Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes
Elad Gabay - Wiz.ioPosted 3 Years Ago- Oracle Cloud Infrastructure (OCI) is a similar service to AWS, being a cloud computing provider. Isolated components from other clients is immensely important for security.
- The AWS EC2 equivalent is the OCI compute instance. This is simply a server that is span up to perform operations that the user wants.
- When using a compute instance, you can attach volumes, or disks. The vulnerability is that the volume attachment did not validate that the user had access to it. In particular, this could be done cross account in order to steal sensitive information or modify the volume to escalate privileges.
- To exploit this, an attacker would need to know the OCID of the target volume, which could be brute forced, guessed or found on the internet. It's unreal that these trivial bugs exist on a cloud platform in use today. Personally, these types of issues are unacceptable from a security standpoint, which is why my website is hosted on AWS.
