# AT&T Arbitrary Code Execution Vulnerability

Recently, I found an interesting Remote Code Execution issue in the AT&T bug bounty program.

But before going into this, let’s understand **Arbitrary Code Execution**:

**Arbitrary Code Execution, also known as command injection,** is a technique in which a user supplies operating system commands through a web interface so that they are executed on the web server. Any web interface that does not properly sanitize its input is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
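The pattern described above, as an added example that is not from the original post or from AT&T's code: a constructed form-field value reaches a shell command line in the unsafe handler, while the hardened forms pass it as a single argument or over standard input. `HELPER`, the function names and the sample value are assumptions, since the page does not show the back end.

```python
import subprocess

# Constructed sample value: a form field carrying a shell separator and a
# harmless marker command. Not taken from the original report.
FIELD = "hunter2; echo INJECTED"

# Hypothetical stand-in for the program a server-side handler might invoke
# with the submitted field; the real back end is not shown on the page.
HELPER = "printf"


def run_unsafe(field: str) -> str:
    """Vulnerable pattern: the field is concatenated into a shell command line."""
    cmd = f"{HELPER} '%s\\n' {field}"
    # shell=True hands the whole string to /bin/sh, which parses ';' itself.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(field: str) -> str:
    """Hardened: no shell is involved; the field is exactly one argv element."""
    argv = [HELPER, "%s\n", field]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_stdin(field: str) -> str:
    """Hardened for secrets: nothing user-supplied appears on the command line."""
    if "\x00" in field or len(field) > 256:
        raise ValueError("field rejected by input validation")
    # 'cat' stands in for a helper that reads the value from standard input.
    return subprocess.run(["cat"], input=field, capture_output=True, text=True).stdout


def marker_ran(output: str) -> bool:
    """True when the marker command executed instead of being treated as data."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (run_unsafe, run_argv, run_stdin):
        out = fn(FIELD)
        print(f"{fn.__name__:10} marker_ran={marker_ran(out)} output={out!r}")
```

Passing a password over standard input also keeps it out of the process list, where command-line arguments are visible to other local users.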

The issue was reported on October 21, 2014 to the AT&T Security Team.  
Resolved on Jan 27, 2015 by AT&T.

The issue that I found was straightforward and needs no explanation. :)

I was able to execute an OS-level command on the system. Below are the step-wise screenshots of the attack.

**Step 1 - Affected Page**

![Step 1: Submit Request](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/68f313b2-6da3-4d3d-b07f-3e17e60a7f1d.png align="center")

![Step 2 Capture Request](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/fb80f7c1-5646-4f2e-aff7-e823b0f44e0b.png align="center")

![Step 3 Highlighted vulnerable parameter](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/fca56d51-4b91-4948-8e53-9eef1fcbf8ce.png align="center")

![Step 4 Modified password to execute code](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/e5cfd4cc-82b7-4ef3-a051-cadb19b7f0b8.png align="center")

![step 5 code execution successful](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/25a61b8b-b0f9-4183-a1b8-ec22765ae8b4.png align="center")

![Response from AT&T Team](https://cdn.hashnode.com/uploads/covers/610864c6b97c436d241be637/726c9469-6d16-4d75-9079-d0bb6f061960.png align="center")
