Microsoft 365 PDF Export LFI Vulnerability Allows Access to Sensitive Server Data
A critical Local File Inclusion (LFI) vulnerability was recently discovered in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive server-side data, including configuration files, database credentials, and application source code.
The vulnerability, reported by security researcher Gianluca Baldi and subsequently patched by Microsoft, earned a $3,000 bounty reward for its significant impact on enterprise security.
Key Takeaways
1. Local File Inclusion (LFI) flaw in Microsoft 365's Export to PDF feature allowed attackers to access sensitive server-side files.
2. Malicious HTML tags pull server files into the converted PDF.
3. Exposed configuration files, credentials, and potentially cross-tenant data.
4. Microsoft patched the vulnerability after security researcher Gianluca Baldi reported it through their bug bounty program.
This flaw exploited an undocumented behavior in Microsoft Graph APIs that enabled HTML-to-PDF conversion with embedded file inclusion capabilities.
Overview of Local File Inclusion (LFI) vulnerability
Gianluca Baldi discovered the vulnerability during a client web application assessment, where a file conversion feature transformed documents into PDF format through Microsoft 365 SharePoint integration.
The Microsoft Graph APIs officially support PDF conversion from multiple formats, including CSV, DOC, DOCX, ODP, ODS, ODT, POT, POTM, POTX, PPS, PPSX, PPSXM, PPT, PPTM, PPTX, RTF, XLS, and XLSX, through the format HTTP parameter. However, an undocumented behavior allowed HTML-to-PDF conversion, creating an unexpected attack surface.
This conversion process lacked proper input validation and file path restrictions, enabling path traversal attacks that could access files outside the server’s designated root directory.
The exploitation process involved embedding malicious HTML tags such as
Attackers could craft specially designed HTML files containing these tags with file paths pointing to sensitive system files like web.config, win.ini, or other critical configuration files.
The attack sequence consisted of three straightforward steps: first, uploading a malicious HTML file via the Microsoft Graph API; second, requesting the file conversion to PDF format through the API endpoint; and third, downloading the resulting PDF containing the embedded local file contents.
This Local File Inclusion vulnerability effectively bypassed standard security controls and file access restrictions.
Mitigations
The security implications of this vulnerability extended beyond simple file disclosure: it could potentially expose Microsoft secrets, database connection strings, and application source code, and, in multi-tenant environments, lead to cross-tenant data exposure.
The vulnerability received an “Important” severity rating from the Microsoft Security Response Center (MSRC), reflecting its potential for significant data breaches in enterprise environments.
Organizations utilizing Microsoft 365’s document conversion features were at risk until Microsoft implemented proper input validation and file path sanitization controls.
The remediation process involved restricting HTML tag processing during PDF conversion and implementing strict file path validation to prevent directory traversal attacks.
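An allow-list gate of the kind that remediation describes, written here as an added example (not Microsoft's code and not the researcher's): it audits every resource reference in an HTML document before the document is handed to an HTML-to-PDF converter, and reports anything that would make the converter read from its own filesystem (file: URLs, drive letters, UNC shares, traversal, unresolved relative paths) or fetch from a non-allow-listed origin. ALLOWED_HOSTS, the function names and the constructed SAMPLE are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

RESOURCE_ATTRS = ("src", "href", "data", "poster", "xlink:href")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
ALLOWED_HOSTS = {"cdn.example.com"}  # hypothetical allow-list of fetchable origins

def reference_violation(ref):
    """Why the converter must not fetch `ref`, or None if the reference is acceptable."""
    if not ref or ref.startswith("#"):
        return None  # empty, or a same-document fragment
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()
    if scheme == "data" or (scheme == "https" and parts.hostname in ALLOWED_HOSTS):
        return None  # inline payload, or a fetch from an allow-listed origin
    # Order matters below: urlsplit reports a drive letter such as C: as scheme 'c'.
    if scheme == "file":
        return "file: scheme"
    if re.match(r"[A-Za-z]:[\\/]|\\\\|//", ref):
        return "absolute local path or UNC share"
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", ref):
        return "path traversal"
    return f"{scheme}: URL outside the allow-list" if scheme else "path resolved on the converter host"

class ResourceAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (location, reference, reason)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            # Resource attributes, and url() inside inline CSS, make the converter fetch something.
            refs = [value] if name in RESOURCE_ATTRS else CSS_URL_RE.findall(value) if name == "style" else []
            for ref in map(str.strip, refs):
                if reason := reference_violation(ref):
                    self.findings.append((f"<{tag} {name}>", ref, reason))

def audit_html(html):
    auditor = ResourceAuditor()  # an empty result means the HTML is safe to hand to the converter
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample, not from the report: one allowed image, then references a converter must never resolve locally.
SAMPLE = """<img src="https://cdn.example.com/logo.png">
<img src="file:///C:/Windows/win.ini">
<iframe src="../../web.config"></iframe>
<div style="background:url(C:\\inetpub\\web.config)"></div>"""
```

Running `audit_html(SAMPLE)` returns three findings (the file: image, the traversing iframe, the drive-letter url() in the inline style) and nothing for the allow-listed image, so the conversion request would be refused before the converter ever sees the document.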
Microsoft has since patched this vulnerability, but the incident highlights the importance of thorough security testing for undocumented API behaviors and file processing features.