Tenable Research has uncovered a significant Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure’s Code Editor that could allow attackers to silently hijack users’ Cloud Shell environments through a simple one-click attack.
The vulnerability, which has since been remediated by Oracle, exploited a Cross-Site Request Forgery (CSRF) weakness in the file upload mechanism, potentially enabling attackers to pivot across multiple OCI services, including Resource Manager, Functions, and Data Science platforms.
Discovery Reveals Critical Integration Weakness
The vulnerability stemmed from Oracle Code Editor’s tight integration with Cloud Shell, where both services share the same underlying file system and user session context.
Tenable researchers discovered that while Cloud Shell’s direct file upload mechanism appeared secure, the Code Editor exposed a vulnerable /file-upload endpoint that lacked proper CSRF defenses.
This endpoint, located at router.cloudshell.us-ashburn-1.oci.oraclecloud.com, accepted HTTP POST requests containing multipart/form-data payloads without adequate cross-origin protection.
The critical flaw lay in the CS-ProxyChallenge cookie configuration, which used a SameSite=None attribute.
This setting offers no protection against cross-site requests: the browser attaches the cookie to requests issued from other sites, so any malicious website could trigger the vulnerable endpoint on behalf of authenticated OCI users.
As researchers noted, this created “a perfect storm”: cross-origin POST requests were accepted, multipart/form-data was allowed, and no additional custom headers were required for authentication.
Technical Exploitation Path Demonstrated
The attack vector proved remarkably simple yet devastating. Researchers developed a proof-of-concept that demonstrated how an attacker could host a malicious HTML file containing JavaScript that would silently upload files to a victim’s Cloud Shell environment.
The exploitation process involved crafting HTTP requests that could overwrite critical system files like .bashrc:
POST /file-upload HTTP/1.1
Host: router.cloudshell.us-ashburn-1.oci.oraclecloud.com
Cookie: CS-ProxyChallenge=<base64_cookie>
Content-Type: multipart/form-data; boundary=----randomboundary

------randomboundary
Content-Disposition: form-data; name="uri"

file:///home/username/.bashrc
------randomboundary
Content-Disposition: form-data; name="file"; filename=".bashrc"
Content-Type: text/plain

<malicious shell code>
------randomboundary--
The payload could establish reverse shells, allowing attackers to execute commands and leverage the victim’s Oracle Cloud Identity for lateral movement using the OCI CLI.
Beyond Cloud Shell, the vulnerability extended to Code Editor’s integrated services, as malicious code could be injected into deployed Functions or Resource Manager workspaces, creating a multi-surface threat across OCI developer tools.
Oracle Implements CSRF Protection Fix
Oracle responded to the vulnerability disclosure by implementing additional security measures, specifically requiring a custom HTTP header, x-csrf-token, with the value csrf-value, for all relevant requests.
This mitigation strategy effectively blocks unauthorized cross-origin requests, because a browser will not send a cross-site request carrying a custom header unless the target server explicitly permits that header in a CORS preflight response.
The fix leverages the fundamental security principle that JavaScript from one origin cannot set custom headers for cross-origin requests unless explicitly enabled by the target server, thus preventing the previously exploitable CSRF behavior.
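The cookie and header rules the article relies on, as an added model that is neither Tenable’s proof of concept nor Oracle’s code: a small Python simulation of what a browser will deliver from a page on another site (cookie attachment according to the SameSite value, and the CORS preflight that any non-safelisted header such as x-csrf-token triggers), run against a pre-fix check that trusts the session cookie alone and a post-fix check that also requires the header. The host, cookie name, header name and header value are the ones the article names; the attacker origin, the placeholder cookie value, the multipart boundary and the CORS allow-list are constructed, and credentials handling in preflighted requests is simplified to “allowed whenever the origin is allowed”.

```python
"""Added illustration of the CSRF mechanism and the custom-header fix.

Not Tenable's PoC or Oracle's code: a model of the browser rules the
article relies on, with a pre-fix and a post-fix server-side check.
"""

# Host, cookie name, header name and value as named in the article.
TARGET_ORIGIN = "https://router.cloudshell.us-ashburn-1.oci.oraclecloud.com"
SESSION_COOKIE = "CS-ProxyChallenge"
CSRF_HEADER, CSRF_VALUE = "x-csrf-token", "csrf-value"

# Request headers a browser sends cross-site without a CORS preflight
# (the CORS "safelisted" set); multipart/form-data is a simple content type.
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def needs_preflight(headers):
    """True when a cross-site POST with these headers forces a CORS preflight."""
    for name, value in headers.items():
        if name.lower() not in CORS_SAFELISTED:
            return True
        if name.lower() == "content-type":
            if value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def browser_delivers(page_origin, wanted_headers, cookie_samesite,
                     cors_allowed_origins=frozenset()):
    """Model what a page at page_origin can make the browser POST to TARGET_ORIGIN.

    Returns (headers, cookies) as delivered, or None when the browser refuses.
    cors_allowed_origins stands for "the target answers the preflight allowing
    this origin, the requested headers and credentials" (a simplification).
    """
    same_site = page_origin == TARGET_ORIGIN
    cookies = {}
    # SameSite=None (with Secure): the cookie rides along on cross-site POSTs.
    # Lax: only on top-level GET navigations. Strict: never cross-site.
    if same_site or cookie_samesite.lower() == "none":
        cookies[SESSION_COOKIE] = "<constructed-session-value>"
    if same_site:
        return dict(wanted_headers), cookies
    if needs_preflight(wanted_headers) and page_origin not in cors_allowed_origins:
        return None  # preflight fails; the browser never sends the POST
    return dict(wanted_headers), cookies


def vulnerable_upload_accepted(headers, cookies):
    """Pre-fix logic as the article describes it: the session cookie is the only gate."""
    content_type = headers.get("Content-Type", "")
    return SESSION_COOKIE in cookies and content_type.startswith("multipart/form-data")


def hardened_upload_accepted(headers, cookies):
    """Post-fix logic: the custom header with the expected value is also required."""
    if not vulnerable_upload_accepted(headers, cookies):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(CSRF_HEADER) == CSRF_VALUE


MULTIPART = {"Content-Type": "multipart/form-data; boundary=----constructed"}
WITH_TOKEN = {**MULTIPART, CSRF_HEADER: CSRF_VALUE}


def cross_site_upload_accepted(attacker_page, cookie_samesite, server_check,
                               headers=MULTIPART, cors_allowed_origins=frozenset()):
    """Does a POST forged from attacker_page get past server_check?"""
    delivered = browser_delivers(attacker_page, headers, cookie_samesite,
                                 cors_allowed_origins)
    return delivered is not None and server_check(*delivered)


if __name__ == "__main__":
    evil = "https://attacker.example"  # constructed origin
    print("pre-fix,  SameSite=None  :", cross_site_upload_accepted(evil, "None", vulnerable_upload_accepted))
    print("pre-fix,  SameSite=Lax   :", cross_site_upload_accepted(evil, "Lax", vulnerable_upload_accepted))
    print("post-fix, no header      :", cross_site_upload_accepted(evil, "None", hardened_upload_accepted))
    print("post-fix, header forced  :", cross_site_upload_accepted(evil, "None", hardened_upload_accepted, WITH_TOKEN))
    print("post-fix, legit same-site:", hardened_upload_accepted(*browser_delivers(TARGET_ORIGIN, WITH_TOKEN, "None")))
    print("post-fix, CORS allows evil:", cross_site_upload_accepted(evil, "None", hardened_upload_accepted, WITH_TOKEN, {evil}))
```

The first two runs reproduce the article’s condition: with SameSite=None the forged multipart POST arrives with the session cookie and passes the pre-fix check, while Lax (or Strict) would have kept the cookie off the request on its own. The post-fix runs show why the header works: a page on another site cannot attach x-csrf-token without a preflight, and the target does not grant one. The last case is the caveat a reviewer should keep in mind: a CORS policy that reflects arbitrary origins with credentials allowed would let the header through again, so the header check and a strict CORS allow-list stand or fall together.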