Code injections occur when applications allow the dynamic execution of code instructions from untrusted data.
An attacker can influence the
behavior of the targeted application and modify it to get access to sensitive data.
What is the potential impact?
An attacker exploiting a dynamic code injection vulnerability will be able to execute arbitrary code in the context of the vulnerable
application.
The impact depends on the access control measures taken on the target system OS. In the worst-case scenario, the process that executes the code
runs with root privileges, and therefore any OS commands or programs may be affected.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Denial of service and data leaks
In this scenario, the attack aims to disrupt the organization’s activities and profit from data leaks.
An attacker could, for example:
- download the internal server’s data, most likely to sell it
- modify data, send malware
- stop services or exhaust resources (with fork bombs for example)
This threat is particularly insidious if the attacked organization does not maintain a disaster recovery plan (DRP).
Root privilege escalation and pivot
In this scenario, the attacker can do everything described in the previous section. The difference is that the attacker also manages to elevate
their privileges to an administrative level and attacks other servers.
Here, the impact depends on how much the target company focuses on its Defense In Depth. For example, the entire infrastructure can be compromised
by a combination of code injections and misconfiguration of:
- Docker or Kubernetes clusters
- cloud services
- network firewalls and routing
- OS access control
