Jake Charman

Resident Geek of Nitrous Junkie Racing



What Remote Code Execution Is And Why You Should Care…

Mon 29 Aug 2016


You may remember a while ago in Windows, a bug was discovered that dated all the way back to the days of Windows 9x and even 1.x, concerning a hole in the SAM database that allowed remote code execution with elevated privileges.

Many people I spoke to about this replied with the same thing, something along the lines of “it can’t be that bad, nobody’s noticed it over the years”. But remote code execution is very serious, more so than many realise.
I’m going to explain this using Linux; I tried with Windows but there’s no real way to visualise it, so it all gets a touch confusing. My distro of choice is Debian, so the commands I use will be Debian ones, sorry Arch fans.
Remote code execution alone is bad, but elevated privileges are the real issue here.
rm -rf /* 
Anyone who’s been near Linux should recognise that line; it basically means erase the entire computer and don’t question it.
If a bug such as the one in Windows were present in the Linux kernel, it would be possible for anyone smart enough to gain access to run this command. However, the system will try to protect itself and will refuse to carry out the command, since delete permission on / is reserved for root, the superuser in Linux, comparable to the built-in Administrator account in Windows. However, the Windows bug allowed elevation, meaning that instead of
user@buggylinux:/$ rm -rf /*
Permission denied.
user@buggylinux:/$
Our new scenario would be 
root@buggylinux:/$ rm -rf /*
root@buggylinux:/$
And the entire system has now been erased. If the attacker was feeling particularly evil, he or she could also run
shutdown -r 
to give the user no chance of recovery.

Now, obviously, if you’re using Linux the likelihood is that you understand this, but what about the average Windows user?

The fact is that most Windows users probably didn’t even hear of the issue (since they weren’t around TechNet and other IT pro sites at the time) and just saw yet another annoying software update to dismiss. Not to mention the many users (including myself) who are still running older versions of Windows such as 9x and XP. In fact, this list is a long one:

1.0
3.0
3.1
95
95 IE
95 Plus
98
98 Lite
98 SE
98 Plus
2000
2000 ME
XP
XP SP1
XP SP2
XP SP3
Vista
Vista SP1

Plus some more that I’ve doubtless missed.

None of these are going to get an update at all unless their owners buy a new edition of Windows or hack the registry of their current install, leaving many users unaware that their computers may well be accessed by an attacker using the bug that allows remote code execution with elevated privileges.

So, in short, if you’re not bored already: these bugs allow someone to run code unnoticed on a PC with full privileges and without the user’s permission, possibly allowing keylogging, data encryption, botnets and thousands of other rather nasty things.