RCE — attackerga masofadan turib nishon tizimda o‘zboshimcha code yoki command bajarish imkonini beradigan zaiflik yoki hujum natijasi. To‘liq nomi Remote Code Execution. RCE web server, network service, desktop application, parser, deserialization, plugin yoki operating system komponentida yuz berishi mumkin.
RCE odatda eng yuqori xavfli zaifliklardan biri hisoblanadi, chunki attacker application processi huquqlari doirasida tizimni boshqarishi mumkin.
Kirish yo‘llari
RCE quyidagi xatolar orqali paydo bo‘lishi mumkin:
- command injection;
- unsafe deserialization;
- memory corruption;
- template injection;
- upload qilingan executable;
- vulnerable plugin;
- expression language injection;
- file inclusion;
- interpreterga noto‘g‘ri input;
- supply-chain component.
RCE alohida bitta bug turi emas, yakuniy zararli capability.
Command execution
Application user inputini shell yoki system commandga xavfsiz ajratmasdan uzatsa attacker qo‘shimcha command bajarishga urinadi.
Process qaysi OS account ostida ishlasa code shu huquqni oladi.
Root yoki administrator sifatida ishlaydigan service ta’sirni keskin oshiradi.
Unsafe deserialization
Untrusted serialized object qayta tiklanganda constructor, magic method yoki gadget chain code bajarishi mumkin.
Faqat data kutilgan joyda executable object graph qabul qilinadi.
Xavfsiz format, schema va allowlist ishlatiladi.
Memory corruption
Buffer overflow, use-after-free yoki boshqa native memory xatosi attackerga instruction flow’ni boshqarish imkonini berishi mumkin.
ASLR, DEP va stack protection exploitni qiyinlashtiradi, ammo patchning o‘rnini bosmaydi.
File upload
Server upload qilingan faylni web root yoki executable pathga saqlasa attacker script yoki binary’ni ishga tushirishga urinishi mumkin.
Himoya:
- object storage;
- random nom;
- executable permission yo‘q;
- content validation;
- web rootdan tashqarida saqlash;
- image re-encoding;
- allowlist.
Template va expression
User input template yoki expression sifatida evaluate qilinsa server-side code bajarilishi mumkin.
Dynamic expression kerak bo‘lmasa evaluation ishlatilmaydi.
User yaratgan formula alohida cheklangan language va sandboxda bajariladi.
Initial accessdan keyin
RCE muvaffaqiyatli bo‘lsa attacker:
- reverse shellga o‘xshash access;
- credential theft;
- persistence;
- lateral movement;
- data exfiltration;
- ransomware;
- cryptomining
uchun keyingi bosqichlarni bajarishi mumkin.
Security monitoring faqat dastlabki requestni emas, keyingi process va network behaviorini ham kuzatadi.
Process privilege
Application minimal OS user sifatida ishlaydi.
U:
ga keraksiz access olmasligi kerak.
Least privilege RCE ta’sirini cheklaydi.
Container cheklovi
Container RCE’ni avtomatik xavfsiz qilmaydi.
Attacker container ichidagi data va credentiallarni olishi mumkin.
Privileged container, host mount yoki container runtime socket mavjud bo‘lsa hostga ta’sir ehtimoli oshadi.
Seccomp, capability va read-only filesystem yordam beradi.
Network segmentation
Compromised application ichki tarmoqdagi barcha service’ga kira olmasligi kerak.
Egress va east-west policy:
ga accessni cheklaydi.
RCEdan keyingi lateral movement qiyinlashadi.
Detection
Indikatorlar:
- web processdan shell yoki system utility ishga tushishi;
- noma’lum child process;
- outbound connection;
- yangi file;
- privilege change;
- cron yoki service yaratilishi;
- g‘ayrioddiy interpreter;
- application error va exploit pattern.
Endpoint va application loglari bir trace bilan bog‘lanadi.
Patch
Vendor fix mavjud bo‘lsa riskga qarab tez o‘rnatiladi.
Patch darhol mumkin bo‘lmasa:
- zaif feature’ni o‘chirish;
- endpointni yopish;
- WAF virtual patch;
- network allowlist;
- process isolation;
- monitoringni kuchaytirish
vaqtinchalik choralar bo‘lishi mumkin.
Incident response
RCE gumon qilinganda hostga to‘liq ishonib bo‘lmaydi.
Jarayon:
- containment;
- memory va disk dalillarini saqlash;
- initial requestni topish;
- persistence va credential accessni tekshirish;
- secretlarni rotation qilish;
- ishonchli image’dan tiklash;
- zaiflikni yopish;
- boshqa hostlarda indicator qidirish.
Faqat processni restart qilish yetarli emas.
RCE va ACE
Arbitrary Code Execution local yoki remote bo‘lishi mumkin.
RCE network yoki masofaviy input orqali yuz beradi.
Ba’zi zaifliklar authentication talab qiladi, boshqalari unauthenticated bo‘lishi mumkin.
Risk bahosida access sharti muhim.
Internet exposure
RCE zaif service internetga ochiq bo‘lsa exploit urinishlari public disclosure’dan keyin tez boshlanishi mumkin. Asset inventory qaysi instance tashqi accessga ega ekanini ko‘rsatadi. Patchdan oldin exposure’ni olib tashlash yoki allowlist vaqtinchalik riskni kamaytiradi.
Web shell
Attacker RCEdan keyin web-accessible script qoldirishi mumkin. U oddiy request orqali command bajarishga xizmat qiladi. Web rootdagi yangi yoki o‘zgargan fayllar, g‘ayrioddiy extension va child processlar tekshiriladi.
Secret rotation
Compromised hostdagi environment variable, config, mounted secret va cloud tokenlar oshkor bo‘lgan deb qaraladi. Faqat serverni qayta o‘rnatish yetarli emas; secretlar boshqa ishonchli muhitdan almashtiriladi va eski credential bekor qilinadi.
Detectiondan keyingi vaqt
RCE signali topilgan vaqt hujumning boshlanish vaqti bo‘lmasligi mumkin. Attacker oldinroq access olgan va loglarni o‘zgartirgan bo‘lishi ehtimoli bor. Tahlil credential, process va network tarixini yetarli oldingi davrgacha kengaytiradi.
Build va runtime
Compiler, template builder yoki package hook build serverda code bajarishi mumkin. RCE faqat production web requestidan kelmaydi. CI workerlar ephemeral, minimal secretli va untrusted contributiondan ajratilgan bo‘ladi.
Bog‘liq tushunchalar
Remote Code Execution, Command Injection, Unsafe deserialization, Memory corruption, File upload, Privilege escalation, Sandbox, Container security, Incident response