Another Microsoft 365 Copilot SSRF
Vunlerablility description
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Microsoft 365 Copilot. This vulnerability occurs when an attacker creates an agent with a controlled API endpoint in the action definition. The URL provided by the attacker is not properly sanitized, allowing the attacker to use the internal IP address 169.254.169.254 as the target. This can result in the leakage of access token credentials of the virtual machine (VM) running the code.
Impact: Exploitation of this vulnerability can lead to unauthorized access to sensitive information, including machine access tokens, which can be used to gain further access to the system and potentially compromise other resources.
Steps to reproduce
Requirements:
- Install Teams Toolkit plugin in VSCode to provision the new agent.
- A Microsoft account with privileges to upload new Copilot agent
Steps:
- Step 1: Open the agent code StockTTK in VSCode. Make sure the OpenApi file appPackage\apiSpecificationFile\openapi.yaml has target 169.354.169.254 in url field.
- Step 2: Open the Teams Toolkit and start provision the agent
- Step 3: Open Microsoft 365 Copilot by go to https://m365.cloud.microsoft/chat. Remember to reload to load the new agent.
- Step 4: Open chat with the StockTTK by click it on the agents list
- Step 5: Enable developer mode -developer on
- Step 6: Ask the agent to do something like Show me the NVDA values in the 7 last days
- Step 7: Observe that the response of the SSRF attack in the detailed debug messsage. It include the requested acccess_token
POC
I’m to lazy to upload the poc so you can get the base from here (https://github.com/davrous/StockTTK) and change the value of the endpoint API.