How does 'arbitrary code' exploit a device?

We frequently hear about malware that can execute "arbitrary code." Can you explain what arbitrary code is and give some examples of it? Does this code already exist on the device or is it downloaded illicitly? Does this execution of arbitrary code enable high-level privileges, file exposure, theft, etc.?

That's a great question! When a particular vulnerability allows an attacker to execute "arbitrary code", it typically means that the bad guy can run any command on the target system the attacker chooses. This could mean that the attacker triggers code already on the box, invoking a program or DLL by exploiting the vulnerability. Alternatively, the attacker could trigger the vulnerability to load his/her own code on the box and then run it. In a sense, these two operations are really pretty much the same thing. The vulnerability lets attackers execute stuff on the box, and that's what's important. An attacker may choose to execute stuff already there if it suits their purposes or load their own attack code in their exploit and then run it. Either way, the attacker wins.

What kinds of "arbitrary code" will the attacker typically run? Well, the sky's the limit here. The attacker could get a simple directory listing by executing the "dir" command on Windows or an "ls" on Linux/Unix. That way, the bad guy can navigate and examine your file system. Alternatively, the attacker could run commands to delete files, launching a data destruction and/or denial-of-service-attack. The attacker could also steal data, downloading sensitive files. Sometimes, attackers run commands to reconfigure the system in order to open up access. They might even execute commands so that the victim machine loads a remotely accessible backdoor.

Perhaps one of the most powerful techniques the bad guys use involves loading some code onto the victim machine that binds a command shell to a TCP or UDP port listening on the network. Then, by triggering the vulnerability to execute this backdoor shell listener, the attacker has remote access to the box via a command shell. After connecting to this network listening shell, he or she can execute a series of commands remotely.

The arbitrary commands executed by the bad guy will typically run with the privileges and context of the vulnerable program. If you have a vulnerable e-mail reader, for example, the attacker can run commands as the user of that e-mail reader. If your Web server is vulnerable, the attacker gets its permissions.

Of course, attackers like to have the highest level of access possible, so they really want to find vulnerable programs that run as root on Unix, or Administrator or SYSTEM on Windows. It's even better for them to find flaws in the underlying kernel itself, because then they are running at the heart of the operating system. And, it just so happens that in the past three weeks, attackers have found flaws in both the Windows XP and Linux kernels. Ouch! Make sure you keep your systems diligently patched!

For more info on this topic, please visit these resources:

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing