A security researcher has disclosed a significant vulnerability in Microsoft 365’s file conversion functionality that allowed attackers to access local system files through PDF conversion processes.
The flaw, which has since been patched by Microsoft, enabled Local File Inclusion (LFI) attacks and earned the researcher a $3,000 bounty from Microsoft’s Security Response Center (MSRC) after a four-month investigation period.
Vulnerability Discovery and Impact
The security issue was initially discovered during a routine client assessment when the researcher encountered a web application feature that converted documents to PDF format and published them on SharePoint.
While analyzing this functionality, the researcher noticed that the system could read local system files during HTML-to-PDF conversion processes, initially believing it was a client-side vulnerability.
However, during the final presentation with the client, the project lead revealed that their application was merely a wrapper for Microsoft’s official APIs, suggesting the vulnerability existed within Microsoft’s infrastructure itself.
This revelation prompted the researcher to investigate Microsoft 365’s SharePoint instance directly, leading to the discovery of the broader security flaw.
The vulnerability specifically affected Microsoft Graph APIs, which allowed users to download uploaded files in various formats.
According to Microsoft’s official documentation, the system supported PDF conversion for multiple file types, including CSV, DOC, DOCX, and various Microsoft Office formats.
However, the researcher discovered an undocumented behavior that permitted HTML-to-PDF conversion, creating an unexpected attack vector.
Technical Details and Exploitation
The exploitation method centered on embedding specific HTML tags, namely <embed>, <object>, and <iframe>, into HTML content during the conversion process.
These tags could force the inclusion of local files from the server’s file system into the resulting PDF, including files located outside the server’s root directory.
This technique effectively enabled attackers to access sensitive server-side data, including Microsoft secrets, database credentials, and potentially application source code.
The researcher successfully demonstrated the vulnerability by accessing common system files such as web.config, win.ini, and other configuration files.
The exploitation process involved three straightforward steps: uploading a malicious HTML file via the Graph API, requesting the file in PDF format through the conversion service, and downloading the resulting PDF containing the included local resources.
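As an added example (not the researcher's or Microsoft's code), the following is the kind of pre-conversion check a wrapper application could run on HTML before handing it to a conversion service: it flags <embed>, <object> and <iframe> elements whose resource reference would resolve against the converter's own file system rather than an http(s) URL. The sample document, attribute set and scheme rules are assumptions made for this illustration.

```python
"""Pre-conversion check for HTML destined for an HTML-to-PDF converter.

Constructed example for this article; not Microsoft's or the researcher's code.
Flags <embed>, <object> and <iframe> elements that point at local resources.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

INCLUSION_TAGS = {"embed", "object", "iframe"}
SRC_ATTRS = {"src", "data"}          # attributes these elements load from
REMOTE_SCHEMES = {"http", "https"}   # the only schemes we allow through


def is_local_reference(ref):
    """True if the reference would be read from the converter's file system:
    file: URLs, Windows drive paths, UNC paths, absolute or relative paths."""
    ref = ref.strip()
    if not ref:
        return False
    scheme = urlparse(ref).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return False
    if scheme == "file":
        return True
    if len(scheme) == 1 and scheme.isalpha():   # "C:\..." parses as scheme "c"
        return True
    if scheme == "":                              # "/etc/x", "\\srv\share", "../web.config"
        return True
    return False                                  # data:, about:, ... are not file reads


class InclusionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, reference) pairs that must be rejected

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in INCLUSION_TAGS:
            return
        for name, value in attrs:
            if name.lower() in SRC_ATTRS and value and is_local_reference(value):
                self.findings.append((tag.lower(), value))


def find_local_inclusions(html):
    """Return every local-resource inclusion found in the HTML document."""
    scanner = InclusionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate remote frame, two local inclusions.
SAMPLE = """<html><body><h1>Quarterly report</h1>
<iframe src="https://example.com/chart"></iframe>
<embed src="file:///C:/Windows/win.ini">
<object data="../web.config"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, ref in find_local_inclusions(SAMPLE):
        print(f"reject upload: <{tag}> references local resource {ref!r}")
```

A wrapper that refuses any document with a non-empty result never submits file-system references to the converter, regardless of how the downstream service treats them.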
The researcher noted that in certain edge cases, this vulnerability could potentially lead to cross-tenant data exposure in multi-tenant environments if attackers could identify paths to temporary files.
Microsoft has since remediated the vulnerability and classified it as “Important” severity.
The $3,000 bounty reflects the significant potential impact of this security flaw, which could have compromised sensitive data across Microsoft’s cloud infrastructure.
This discovery highlights the importance of thorough security testing for cloud-based file conversion services and the value of responsible disclosure practices in identifying and addressing critical vulnerabilities.