Read the original article here.

---

The Forbidden Code: Understanding Arbitrary Code Execution (ACE)

In the realm of underground programming and system manipulation, few capabilities are as powerful and sought-after as Arbitrary Code Execution (ACE). Forget the standard curriculum; ACE is about making a computer system do your bidding, running code you supply, completely outside the bounds of its intended operation. This is a cornerstone concept for anyone looking to truly understand how software can be bent to unconventional purposes, whether for security research, exploit development, or simply pushing the boundaries of what's possible.

What is Arbitrary Code Execution?

At its core, Arbitrary Code Execution gives an attacker ultimate control over a vulnerable system's execution flow.

Arbitrary Code Execution (ACE): The ability for an attacker to run any commands or code of their choosing on a target machine or within a specific target process. This means the attacker can dictate what instructions the computer processor executes, effectively taking control of the program's behavior.

Imagine a program designed to process images. An ACE vulnerability could allow someone to send a specially crafted image file that, instead of being processed normally, triggers the execution of malicious code embedded within the file or retrieved from a remote source.

Remote Code Execution (RCE)

When ACE can be achieved over a network, especially the public internet, it's given a specific designation:

Remote Code Execution (RCE or RCX): Arbitrary Code Execution triggered across a network connection. This is often considered more critical than local ACE as it allows attackers to compromise systems without physical access or prior local privileges.

RCE is the Holy Grail for many attackers because it provides a pathway to compromise systems remotely and at scale. A single RCE vulnerability in a widely used application or service can expose millions of systems to potential attack.

ACE Vulnerabilities and Exploits

How is ACE achieved? It requires a specific weakness in software or hardware.

Arbitrary Code Execution Vulnerability: A security flaw or bug in software or hardware that, if exploited, allows an attacker to achieve arbitrary code execution. These are the cracks in the system's foundation that "forbidden code" techniques leverage.

Arbitrary Code Execution Exploit: A program, script, or technique specifically designed to take advantage of an ACE vulnerability. An exploit is the how – the sequence of actions or the specially crafted input that triggers the vulnerability and leads to code execution.

The existence of ACE vulnerabilities highlights a fundamental tension in computer design, particularly in traditional architectures like the Von Neumann model.

Von Neumann Architecture: A computer architecture where instructions (code) and data are stored in the same memory space. This design, while efficient, means that malicious data can potentially be misinterpreted or manipulated to be executed as code, forming the basis for many ACE techniques.

This lack of strict separation between data and instructions is a feature that can be weaponized. Newer processor technologies include features like the No-Execute (NX) bit or Data Execution Prevention (DEP) to make this harder by marking certain memory regions as non-executable, but creative exploitation techniques often find ways around these defenses.

How is ACE Achieved? Manipulating the Instruction Pointer

The primary method for achieving arbitrary code execution is by gaining control of the program's instruction pointer.

Instruction Pointer (also known as Program Counter or PC): A register in the computer's central processing unit (CPU) that stores the memory address of the next instruction to be executed. The CPU fetches instructions from memory locations pointed to by the instruction pointer and then updates it to point to the subsequent instruction.

Normally, the instruction pointer follows a predictable path through the program's legitimate code. An ACE exploit's goal is to hijack this flow and redirect it to the attacker's code.

Here's the typical sequence:

1. Code Injection: The attacker finds a way to inject their malicious code (often called "shellcode" in exploit development) into the memory space of the vulnerable process. This is frequently done by sending the code disguised as input data (e.g., part of a network packet, a file upload, or even user input that exceeds a buffer). The injected code resides temporarily in memory regions typically designated for data, like input buffers or the program stack/heap.
2. Instruction Pointer Hijacking: The attacker exploits a vulnerability to overwrite or manipulate a pointer or return address that the program will eventually use to decide the next instruction to execute. The goal is to make this pointer or return address point to the memory location where the injected malicious code resides.
3. Execution: When the program reaches the point where it uses the manipulated pointer or return address, it jumps to the attacker's injected code and begins executing it.

This simple yet profound technique allows an attacker to detour the program's execution path from its intended function to their own malicious payload.

Common Vulnerability Types Leading to ACE

Numerous types of software flaws can open the door to arbitrary code execution. Understanding these is key to both finding vulnerabilities and defending against them.

