An Important-rated Local File Inclusion (LFI) vulnerability was recently found in Microsoft 365's Export to PDF functionality, potentially allowing attackers to access sensitive server-side data, including configuration files, database credentials, and application source code.
The vulnerability, reported by security researcher Gianluca Baldi and subsequently patched by Microsoft, earned a $3,000 bounty reward for its significant impact on enterprise security.
Key Takeaways
1. A Local File Inclusion (LFI) flaw in Microsoft 365's Export to PDF feature allowed attackers to access sensitive server-side files.
2. Malicious HTML tags pull server files into the converted PDF.
3. Exposed configs, credentials, and possible cross-tenant data.
4. Microsoft patched the vulnerability after security researcher Gianluca Baldi reported it through their bug bounty program.
This flaw exploited an undocumented behavior in the Microsoft Graph APIs that enabled HTML-to-PDF conversion with embedded file inclusion capabilities.
Overview of the Local File Inclusion (LFI) vulnerability
Gianluca Baldi discovered the vulnerability during a client web application assessment, where a file conversion feature transformed documents into PDF format through Microsoft 365 SharePoint integration.
The Microsoft Graph APIs officially support PDF conversion from a number of formats, including CSV, DOC, DOCX, ODP, ODS, ODT, POT, POTM, POTX, PPS, PPSX, PPSXM, PPT, PPTM, PPTX, RTF, XLS, and XLSX, via the format HTTP parameter. However, an undocumented behavior also allowed HTML-to-PDF conversion, creating an unexpected attack surface.
This conversion process lacked proper input validation and file path restrictions, enabling path traversal attacks that could access files outside the server's designated root directory.
The exploitation process involved embedding malicious HTML tags such as ,
Malicious HTML file
Attackers could craft specially designed HTML files containing these tags with file paths pointing to sensitive system files like web.config, win.ini, or other critical configuration files.
The attack sequence consisted of three simple steps: first, uploading a malicious HTML file via the Microsoft Graph API; second, requesting conversion of the file to PDF format through the API endpoint; and third, downloading the resulting PDF containing the embedded local file contents.
Request the file in PDF format
This Local File Inclusion vulnerability effectively bypassed standard security controls and file access restrictions.
Mitigations
The security implications of this vulnerability extended beyond simple file disclosure, potentially exposing Microsoft secrets, database connection strings, application source code, and, in multi-tenant environments, cross-tenant data.
The vulnerability received an "Important" severity rating from the Microsoft Security Response Center (MSRC), reflecting its potential for significant data breaches in enterprise environments.
Organizations using Microsoft 365's document conversion features were at risk until Microsoft implemented proper input validation and file path sanitization controls.
The remediation process involved restricting HTML tag processing during PDF conversion and implementing strict file path validation to prevent directory traversal attacks.
Microsoft has since patched this vulnerability, but the incident highlights the importance of thorough security testing for undocumented API behaviors and file processing features.
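As an added illustration of the two remediation measures described above (example code written for this article, not Microsoft's implementation), the sanitizer below is what an HTML-to-PDF conversion service could run over an uploaded document before rendering it: every attribute that would make the renderer fetch another file is checked, and only a relative path that stays inside the conversion job's own directory survives. The tag-to-attribute list, the depth rule and the sample upload are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
# Tag -> attribute that makes an HTML-to-PDF converter fetch another file (assumed list).
RESOURCE_ATTRS = {"img": "src", "iframe": "src", "embed": "src", "object": "data",
                  "source": "src", "script": "src", "link": "href"}

def is_allowed_reference(ref):
    """Allow only a relative path that stays inside the conversion job directory."""
    ref = ref.strip().replace("\\", "/")
    segments = ref.split("/")
    # Reject absolute/UNC paths, drive letters and URL schemes (file:, http:, ...).
    if ref.startswith("/") or ":" in segments[0]:
        return False
    depth = 0
    for seg in segments:
        depth += -1 if seg == ".." else 1 if seg not in ("", ".") else 0
        if depth < 0:  # ".." would climb above the job directory
            return False
    return True

class PdfHtmlSanitizer(HTMLParser):
    """Re-emits the document minus any resource attribute that fails the path check."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.rejected = [], []
    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if name == RESOURCE_ATTRS.get(tag) and value and not is_allowed_reference(value):
                self.rejected.append((tag, value))  # recorded for logging, never fetched
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s%s>" % (tag, "".join(kept), " /" if self_closing else ""))
    def handle_starttag(self, tag, attrs): self._render(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._render(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append("</%s>" % tag)
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)

def sanitize_html_for_pdf(document):
    """Return (sanitized_html, rejected_references) for an uploaded HTML document."""
    parser = PdfHtmlSanitizer()
    parser.feed(document); parser.close()
    return "".join(parser.out), parser.rejected

# Constructed sample upload: a legitimate image beside references to server-side files.
SAMPLE_UPLOAD = ('<html><body><h1>Report &amp; figures</h1><img src="figures/logo.png">'
                 '<iframe src="../../web.config"></iframe><embed src="file:///C:/Windows/win.ini">'
                 '<object data="/web.config"></object></body></html>')
```

Running `sanitize_html_for_pdf(SAMPLE_UPLOAD)` keeps the image and strips the three out-of-directory references, returning them in the rejected list so the service can log the attempt.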