A critical Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure’s (OCI) Code Editor enabled attackers to silently hijack users’ Cloud Shell environments through a single malicious webpage visit.
The flaw, now remediated by Oracle, stemmed from a Cross-Site Request Forgery (CSRF) weakness that allowed unauthorized file uploads to victims’ cloud environments, potentially compromising integrated services including Resource Manager, Functions, and Data Science platforms.
The vulnerability emerged from Code Editor’s tight integration with OCI’s Cloud Shell environment, where both services share the same underlying file system and user session context.
Researchers initially focused on Cloud Shell’s security posture but discovered that Code Editor introduced additional attack surfaces through its browser-based interface.
Unlike Cloud Shell’s secure upload process, Code Editor exposed a vulnerable /file-upload endpoint that lacked proper CSRF defenses.
The critical vulnerability centered on the Cloud Shell router (router.cloudshell.us-ashburn-1.oci.oraclecloud.com), which accepts HTTP POST requests containing multipart/form-data payloads for file operations.
Researchers identified that the CS-ProxyChallenge authentication cookie was configured with a SameSite=None attribute, providing no protection against cross-site requests.
This configuration created a perfect storm where any website could trigger the endpoint on behalf of authenticated users without additional security headers or custom authentication requirements.
The exploitation path demonstrated how attackers could achieve remote code execution through seemingly innocent web interactions.
Francisco J. Alvarez Rabanal, Cloud Platform Solution Architect at Oracle, showed the functionality in a LinkedIn post when the capability was announced in 2022.
The attack sequence involved hosting a malicious HTML file containing JavaScript that automatically sends POST requests to the vulnerable endpoint when visited by authenticated OCI users.
The malicious payload could overwrite critical system files like .bashrc, establishing persistent access to the victim’s Cloud Shell environment.
The proof-of-concept attack showcased uploading malicious shell code that executed when victims next initialized Cloud Shell, providing attackers with interactive access to execute commands and leverage the victim’s Oracle Cloud Identity for lateral movement using the OCI CLI.
The shared file system architecture meant that compromised files immediately became accessible across all integrated services, creating a chain reaction where attackers could potentially tamper with Resource Manager workspaces, deployed Functions, or Data Science environments.
In response to Tenable’s disclosure, Oracle addressed the vulnerability by implementing mandatory custom HTTP headers for all relevant requests.
The remediation requires all requests to include an x-csrf-token header with the value csrf-value, effectively blocking unauthorized cross-origin requests that cannot include custom headers without proper CORS configuration.
This mitigation strategy leverages browsers’ default security behavior: a cross-origin request that carries a non-standard header triggers a CORS preflight, so JavaScript on another origin cannot attach that header unless the target server explicitly permits it.
The requirement ensures that only properly authenticated requests generated from within the Oracle Cloud environment are accepted, preventing the previously exploitable CSRF behavior.
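To make the weak configuration and the fix concrete, here is an added example (not Oracle’s or Tenable’s code) that models the upload endpoint’s request gate before and after the change described above. The endpoint path, cookie name, header name and header value are the ones quoted in this article; the allowed origin and the request objects are constructed stand-ins, and the CORS preflight policy is an assumed illustration of why a custom-header requirement works.

```javascript
// Added example, not Oracle's or Tenable's code: a request gate for a multipart
// upload endpoint, modelled on the weakness and the fix the article describes.
// Path, cookie name, header name and header value come from the article; the
// allowed origin and the request objects below are constructed placeholders.

const AUTH_COOKIE = 'CS-ProxyChallenge';
const CSRF_HEADER = 'x-csrf-token';
const CSRF_VALUE = 'csrf-value';
const ALLOWED_ORIGIN = 'https://console.example.invalid'; // assumption

// Parse a Cookie request header into a name -> value map.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalise(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  return { ...req, headers };
}

// Pre-fix behaviour: the endpoint trusted the session cookie alone. A browser
// attaches a SameSite=None cookie to a cross-site form POST, so any page the
// logged-in user visits can satisfy this check.
function legacyGate(rawReq) {
  const req = normalise(rawReq);
  const cookies = parseCookies(req.headers.cookie);
  if (!cookies[AUTH_COOKIE]) return { allowed: false, reason: 'no session cookie' };
  return { allowed: true, reason: 'cookie present' };
}

// Post-fix behaviour: besides the cookie, require the custom header. A cross-site
// <form> cannot set custom headers at all, and a cross-origin fetch() carrying one
// triggers a CORS preflight that this server only approves for its own origin.
function hardenedGate(rawReq) {
  const req = normalise(rawReq);
  const cookies = parseCookies(req.headers.cookie);
  if (!cookies[AUTH_COOKIE]) return { allowed: false, reason: 'no session cookie' };
  if (req.headers[CSRF_HEADER] !== CSRF_VALUE) {
    return { allowed: false, reason: `missing or wrong ${CSRF_HEADER} header` };
  }
  return { allowed: true, reason: 'cookie and csrf header present' };
}

// Assumed preflight policy: grant the custom header only to the service's own
// origin, so a foreign page can never earn the right to send it.
function preflight(rawReq) {
  const req = normalise(rawReq);
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (req.headers.origin !== ALLOWED_ORIGIN) return { status: 403, allowHeaders: [] };
  return { status: 204, allowHeaders: requested.filter(h => h === CSRF_HEADER) };
}

// Audit a Set-Cookie line: a session cookie with SameSite=None is sent on
// cross-site requests, which is exactly what made the cookie-only gate forgeable.
function auditSetCookie(setCookie) {
  const attrs = setCookie.split(';').map(s => s.trim().toLowerCase());
  const name = setCookie.split('=')[0].trim();
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  const value = sameSite ? sameSite.slice('samesite='.length) : 'lax (browser default)';
  return { name, sameSite: value, weak: value === 'none' };
}

// Constructed requests: what a browser sends when a foreign page auto-submits a
// multipart form to /file-upload, and the console's own upload call after the fix.
const crossSiteForm = {
  method: 'POST', path: '/file-upload',
  headers: {
    'Content-Type': 'multipart/form-data; boundary=----constructed',
    'Cookie': `${AUTH_COOKIE}=session-token-placeholder`,
    'Origin': 'https://attacker.example.invalid',
  },
};
const sameOriginFetch = {
  method: 'POST', path: '/file-upload',
  headers: { ...crossSiteForm.headers, 'Origin': ALLOWED_ORIGIN, 'X-CSRF-Token': CSRF_VALUE },
};

console.log('legacy, cross-site   :', legacyGate(crossSiteForm));
console.log('hardened, cross-site :', hardenedGate(crossSiteForm));
console.log('hardened, same-origin:', hardenedGate(sameOriginFetch));
console.log('cookie audit         :', auditSetCookie(`${AUTH_COOKIE}=abc; Secure; SameSite=None`));
```

Running the block under Node shows the legacy gate accepting the cross-site multipart POST on the strength of the cookie alone, the hardened gate rejecting the same request, and the same-origin call with the header passing. The `auditSetCookie` helper is the kind of check worth adding to a release pipeline: any authentication cookie issued with SameSite=None should be paired with a header- or token-based CSRF control like the one shown.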
The vulnerability highlights the security implications of cloud service integrations, where seemingly isolated environments can introduce unexpected attack vectors.
As cloud platforms continue expanding integrated development environments, this incident underscores the importance of comprehensive security assessments that consider the full ecosystem of interconnected services rather than individual components in isolation.