Severity
Medium
Analysis Summary
A recently discovered critical Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor allowed attackers to hijack a victim's Cloud Shell environment with a single click. The flaw stemmed from the tight integration between Code Editor and Cloud Shell, which share the same file system and user session. While this integration was meant to enhance the developer experience, it also introduced a significant attack surface: the Code Editor's /file-upload endpoint accepted file uploads without Cross-Site Request Forgery (CSRF) protection.
Security researchers identified the vulnerability after questioning whether Code Editor's file upload mechanism could be exploited by attackers in the same way developers use it. Their findings revealed that the /file-upload endpoint did not implement CSRF defenses, unlike the properly secured upload method in Cloud Shell. The root of the issue was a router component (router.cloudshell.us-ashburn-1.oci.oraclecloud.com) that accepted HTTP POST requests with multipart/form-data payloads while using a CS-ProxyChallenge cookie with the insecure SameSite=None attribute. This allowed cross-origin requests from authenticated users to be processed without restriction.
The exploitation process was alarmingly simple. Attackers could craft malicious HTML pages that, when visited by a logged-in OCI user, would automatically upload malicious files to the user's Cloud Shell without consent or awareness. In practice, this enabled attackers to overwrite key configuration files like .bashrc to initiate reverse shells, effectively giving them interactive access to the victim’s Cloud Shell. From there, attackers could leverage the victim’s OCI credentials through the CLI for lateral movement, affecting other services like Resource Manager, Functions, and Data Science services, all sharing the same underlying file system.
Oracle has since remediated the vulnerability by requiring a custom HTTP header (x-csrf-token: csrf-value) in all relevant requests, a measure that browsers cannot send in cross-origin requests without appropriate CORS permissions. This effectively blocks unauthorized CSRF attempts. However, the incident underscores a broader challenge in cloud security: deeply integrated services, while beneficial for usability, can inadvertently create expansive attack surfaces. It serves as a cautionary example for all cloud providers on the importance of isolating sensitive operations and rigorously enforcing cross-origin security controls.
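The header-based fix works because a plain cross-site form post cannot carry custom headers, and a script that adds one triggers a CORS preflight that the server only grants to allow-listed origins. The following added example (not Oracle's code) contrasts the pre-fix acceptance logic described above with a hardened check; the origin allow-list and session token are constructed placeholders, and binding the header value to a per-session token is a stronger variant than the static `csrf-value` the advisory quotes.

```python
import hmac
from typing import Mapping

CSRF_HEADER = "x-csrf-token"
# Placeholder allow-list: the origins a real deployment would permit via CORS.
ALLOWED_ORIGINS = {"https://console.example"}


def _norm(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def vulnerable_accepts_upload(method: str, headers: Mapping[str, str], session_cookie_sent: bool) -> bool:
    """Pre-fix logic as the advisory describes it: any session-bearing multipart POST is accepted.
    With a SameSite=None session cookie the browser attaches it to a cross-site form post too."""
    h = _norm(headers)
    return (method == "POST" and session_cookie_sent
            and h.get("content-type", "").startswith("multipart/form-data"))


def hardened_accepts_upload(method: str, headers: Mapping[str, str],
                            session_cookie_sent: bool, expected_token: str) -> bool:
    """Post-fix logic: additionally require the custom CSRF header from an allowed origin.
    The Origin check models what a CORS preflight rejection enforces for scripted requests."""
    if not vulnerable_accepts_upload(method, headers, session_cookie_sent):
        return False
    h = _norm(headers)
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    token = h.get(CSRF_HEADER)
    return token is not None and hmac.compare_digest(token, expected_token)


# Constructed sample requests, not captured traffic.
SESSION_TOKEN = "constructed-token-123"
FORGED = {"content-type": "multipart/form-data; boundary=x", "origin": "https://attacker.example"}
LEGIT = {"Content-Type": "multipart/form-data; boundary=y", "Origin": "https://console.example",
         "X-CSRF-Token": SESSION_TOKEN}
STALE = dict(LEGIT, **{"X-CSRF-Token": "constructed-old-token"})


def evaluate() -> dict:
    """Outcome of each sample request under the pre-fix and post-fix checks."""
    return {
        "forged_before_fix": vulnerable_accepts_upload("POST", FORGED, True),
        "forged_after_fix": hardened_accepts_upload("POST", FORGED, True, SESSION_TOKEN),
        "legit_after_fix": hardened_accepts_upload("POST", LEGIT, True, SESSION_TOKEN),
        "stale_token_after_fix": hardened_accepts_upload("POST", STALE, True, SESSION_TOKEN),
    }


if __name__ == "__main__":
    for name, accepted in evaluate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```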
Impact
- Remote Code Execution
- Unauthorized Access
Remediation
- Oracle added mandatory CSRF protection by enforcing the use of a custom HTTP header x-csrf-token: csrf-value for all file upload requests.
- The new CSRF token mechanism prevents browsers from sending cross-origin requests unless explicitly allowed, mitigating silent file uploads.
- The vulnerability in the /file-upload endpoint was patched to block unauthorized access from third-party sites.
- Oracle reviewed and hardened the integration between Code Editor and Cloud Shell to prevent shared session abuse.
- Security improvements were extended across all integrated services (Resource Manager, Functions, Data Science) to ensure consistent protection.
- Developers and users are encouraged to audit their .bashrc or other startup configuration files for unauthorized modifications.
- Organizations should monitor Cloud Shell activity and review recent file uploads for potential exploitation prior to the patch.
- Customers are advised to apply least privilege principles and rotate any compromised credentials as a precaution.