Vulnerability in Microsoft SharePoint Connector on Power Platform
Disclosed Details
Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform. This vulnerability, if successfully exploited, could allow threat actors to harvest a user’s credentials and stage follow-on attacks.
Impact of the Vulnerability
The vulnerability is an instance of server-side request forgery (SSRF) stemming from the use of the "custom value" functionality within the SharePoint connector that permits an attacker to insert their own URLs as part of a flow. This allows the attacker to send requests to the SharePoint API on behalf of the impersonated user, enabling unauthorized access to sensitive data.
Exploitation of the Vulnerability
The vulnerability can be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, which significantly broadens the scope of potential damage. The attacker needs to have an Environment Maker role and the Basic User role in Power Platform to exploit the vulnerability. This also means that they would need to first gain access to a target organization through other means and acquire these roles.
Attack Scenario
In a hypothetical attack scenario, a threat actor could create a flow for a SharePoint action and share it with a low-privileged user (that is, the victim), resulting in a leak of the victim's SharePoint JWT access token. Armed with this captured token, the attacker could send requests outside of the Power Platform on behalf of the user with whom the flow was shared.
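A defender-side check for the flow misuse described above, added here as an example and not code from the original article or from Microsoft: it scans an exported Power Automate flow definition for SharePoint connector actions whose site address (the "custom value") points outside the tenant's own SharePoint domains, which is the shape a flow built to redirect the connector call would take. The JSON layout follows the Logic Apps workflow format; the `dataset` parameter name, the `shared_sharepointonline` connection name prefix and the sample domains are assumptions and should be checked against your own exports.

```python
import json
from urllib.parse import urlparse

# Constructed sample flow export: one legitimate SharePoint action and one whose
# custom site value would send the connector call (and the user's token) to a foreign host.
# JSON shape follows the Logic Apps workflow format; the 'dataset' parameter name for the
# site address is an assumption, check it against your own exports.
SAMPLE_FLOW = json.dumps({"properties": {"definition": {"actions": {
    "Get_items": {"type": "OpenApiConnection", "inputs": {
        "host": {"connectionName": "shared_sharepointonline", "operationId": "GetItems"},
        "parameters": {"dataset": "https://contoso.sharepoint.com/sites/hr", "table": "Employees"}}},
    "Get_items_2": {"type": "OpenApiConnection", "inputs": {
        "host": {"connectionName": "shared_sharepointonline", "operationId": "GetItems"},
        "parameters": {"dataset": "https://collector.example.net/sp", "table": "Employees"}}},
    "Compose": {"type": "Compose", "inputs": "hello"},
}}}})

ALLOWED_SUFFIXES = ("contoso.sharepoint.com",)  # constructed: the tenant's own SharePoint domain(s)


def is_allowed_host(url, allowed=ALLOWED_SUFFIXES):
    """True if the URL's host is one of the allowed SharePoint domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_foreign_sharepoint_targets(flow_json, allowed=ALLOWED_SUFFIXES):
    """Return (action name, site URL) for SharePoint connector actions aimed outside the tenant."""
    actions = json.loads(flow_json)["properties"]["definition"].get("actions", {})
    findings = []
    for name, action in actions.items():
        inputs = action.get("inputs")
        if not isinstance(inputs, dict):
            continue  # e.g. Compose carries a plain value, not a connector call
        conn = inputs.get("host", {}).get("connectionName", "")
        if not conn.startswith("shared_sharepointonline"):
            continue
        site = inputs.get("parameters", {}).get("dataset", "")
        if isinstance(site, str) and site.startswith("http") and not is_allowed_host(site, allowed):
            findings.append((name, site))
    return findings


if __name__ == "__main__":
    for name, site in find_foreign_sharepoint_targets(SAMPLE_FLOW):
        print(f"REVIEW {name}: SharePoint action targets {site}")
```

Run it over every flow export in an environment and treat any finding as a flow to review before it is shared with other users.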
Extension of the Vulnerability
The vulnerability could be extended further to other services like Power Apps and Copilot Studio by creating a seemingly benign Canvas app or a Copilot agent to harvest a user’s token, and escalate access further. The attacker could also embed the Canvas app into a Teams channel, for example, to expand their reach across the organization and make the attack even more widespread.
Conclusion
The interconnected nature of Power Platform services can result in serious security risks, especially given the widespread use of the SharePoint connector, since SharePoint houses a great deal of sensitive corporate data. Ensuring that proper access rights are maintained across the various environments can be complicated.
Related Vulnerabilities
Binary Security recently detailed three SSRF vulnerabilities in Azure DevOps that could have been abused to communicate with the metadata API endpoints, thereby permitting an attacker to glean information about the machine’s configuration.