar:

  • web processdan shell yoki system utility ishga tushishi;
  • noma’lum child process;
  • outbound connection;
  • yangi file;
  • privilege change;
  • cron yoki service yaratilishi;
  • g‘ayrioddiy interpreter;
  • application error va exploit pattern.

Endpoint va application loglari bir trace bilan bog‘lanadi.

Patch

Vendor fix mavjud bo‘lsa riskga qarab tez o‘rnatiladi.

Patch darhol mumkin bo‘lmasa:

vaqtinchalik choralar bo‘lishi mumkin.

Incident response

RCE gumon qilinganda hostga to‘liq ishonib bo‘lmaydi.

Jarayon:

  1. containment;
  2. memory va disk dalillarini saqlash;
  3. initial requestni topish;
  4. persistence va credential accessni tekshirish;
  5. secretlarni rotation qilish;
  6. ishonchli image’dan tiklash;
  7. zaiflikni yopish;
  8. boshqa hostlarda indicator qidirish.

Faqat processni restart qilish yetarli emas.

RCE va ACE

Arbitrary Code Execution local yoki remote bo‘lishi mumkin.

RCE network yoki masofaviy input orqali yuz beradi.

Ba’zi zaifliklar authentication talab qiladi, boshqalari unauthenticated bo‘lishi mumkin.

Risk bahosida access sharti muhim.

Internet exposure

RCE zaif service internetga ochiq bo‘lsa exploit urinishlari public disclosure’dan keyin tez boshlanishi mumkin. Asset inventory qaysi instance tashqi accessga ega ekanini ko‘rsatadi. Patchdan oldin exposure’ni olib tashlash yoki allowlist vaqtinchalik riskni kamaytiradi.

Web shell

Attacker RCEdan keyin web-accessible script qoldirishi mumkin. U oddiy request orqali command bajarishga xizmat qiladi. Web rootdagi yangi yoki o‘zgargan fayllar, g‘ayrioddiy extension va child processlar tekshiriladi.

Secret rotation

Compromised hostdagi environment variable, config, mounted secret va cloud tokenlar oshkor bo‘lgan deb qaraladi. Faqat serverni qayta o‘rnatish yetarli emas; secretlar boshqa ishonchli muhitdan almashtiriladi va eski credential bekor qilinadi.

Detectiondan keyingi vaqt

RCE signali topilgan vaqt hujumning boshlanish vaqti bo‘lmasligi mumkin. Attacker oldinroq access olgan va loglarni o‘zgartirgan bo‘lishi ehtimoli bor. Tahlil credential, process va network tarixini yetarli oldingi davrgacha kengaytiradi.

Build va runtime

Compiler, template builder yoki package hook build serverda code bajarishi mumkin. RCE faqat production web requestidan kelmaydi. CI workerlar ephemeral, minimal secretli va untrusted contributiondan ajratilgan bo‘ladi.

Bog‘liq tushunchalar

Remote Code Execution, Command Injection, Unsafe deserialization, Memory corruption, File upload, Privilege escalation, Sandbox, Container security, Incident response