• Memory Safety Vulnerabilities: These are among the most common pathways to ACE. They involve errors in how a program manages memory, often leading to situations where data can be written or read outside of its designated memory buffer.
  • Buffer Overflows: Writing more data into a fixed-size buffer than it can hold. This can overwrite adjacent memory, potentially including return addresses on the stack or other critical control flow data.
  • Buffer Over-reads: Reading data beyond the end of a buffer. While less directly leading to ACE than overflows, over-reads can sometimes leak sensitive information that aids in crafting an exploit, or in rare cases, read function pointers or other critical control flow data.
• Deserialization Vulnerabilities: Occur when a program deserializes (reconstructs) data from an untrusted source. If the deserialization process is not secure, the attacker can craft malicious serialized data that, when processed, causes the program to instantiate malicious objects or execute arbitrary code. Many modern applications exchange data in serialized formats (like JSON, XML, or binary formats), making this a significant attack vector.
• Type Confusion Vulnerabilities: Happen in languages with complex type systems (like C++). If a program treats an object or data structure as if it were of a different type than it actually is, method calls or data access can lead to unexpected behavior, memory corruption, or control flow hijacking.
• Specific Software/Library Vulnerabilities: Sometimes, ACE vulnerabilities are specific to how certain software or libraries are implemented or used. The mention of GNU ldd likely refers to past vulnerabilities where the dynamic linker (ldd) could be tricked into executing arbitrary code through environment variables or crafted library paths when invoked by a vulnerable application.

The Strategic Advantage: Combining ACE with Privilege Escalation

Simply executing arbitrary code on a system is powerful, but its impact is limited by the privileges of the compromised process.

Privilege Escalation: The act of gaining elevated access or permissions on a system beyond what was initially granted. This can involve moving from a standard user account to an administrator, SYSTEM, or root account, or from a less privileged process to a more privileged one (like the operating system kernel).

An ACE exploit on a web browser process, for example, might allow the attacker to steal cookies, access files the user has permission to read, or even execute other programs as that user. However, it typically wouldn't allow installing system-level malware or modifying core operating system files unless the user themselves had administrative rights and the exploit could leverage that.

To maximize control and persistence, attackers often chain an ACE exploit with a privilege escalation exploit.

1. Initial Compromise (ACE): Achieve arbitrary code execution within a low-privilege process.
2. Code Execution for Escalation: Use the ACE capability to run code that targets a separate privilege escalation vulnerability, potentially in the operating system kernel or a service running with higher privileges.
3. Elevated Control: If successful, the attacker's code now runs with SYSTEM or root privileges, granting full control over the compromised machine, making it easier to hide activities, install backdoors, and access any data.

This combination is a common pattern in advanced persistent threats (APTs) and targeted attacks, turning an initial beachhead into full system compromise.

Real-World Examples and Use Cases

Arbitrary Code Execution is not just a theoretical concept; it's a practical reality that has shaped the landscape of computer security and even niche communities.

• Retro Gaming: Perhaps unexpectedly, the speedrunning and tool-assisted superplay (TAS) communities have become masters of ACE in classic video games. By meticulously crafting button inputs and timing, they can cause buffer overflows or other memory corruption issues in old game engines. This allows them to inject and execute code, often to warp directly to the end of the game, display messages, or even run entirely different programs (like Pong or Snake) within the original game's environment. This demonstrates the fundamental nature of these vulnerabilities, existing even in simple systems, and highlights the creative ways control flow can be manipulated. A notable example is the "credit warp" in Super Mario World speedruns, which exploits a vulnerability to execute code that loads the game's credits early.
• Major Software Vulnerabilities: ACE/RCE vulnerabilities regularly make headlines.
  • 7-Zip: A widely used file archiver, has had ACE vulnerabilities discovered, meaning that simply opening a specially crafted archive file could potentially compromise a system.
  • PHP: As a popular web scripting language, PHP has been subject to numerous ACE vulnerabilities throughout its history, often related to how it handles input, deserialization, or interacts with the file system, posing a significant risk to web servers.
  • Log4Shell (Log4j): The December 2021 RCE vulnerability in the Log4j logging library was described as one of the most critical in a decade. It allowed attackers to achieve RCE on servers running Java applications that used vulnerable versions of Log4j simply by sending a specially crafted string to be logged. This affected countless services globally, including major platforms.

These examples underscore that ACE is a pervasive threat, rooted in the complexities of software development and system architecture.

Conclusion: ACE in the "Forbidden Code" Context

For those exploring the less-traveled paths of programming and system interaction, understanding Arbitrary Code Execution is indispensable. It reveals the underlying mechanics of how software executes and how control flow can be subverted. ACE is not merely a vulnerability type; it's a capability unlocked by a deep understanding of memory layout, processor architecture, programming language internals, and the specific quirks of a target system.

Mastering the concepts behind ACE – from identifying memory safety issues to understanding deserialization flaws and the critical role of the instruction pointer – provides insights into building more robust systems and creatively manipulating existing ones. While often discussed in the context of malicious hacking, the knowledge of ACE is equally vital for defensive security professionals and researchers pushing the boundaries of system control, regardless of the ethical framework. It is, truly, a fundamental piece of the "forbidden code" puzzle.