![Microsoft SharePoint connector](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY1LiI2LayZbct1jWLQ8Oa4542BGOvGbwaY-mvQvVWSyCSNXkc99J28xRDT_txH-hwGLCgnHMacAmFhyBdAsdfTyFcaI4N1_sHiVC5gVNGZC7W5ckEX60sXXdVpF9dGBUrdUxkeIdXf7KI8jdZfBYsKpPOD-3Y8AFQVkU3vbgEZjy98oXwgzWm3d1Z9FGV/s728-rw-e365/ms.png)
Cybersecurity researchers have disclosed details of now-patched vulnerabilities affecting Microsoft's SharePoint connector that could let threat actors harvest user credentials and stage follow-on attacks.
According to Zenity Labs, this can take the form of exploitation that lets attackers gain unauthorized access to sensitive data and send requests to the SharePoint API on behalf of the impersonated user, the company said in a report shared with The Hacker News before publication.
“This vulnerability can be used through Power Automate, Power Apps, Copilot Studio, and Copilot 365, greatly expanding the potential damage.”
“This increases the likelihood that the attack will succeed, and the hacker can target multiple interconnected services within the Power Platform ecosystem.”
Following responsible disclosure in September 2024, Microsoft addressed the security hole, which was given an “Important” severity rating, as of December 13.
Microsoft Power Platform is a collection of low-code development tools for analytics, process automation, and data-driven productivity applications.
The vulnerabilities are, at their core, instances of server-side request forgery (SSRF) stemming from the “custom value” function in the SharePoint connector, which lets the attacker insert their own URL as part of a flow.
However, for the attack to succeed, the rogue user needs to hold the Environment Maker role and the Basic User role in Power Platform. This also means that they must first gain access to the target organization through other means and obtain these roles.
“With the Environment Maker role, you can create and share malicious resources such as apps and flows,” Zenity told The Hacker News. “With the Basic User role, you can run apps and interact with the resources owned by the Power Platform. If the attacker does not have these roles yet, they need to gain them first.”
In a hypothetical attack scenario, a threat actor could create a flow for a SharePoint action and share it with a low-privileged user (read: the victim), resulting in a leak of their SharePoint JWT access token.
Armed with this captured token, the attacker can send requests outside of Power Platform on behalf of the user to whom access was granted.
That’s not all. The vulnerability can be extended further to other services such as Power Apps and Copilot Studio by creating a seemingly benign Canvas app to harvest a user’s token and escalate access further.
“For example, by embedding a Canvas app in a Teams channel, you can take this further,” says Zenity. “When the user interacts with the app in Teams, the token can just as easily be harvested, expanding the overall reach and making the attack even wider.”
“The main point is that, considering the extensive use of the SharePoint connector, which holds a lot of sensitive corporate data, the interconnected nature of Power Platform services can cause serious security risks. However, it is maintained in various environments.”
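For defenders reviewing flows already shared in their environment, the following added example (not from Zenity's report or Microsoft) audits an exported flow definition for SharePoint connector actions whose site address points at a non-SharePoint host, the pattern the "custom value" issue above relies on. The JSON layout (`inputs.host.apiId`, `inputs.parameters.dataset`), the connector id suffix, the allowed host suffix and the sample flow are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: connector id suffix and field names as seen in exported flow definitions.
SHAREPOINT_API_SUFFIX = "/apis/shared_sharepointonline"
# Assumption: host suffixes this tenant legitimately uses for SharePoint sites.
ALLOWED_HOST_SUFFIXES = (".sharepoint.com",)

def is_trusted_site(value):
    """True only for https URLs, without userinfo, whose host is under an allowed suffix."""
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return any(host.endswith(suffix) for suffix in ALLOWED_HOST_SUFFIXES)

def walk_actions(node, path=""):
    """Yield (path, action) for every dict that has an 'inputs' object, at any nesting depth."""
    if isinstance(node, dict):
        if isinstance(node.get("inputs"), dict):
            yield path, node
        for key, child in node.items():
            yield from walk_actions(child, f"{path}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk_actions(child, f"{path}/{index}")

def audit_flow(definition):
    """Return (path, site value) for SharePoint actions whose site is not a trusted host."""
    findings = []
    for path, action in walk_actions(definition):
        host = action["inputs"].get("host")
        api_id = host.get("apiId", "") if isinstance(host, dict) else ""
        if not str(api_id).endswith(SHAREPOINT_API_SUFFIX):
            continue
        params = action["inputs"].get("parameters")
        dataset = params.get("dataset", "") if isinstance(params, dict) else ""
        # Dynamic expressions and non-URL values also land here for manual review.
        if not is_trusted_site(str(dataset)):
            findings.append((path, dataset))
    return findings

# Constructed sample: one normal action and one nested action with a foreign site URL.
_SP = {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"}
SAMPLE_FLOW = json.loads(json.dumps({"actions": {
    "Get_items": {"inputs": {"host": _SP, "parameters": {
        "dataset": "https://contoso.sharepoint.com/sites/hr"}}},
    "Scope": {"type": "Scope", "actions": {"Get_items_2": {"inputs": {
        "host": _SP, "parameters": {"dataset": "https://collector.example.net/sites/hr"}}}}},
}}))

if __name__ == "__main__":
    print(audit_flow(SAMPLE_FLOW))
```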
The development comes as Binary Security detailed three SSRF vulnerabilities in Azure DevOps that could have been abused to communicate with metadata API endpoints, allowing an attacker to collect information about the machine's configuration.