CWE-94 Improper Control of Generation of Code (‘Code Injection’)
“The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.”
We started by attempting to trick Copilot into accessing a known SVG file, nest10.svg, stored in SharePoint. Direct folder path referencing and URL sharing failed. Inclusion techniques did not bypass restrictions either.
Next, we investigated how Copilot Designer renders images. We found that while direct <img> tags didn't work initially, gradual prompt injection using LLM jailbreaks like Crescendo allowed us to bypass some protections.
The strategy involved framing Copilot as a frontend helper and progressively injecting Angular code snippets, eventually transitioning to raw HTML. This primed Copilot to render HTML, including image tags.
Once Copilot began rendering HTML code: <img src="..."> tag referencing the SharePoint file.
This demonstrates that Copilot could be coerced into displaying internal image resources, leading to confidentiality breaches via HTML injection.
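One way to close the rendering path described above is to treat model output as untrusted text before it reaches the page. The sketch below is an added example, not code from this write-up and not Microsoft's fix; the function names, the allowlisted host and the sample URL are constructed for illustration.

```javascript
// Added example: neutralize HTML in model output and flag image references
// that point outside an allowlist. All names and values here are assumptions.
const ALLOWED_IMAGE_HOSTS = new Set(["static.example.com"]);

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every HTML special character so tags are displayed as inert text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Collect image references from raw <img> tags and from Markdown image syntax.
function findImageSources(text) {
  const sources = [];
  const htmlImg = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const mdImg = /!\[[^\]]*\]\(\s*([^)\s]+)/g;
  for (const m of text.matchAll(htmlImg)) sources.push(m[1] ?? m[2] ?? m[3]);
  for (const m of text.matchAll(mdImg)) sources.push(m[1]);
  return sources;
}

// Accept only absolute https URLs whose host is on the allowlist.
function isAllowedImage(src) {
  try {
    const url = new URL(src);
    return url.protocol === "https:" && ALLOWED_IMAGE_HOSTS.has(url.hostname);
  } catch {
    return false; // relative paths and malformed URLs are rejected
  }
}

// Return inert HTML for display plus the image references to log or block.
function prepareModelOutput(text) {
  const blocked = findImageSources(text).filter((src) => !isAllowedImage(src));
  return { safeHtml: escapeHtml(text), blocked };
}

// Constructed sample: model output carrying an <img> tag aimed at an internal library.
const sample =
  'Here is your preview: <img src="https://contoso.sharepoint.example/sites/docs/nest10.svg">';
const result = prepareModelOutput(sample);
console.log(result.safeHtml);
console.log(result.blocked);
```

The blocked list doubles as a detection signal: an image reference to an internal host appearing in model output is worth logging even when rendering is already neutralized.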
I would like to thank Joe from MSRC for assisting me throughout the vulnerability disclosure process. It was a fantastic learning experience, and they were responsive to any queries and doubts I had along the way.