Synopsis
Tenable Research discovered a Remote Code Execution (RCE) vulnerability (now remediated) in Oracle Cloud Infrastructure’s (OCI) Code Editor, a service designed for developers working within Oracle’s Cloud Shell ecosystem. By chaining together subtle misconfigurations, we demonstrated how an attacker could, with a single click by the victim, silently hijack the victim’s Cloud Shell environment and potentially pivot across OCI services. Attackers could also abuse the vulnerability against Code Editor’s integrated services such as Resource Manager, Functions and Data Science.
The vulnerability is exploited through CSRF (cross-site request forgery) against the Cloud Shell router domain. By abusing it, an attacker can upload new files to, or overwrite existing files in, the victim’s Cloud Shell with a malicious payload and thereby take over the victim’s session.
Attack details:
- The router’s file-upload endpoint authenticates with cookies alone, and the “CS-ProxyChallenge” cookie’s SameSite attribute is set to None under the router.cloudshell.us-ashburn-1.oci.oraclecloud.com domain. SameSite is a browser cookie attribute introduced in 2016 (specified in the RFC 6265bis drafts); Chromium-based browsers treat a cookie that omits the attribute as Lax. Its purpose is to limit the cookies a browser attaches to cross-site requests, which is exactly what cross-site request forgery (CSRF) relies on. A value of None instructs the browser to attach the cookie to every cross-site request (the cookie must also be marked Secure), so it provides no CSRF protection at all.
- The upload uses the multipart/form-data content type, one of the three content types (with application/x-www-form-urlencoded and text/plain) that a browser will send cross-origin without a CORS preflight.
- The request is an HTTP POST, a method browsers likewise send cross-origin without a preflight, and it requires no custom headers.
- Because the request satisfies every condition for a “simple” cross-origin request and the endpoint has no other CSRF defense, an attacker’s web page can issue it with the victim’s cookies attached and upload arbitrary files to the victim’s Cloud Shell.
Steps to reproduce:
- Host a web server under your control
- Create a malicious HTML file whose JavaScript sends a multipart upload request to the vulnerable file-upload endpoint (see our example code below)
- The authenticated victim navigates to the hosted payload and then continues to use Oracle’s Cloud Shell as usual
- The uploaded .bashrc runs on every shell initialization, so your code executes in the victim’s Cloud Shell
- Optional: use the OCI CLI with the OCI identity associated with the Cloud Shell to move laterally to other cloud services
POC code:
We are publishing this report ahead of Oracle’s scheduled July CPU because we have observed, and confirmed with Oracle, that the issue is fixed.
Solution
In response to this discovery, Oracle Cloud fixed the vulnerability by requiring the upload request to carry a custom header, x-csrf-token: csrf-value. A custom header cannot be set by an HTML form and forces a CORS preflight on fetch/XHR requests, so a cross-site page can no longer deliver the upload with the victim’s cookies attached.
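The attack details above and the custom-header fix can both be checked against the rules browsers actually apply. The following is an added example, not code from Tenable’s advisory or from Oracle: it encodes the CORS “simple request” rules and the SameSite cookie rules as Chromium applies them, then evaluates the original upload request, the same request with the x-csrf-token header, and the same request with a SameSite=Lax cookie. The upload path, the multipart boundary and the cookie flags are assumptions; the advisory does not publish them.

```javascript
// Added example (not Tenable's or Oracle's code). Models the two browser
// rules that together decide whether a hostile page can forge a request
// that carries the victim's cookies, then applies them to the Cloud Shell
// upload described in the advisory and to Oracle's fix.

// Methods and Content-Types a browser sends cross-origin with no CORS
// preflight ("simple requests"); an HTML <form> can produce exactly these.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Request headers a page may set cross-origin without triggering a preflight.
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// True when the request can be fired cross-origin with no preflight, so the
// server never gets a chance to refuse the origin before the body arrives.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  for (const name of Object.keys(req.headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false; // custom header => preflight
    if (lower === 'content-type') {
      // Strip parameters such as "; boundary=..." before comparing.
      const mediaType = req.headers[name].split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
    }
  }
  return true;
}

// True when Chromium attaches the cookie to a request initiated by another site.
function cookieAttachedCrossSite(cookie, req) {
  const mode = (cookie.sameSite || 'Lax').toLowerCase(); // Chromium default when unset
  switch (mode) {
    case 'none':
      // SameSite=None is honoured only on Secure cookies; otherwise rejected.
      return cookie.secure === true;
    case 'lax':
      // Lax sends the cookie only on top-level navigations with a safe method,
      // never on a cross-site POST.
      return req.topLevelNavigation === true &&
        ['GET', 'HEAD'].includes(req.method.toUpperCase());
    default: // strict
      return false;
  }
}

// A request is forgeable when both rules fall the attacker's way.
function isCsrfForgeable(req, cookie) {
  return isSimpleRequest(req) && cookieAttachedCrossSite(cookie, req);
}

// Constructed approximations of the requests in the advisory. The path and
// boundary are assumptions; only the host and cookie name come from the text.
const sessionCookie = { name: 'CS-ProxyChallenge', sameSite: 'None', secure: true };

const originalUpload = {
  method: 'POST',
  url: 'https://router.cloudshell.us-ashburn-1.oci.oraclecloud.com/<upload-endpoint>',
  topLevelNavigation: false, // sent by fetch()/XHR from the attacker's page
  headers: { 'Content-Type': 'multipart/form-data; boundary=----assumed' },
};

// Oracle's fix: the same request must now carry a custom header.
const fixedUpload = {
  ...originalUpload,
  headers: { ...originalUpload.headers, 'x-csrf-token': 'csrf-value' },
};

// Alternative defence: same endpoint, but the cookie is SameSite=Lax.
const laxCookie = { ...sessionCookie, sameSite: 'Lax' };

function demo() {
  return {
    original: isCsrfForgeable(originalUpload, sessionCookie),      // true
    withCustomHeader: isCsrfForgeable(fixedUpload, sessionCookie), // false: preflight
    withLaxCookie: isCsrfForgeable(originalUpload, laxCookie),     // false: no cookie
  };
}

console.log(demo());
```

Run it with node. The fix works because a browser refuses to send a non-safelisted header cross-origin until a preflight succeeds, and the router does not grant that origin. One caveat a reviewer would raise: this defense collapses if the endpoint’s CORS policy ever reflects arbitrary origins and allows x-csrf-token, which is why setting the session cookie to SameSite=Lax (the third case above) is worth having as an independent layer.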
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]