In computer security, arbitrary code execution is an attacker's ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.
Vulnerability types
There are a number of classes of vulnerability that can lead to an attacker's ability to execute arbitrary commands or code.
Arbitrary code execution is commonly achieved through control over the instruction pointer of a running process. The instruction pointer points to the next instruction in the process that will be executed. Control over the value of the instruction pointer therefore gives control over which instruction is executed next. In order to execute arbitrary code, many exploitsinject code into the process and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed. This type of attack exploits the fact that most computers do not make a general distinction between code and data, so that malicious code can be camouflaged as harmless input data. Many newer CPUs have mechanisms to make this harder, such as a no-execute bit.
On its own, an arbitrary code execution exploit will give the attacker the same privileges as the target process that is vulnerable. For example, if exploiting a flaw in a web browser, an attacker could act as the user, performing actions such as modifying personal computer files or accessing banking information, but would not be able to perform system-level actions. To work around this, once an attacker can execute arbitrary code on a target, there is often an attempt at a privilege escalation exploit in order to gain additional control. This may involve the kernel itself or an account such as Administrator, SYSTEM, or root. With or without this enhanced control, exploits have the potential to do severe damage or turn the computer into a zombie—but privilege escalation helps with hiding the attack from the legitimate administrator of the system. Combining exploits in this way is called an exploit chain. An arbitrary remote code execution with privilege escalation vulnerability in widely deployed software is considered to be the most severe class of computer vulnerability.
Examples
hobbyists have managed to find vulnerabilities in classic video games that allow them to execute arbitrary code, usually using a precise sequence of button inputs in order to cause a buffer overflow, allowing them to write to protected memory. At Awesome Games Done Quick 2014, a group of speedrunning enthusiasts managed to code and run versions of the games Pong and Snake in a copy of Super Mario World by utilizing a buffer overflow to write arbitrary code to memory. On June 12, 2018, security researcher Jean-Yves Avenard of Mozilla discovered an ACE vulnerability in Windows 10. On May 1, 2018, a security researcher discovered an ACE vulnerability in the 7-Zipfile archiver. PHP has been the subject of numerous ACE vulnerabilities.