Full Report
The authors of the post were hunting for SSRF bugs in Microsoft Copilot Studio, having already found two that had recently been patched. They found that certain key phrases caused the service to issue an HTTP request on the user's behalf from inside Microsoft's infrastructure. Naturally, making HTTP requests from someone else's infrastructure is an exciting thing to do. Pointing the request at a Burp Collaborator host produced a callback. Pointing it at IMDS (the Azure Instance Metadata Service) returned an error instead. Encoding the address as a single decimal integer and using a domain that resolved to the internal IP both returned errors as well. The next technique was a classic: an attacker-controlled host answering with a 301 redirect to the restricted address. Even that returned a 400.

The IMDS documentation explained why: requests must carry the header `Metadata: true` and must not contain an `X-Forwarded-For` header. Luckily, the request editor allowed adding the `Metadata` header, and the `X-Forwarded-For` header that the backend attaches could be invalidated by smuggling a multiline value into the request. Adding both tricks on top of the 301 redirect made the SSRF work, and the response contained the instance's internal credentials.

With those credentials they enumerated what the identity could reach. It had both read and write permissions on a Cosmos DB instance, but the database was only reachable from a select range of IPs. Three things were needed to use it: the instance URL, the database master key, and the ability to make an HTTP request from Copilot Studio with the proper headers. Although the post does not spell it out, it appears that the master key could be retrieved using the stolen credentials. They could then reuse the SSRF to send requests to the database from an allowed IP.
Analysis Summary
# Vulnerability: Server-Side Request Forgery (SSRF) in Microsoft Copilot Studio
## CVE Details
- **CVE ID:** CVE-2024-38206
- **CVSS Score:** Not stated in the source post; Microsoft rates the issue **Critical**
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:** Microsoft Copilot Studio
- **Versions:** Cloud-based service (all versions prior to the August 2024 patch)
- **Configurations:** Default configurations of the Copilot Studio editor/plugin development environment that allowed users to configure HTTP requests.
## Vulnerability Description
A Server-Side Request Forgery (SSRF) vulnerability existed in Microsoft Copilot Studio that allowed an attacker to bypass security filters and make arbitrary internal HTTP requests. While the service initially blocked direct internal IP access (e.g., to the Instance Metadata Service - IMDS), researchers bypassed these protections using a **301 redirect** to a restricted host.
To successfully query the Azure IMDS (at `169.254.169.254`), two additional hurdles were overcome:
1. **Required header:** IMDS only answers requests that carry `Metadata: true`. The researchers added that header through the Copilot Studio request editor.
2. **X-Forwarded-For bypass:** IMDS rejects any request containing `X-Forwarded-For`, which the backend attached to outbound requests. The researchers invalidated that header by smuggling a multiline value into the request, so the backend ended up sending a request the metadata endpoint accepted.
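The failure mode in the redirect step, shown as an added example (not code from Copilot Studio or from the Tenable post): a fetcher that validates only the URL the user typed is defeated by an external host that answers with a 301 to the metadata service, while a fetcher that re-validates the destination on every hop and rejects CR/LF in user-supplied headers is not. The DNS table, the hostnames (`attacker.example`), the IP `93.184.216.34` and the in-memory transport are all constructed so the block runs offline; `host_addresses` also covers the decimal and hex encodings the researchers tried.

```python
"""Added example: naive vs. hop-by-hop SSRF validation for a request proxy.

Everything network-related here is constructed: FAKE_DNS stands in for the
resolver and FAKE_TRANSPORT for the HTTP client, so the redirect chain
attacker host -> 301 -> IMDS can be exercised offline.
"""
import ipaddress
from urllib.parse import urlparse

IMDS = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Constructed DNS answers. 93.184.216.34 is just a routable address for the
# attacker host; imds.attacker.example is the "domain that points at the
# internal IP" trick from the write-up.
FAKE_DNS = {
    "attacker.example": ["93.184.216.34"],
    "imds.attacker.example": ["169.254.169.254"],
}

# Constructed responses: URL -> (status, response headers, body).
FAKE_TRANSPORT = {
    "http://attacker.example/redir": (301, {"Location": IMDS}, b""),
    "http://attacker.example/ping": (200, {}, b"pong"),
    IMDS: (200, {}, b'{"compute": {"name": "copilot-backend"}}'),
}

REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 5


def resolver(host):
    """Stand-in for socket.getaddrinfo; returns IP strings for a hostname."""
    return FAKE_DNS.get(host, [])


def host_addresses(host):
    """Every address a URL host can reach: dotted quad, bare decimal
    ("2852039166"), hex ("0xa9fea9fe"), or whatever DNS says."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(int(host, 0))]
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_forbidden(ip):
    """Link-local (IMDS lives here), RFC 1918, loopback and friends."""
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def clean_headers(headers):
    """Refuse CR/LF anywhere (the multiline smuggling vector) and drop
    headers a user has no business setting on a proxied request. The proxy
    is expected to append its own trusted X-Forwarded-For afterwards."""
    cleaned = {}
    for name, value in headers.items():
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"header injection attempt in {name!r}")
        if name.lower() in ("metadata", "x-forwarded-for"):
            continue
        cleaned[name] = value
    return cleaned


def naive_fetch(url):
    """Checks only the initial URL, then follows redirects blindly."""
    if any(is_forbidden(ip) for ip in host_addresses(urlparse(url).hostname)):
        return 400, b"blocked"
    for _ in range(MAX_HOPS):
        status, resp_headers, body = FAKE_TRANSPORT[url]
        if status in REDIRECTS:
            url = resp_headers["Location"]      # destination never re-checked
            continue
        return status, body
    return 508, b"too many redirects"


def hardened_fetch(url, headers=None):
    """Validates the resolved destination of every hop before connecting."""
    headers = clean_headers(headers or {})
    for _ in range(MAX_HOPS):
        addrs = host_addresses(urlparse(url).hostname)
        if not addrs or any(is_forbidden(ip) for ip in addrs):
            return 400, b"blocked"
        status, resp_headers, body = FAKE_TRANSPORT[url]
        if status in REDIRECTS:
            url = resp_headers["Location"]
            continue
        return status, body
    return 508, b"too many redirects"


if __name__ == "__main__":
    print("naive   :", naive_fetch("http://attacker.example/redir"))
    print("hardened:", hardened_fetch("http://attacker.example/redir"))
```

Run as a script, the naive fetcher returns the constructed IMDS body for `http://attacker.example/redir` and the hardened one returns `400 blocked`; the same hardened check also stops the decimal, hex and DNS-alias forms of the address without a redirect being involved.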
## Exploitation
- **Status:** PoC developed and verified by Tenable researchers; reported to Microsoft.
- **Complexity:** Medium (Requires knowledge of SSRF bypasses and header smuggling).
- **Attack Vector:** Network (Web-based interface).
## Impact
- **Confidentiality:** **Critical** (Access to internal instance credentials, managed identity tokens, and Cosmos DB master keys).
- **Integrity:** **Critical** (Read/write access to internal infrastructure databases, specifically Cosmos DB).
- **Availability:** **Medium** (Potential to disrupt shared infrastructure used by multiple tenants).
## Remediation
### Patches
- **Microsoft Response:** Microsoft has applied a backend fix to Copilot Studio. Since this is a SaaS product, no manual user action is required to update the software.
### Workarounds
- No specific workarounds are required for end-users as the fix has been deployed globally by the vendor.
## Detection
- **Visibility caveat:** The requests are issued by Microsoft's backend, so tenants cannot see them on their own network. The indicators below apply to the service operator, and equally to any self-hosted service that proxies user-configured HTTP requests.
- **Indicators of Compromise:** Outbound traffic from the request-proxying component to `169.254.169.254` or other internal ranges (RFC 1918 such as `10.0.0.0/8`, loopback), in particular when the internal address is reached through a redirect from an external host.
- **Detection Methods:** Audit logs for Copilot Studio plugins or HTTP request actions whose redirect chain ends in internal IP space, or whose user-supplied headers contain multiline (CR/LF) values or the `Metadata` header that only the metadata service requires.
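The detection logic above, run over constructed audit records as an added example (not Copilot Studio's actual audit schema, which this page does not describe). It assumes a proxy that logs each hop of a user-configured request with the address it connected to; the record IDs, actor, URLs and addresses are all made up.

```python
"""Added example: flag proxied-request audit records that match the SSRF
pattern from the write-up (redirect into internal address space, smuggled
multiline headers, user-set Metadata header).

The JSON-lines format and field names (id, actor, hops, dst_ip, headers) are
an assumption for this example, not a real Copilot Studio log schema.
"""
import ipaddress
import json

# Constructed sample log. req-1 is benign; req-2 is the redirect-to-IMDS
# chain; req-3 carries a CR/LF inside a header value; req-4 targets an
# RFC 1918 address directly.
SAMPLE_LOG = """\
{"id": "req-1", "actor": "user@tenant.example", "hops": [{"url": "https://api.example/v1/items", "dst_ip": "93.184.216.34", "status": 200}], "headers": {"Accept": "application/json"}}
{"id": "req-2", "actor": "user@tenant.example", "hops": [{"url": "http://attacker.example/redir", "dst_ip": "93.184.216.34", "status": 301}, {"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01", "dst_ip": "169.254.169.254", "status": 200}], "headers": {"Metadata": "true"}}
{"id": "req-3", "actor": "user@tenant.example", "hops": [{"url": "http://attacker.example/ping", "dst_ip": "93.184.216.34", "status": 200}], "headers": {"X-Custom": "a\\r\\nX-Forwarded-For: 10.0.0.1"}}
{"id": "req-4", "actor": "user@tenant.example", "hops": [{"url": "http://10.0.4.7/admin", "dst_ip": "10.0.4.7", "status": 403}], "headers": {}}
"""


def is_internal(ip_str):
    """Link-local covers IMDS; private covers RFC 1918; loopback the host."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_link_local or ip.is_private or ip.is_loopback


def analyze(record):
    """Return the list of reasons a single record is suspicious (empty if none)."""
    reasons = []
    for index, hop in enumerate(record["hops"]):
        if is_internal(hop["dst_ip"]):
            how = "via redirect" if index > 0 else "direct"
            reasons.append(f"internal destination {hop['dst_ip']} ({how})")
    for name, value in record["headers"].items():
        if any(c in name or c in value for c in "\r\n"):
            reasons.append(f"multiline header {name!r}")
        if name.lower() == "metadata":
            reasons.append("IMDS 'Metadata' header set by user")
    return reasons


def scan(log_text):
    """Map record id -> reasons for every suspicious record in a JSON-lines log."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyze(record)
        if reasons:
            findings[record["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_LOG).items():
        print(rec_id, "->", "; ".join(reasons))
```

Only `req-1` passes clean. The redirect case is the one worth alerting on loudest: the first hop looks like ordinary outbound traffic, and only the second hop's connected address reveals the metadata service.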
## References
- **Vendor Advisory:** [https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38206](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38206)
- **Researcher Original Post:** [https://www.tenable.com/blog/ssrfing-the-web-with-the-help-of-copilot-studio](https://www.tenable.com/blog/ssrfing-the-web-with-the-help-of-copilot-studio)