Top 25 RCE Bug Bounty Reports
In this article, we will discuss the Remote Code Execution (RCE) vulnerability class, how to find one, and present 25 disclosed reports about this issue.
What is RCE?
RCE stands for Remote Code Execution. It is a vulnerability in which an attacker can execute malicious code or commands on a target machine. A Remote Code Execution can occur for many reasons, such as bad memory handling (buffer overflows), weak web application back-end code (for example in PHP) or deserialization issues. The exploitation goal of a Remote Code Execution is to gain local access to a specific host machine.
Types of RCE
- Blind RCE: The output of the executed command/code is not displayed in the response. A common way to validate a Blind Remote Code Execution is to execute the sleep command and check whether the application actually waits for the specified time before returning the response. A reverse shell would also prove it, but this will probably be against the bug bounty program's policy, because companies dislike someone playing inside the network/systems where their confidential data resides.
- Generic RCE: The output of the executed command/code is returned in the response. An echo or whoami command is enough to validate this type of Remote Code Execution.
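From the defender's side, the two validation styles described above leave different traces: a generic check returns command output in a fast response, while a blind check shows up as a request carrying a shell separator plus a sleep token and an unusually slow response. The following is an added example, not code from the article, that triages constructed access-log lines on exactly those two signals. The log format (client IP, quoted request line, status, server-side seconds) and the 5-second threshold are assumptions for the example.

```python
"""Triage web access logs for requests that look like RCE validation probes.

Added example (not code from the article). The log format below is an
assumption: one line per request,
    <client-ip> "<method> <request-target> HTTP/<ver>" <status> <seconds>
where <seconds> is the server-side response time.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')

# Characters that let one shell command run another; a newline is included
# because %0a is a command separator once the input reaches /bin/sh.
SHELL_META = re.compile(r"[;&|`$\n]")
SLEEP_WORD = re.compile(r"\bsleep\b")

# Assumed threshold: responses this slow, combined with a sleep token, are the
# signature of the time-based check used to confirm a blind RCE.
SLOW_SECONDS = 5.0


def decoded_values(request_target: str) -> List[str]:
    """Return the URL-decoded query-string values of a request target."""
    query = urlsplit(request_target).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def classify(line: str) -> Optional[str]:
    """Label one access-log line, or return None when it looks benign."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    _ip, _method, target, _status, seconds = match.groups()
    values = decoded_values(target)
    if not any(SHELL_META.search(v) for v in values):
        return None
    slow = float(seconds) >= SLOW_SECONDS
    if slow and any(SLEEP_WORD.search(v) for v in values):
        return "blind-rce-probe"       # output hidden, timing used as the oracle
    return "command-injection-probe"   # output may be returned (generic RCE check)


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client-ip, label) for every suspicious line."""
    hits = []
    for line in lines:
        label = classify(line)
        if label is not None:
            hits.append((line.split(" ", 1)[0], label))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /ping?host=8.8.8.8 HTTP/1.1" 200 0.120',
    '10.0.0.9 "GET /ping?host=8.8.8.8%3Bsleep+5 HTTP/1.1" 200 5.087',
    '10.0.0.9 "GET /ping?host=8.8.8.8%3Bwhoami HTTP/1.1" 200 0.131',
    '10.0.0.7 "GET /search?q=cats+and+dogs HTTP/1.1" 200 0.045',
]

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(f"{ip}: {label}")
```

The decoding step matters: the separator usually arrives percent-encoded (`%3B`), so matching on the raw request line would miss it. The timing signal is what distinguishes a blind probe from a generic one, since the blind variant never echoes output back.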
How to find an RCE in a Bug Bounty Program
There are two common situations where a Remote Code Execution can occur:
- Direct Execution: the command/code is executed directly from the user-supplied input. To find a Direct Remote Code Execution, test every user input: URL parameter values, header values and any other mechanism whose data reaches a command executed on the back-end.
- Indirect Execution: data that resides in an external source is later used to execute a command/code. To test for an Indirect Remote Code Execution, check the code or data in files that are used to execute back-end commands, the upload functions, environment variables and so on.
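The two situations above map onto two distinct back-end mistakes, shown here side by side in an added example that is not code from the article. The direct case is a request parameter spliced into a shell command string, next to the fix (an argument vector, no shell). The indirect case is an uploaded file's name reaching an image tool later: an argument vector stops shell injection there, but a name beginning with "-" would still be read as an option, so the fix is input validation plus path confinement. The `convert` invocation, the allowlist policy and the `/opt/app/uploads` directory are assumptions; the code needs a POSIX `/bin/sh` and `echo`.

```python
"""Direct and indirect command execution: the vulnerable pattern beside its fix.

Added example (not code from the article). Requires a POSIX /bin/sh and the
`echo` binary; the upload directory path is a constructed placeholder.
"""
import re
import subprocess
from pathlib import Path
from typing import List

# --- Direct execution -------------------------------------------------------

def greet_vulnerable(name: str) -> str:
    """User input spliced into a shell command string (the vulnerable pattern).

    shell=True hands the string to /bin/sh, so a ';' in `name` ends the echo
    and starts a second command chosen by whoever controls the input.
    """
    result = subprocess.run(f"echo {name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_hardened(name: str) -> str:
    """Same feature, hardened: an argument vector with no shell in between.

    The input can only ever be one literal argument to echo; metacharacters
    are printed, not interpreted.
    """
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


# --- Indirect execution -----------------------------------------------------
# The attacker-controlled data is not a request parameter but the name of an
# uploaded file that a later job passes to an image tool. An argv list stops
# shell injection, yet a filename beginning with "-" would still be read by
# the tool as an option (argument injection), and ".." would escape the upload
# directory. Assumed policy: conservative character allowlist, first character
# alphanumeric, and the resolved path confined to the upload directory.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Validate a user-supplied filename and return its confined absolute path."""
    if _SAFE_NAME.fullmatch(filename) is None:
        raise ValueError(f"rejected filename: {filename!r}")
    base = Path(upload_dir).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:       # defence in depth behind the regex
        raise ValueError("path escapes upload directory")
    return str(candidate)


def build_convert_argv(upload_dir: str, filename: str) -> List[str]:
    """Build (but do not run) the argv for a hypothetical thumbnail job."""
    src = Path(safe_upload_path(upload_dir, filename))
    dst = src.with_name(src.stem + "_thumb.png")
    # Absolute paths never start with "-", so neither can be parsed as an option.
    return ["convert", str(src), "-resize", "128x128", str(dst)]


if __name__ == "__main__":
    payload = "alice; echo INJECTED"       # constructed test input
    print("vulnerable:", repr(greet_vulnerable(payload)))
    print("hardened:  ", repr(greet_hardened(payload)))
    uploads = "/opt/app/uploads"           # placeholder directory
    print(build_convert_argv(uploads, "logo.png"))
    for bad in ("-version.png", "../secret.png"):
        try:
            safe_upload_path(uploads, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Running it prints two lines for the vulnerable function and one for the hardened one, which is the whole difference between a generic RCE and a harmless string. The allowlist regex is what actually blocks option and traversal injection; the `parents` check only guards against a future loosening of that regex.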
Top 25 RCE Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Potential pre-auth RCE on Twitter VPN
Company: Twitter
Bounty: $20,160
#2
Title: RCE on Steam Client via buffer overflow in Server Info
Company: Valve
Bounty: $18,000
#3
Title: Struct type confusion RCE
Company: Shopify
Bounty: $18,000
#4
Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
Company: Valve
Bounty: $12,500
#5
Title: Git flag injection — local file overwrite to remote code execution
Company: GitLab
Bounty: $12,000
#6
Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload
Company: SEMrush
Bounty: $10,000
#7
Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Company: Valve
Bounty: $9,000
#8
Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Company: LocalTapiola
Bounty: $6,800
#9
Title: Remote Code Execution at http://tw.corp.ubnt.com
Company: Ubiquiti Inc.
Bounty: $5,000
#10
Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability
Company: Flash (IBB)
Bounty: $5,000
#11
Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
Company: Imgur
Bounty: $5,000
#12
Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
Company: Starbucks
Bounty: $4,000
#13
Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File
Company: Mail.ru
Bounty: $4,000
#14
Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
Company: Starbucks
Bounty: $4,000
#15
Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Company: Shopify
Bounty: $3,000
#16
Title: Unchecked weapon id in WeaponList message parser on client leads to RCE
Company: Valve
Bounty: $3,000
#17
Title: Drupal 7 pre auth sql injection and remote code execution
Company: The Internet Bug Bounty Program
Bounty: $3,000
#18
Title: RCE via ssh:// URIs in multiple VCS
Company: The Internet Bug Bounty Program
Bounty: $3,000
#19
Title: Remote Code Execution on Git.imgur-dev.com
Company: Imgur
Bounty: $2,500
#20
Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]
Company: PHP (IBB)
Bounty: $1,500
#21
Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE
Company: Lob
Bounty: $1,500
#22
Title: Remote code execution using render :inline
Company: Ruby on Rails
Bounty: $1,500
#23
Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Company: Ruby on Rails
Bounty: $1,500
#24
Title: Remote code execution on rubygems.org
Company: RubyGems
Bounty: $1,500
#25
Title: WordPress SOME bug in plupload.flash.swf leading to RCE
Company: Automattic
Bounty: $1,337
Bonus: 10 Zero Dollars RCE Reports
#1 Bonus
Title: Read files on application server, leads to RCE
Company: GitLab
Bounty: $0
#2 Bonus
Title: XXE in DoD website that may lead to RCE
Company: U.S. D.o.D.
Bounty: $0
#3 Bonus
Title: Remote Code Execution (RCE) in a DoD website
Company: U.S. D.o.D.
Bounty: $0
#4 Bonus
Title: Remote Unrestricted file Creation/Deletion and Possible RCE.
Company: Twitter
Bounty: $0
#5 Bonus
Title: RCE on █████ via CVE-2017-10271
Company: U.S. D.o.D.
Bounty: $0
#6 Bonus
Title: Ability to access all user authentication tokens, leads to RCE
Company: GitLab
Bounty: $0
#7 Bonus
Title: Remote Code Execution via Extract App Plugin
Company: Nextcloud
Bounty: $0
#8 Bonus
Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Company: U.S. D.o.D.
Bounty: $0
#9 Bonus
Title: Remote Code Execution in Rocket.Chat Desktop
Company: Rocket.chat
Bounty: $0
#10 Bonus
Title: [npm-git-publish] RCE via insecure command formatting
Company: Node.js third-party modules
Bounty: $0
I hope this article was helpful and I would like to thank you for your attention!