A security researcher has disclosed a significant Local File Inclusion (LFI) vulnerability in Microsoft Graph APIs that allowed attackers to extract sensitive server-side files through the platform’s document conversion feature.
The flaw, which Microsoft has since patched, earned the researcher a $3,000 bounty through the Microsoft Security Response Center (MSRC) and was classified with “Important” severity.
The vulnerability was initially discovered during a routine security assessment of a client’s web application that utilized Microsoft’s document conversion capabilities.
The researcher found that while the official documentation supported converting various Microsoft Office formats to PDF, an undocumented behavior also enabled HTML-to-PDF conversion through the Microsoft Graph APIs.
Technical Exploitation Details
The vulnerability abused the file conversion process: an HTML document submitted for conversion could carry tags that the PDF rendering engine resolved while building the output.
By including <embed>, <object>, and <iframe> elements that referenced local paths, attackers could make the conversion engine read files from the server’s file system and place their contents in the resulting PDF.
Because the engine honored such references, access was not confined to the application’s own directory, and files outside the server’s root directory could be read.
The attack vector was particularly concerning because it could potentially expose critical server-side data, including Microsoft secrets, database credentials, and application source code.
During testing, the researcher successfully accessed standard system files, including web.config, win.ini, and other sensitive configuration files.
The vulnerability also raised concerns about potential cross-tenant data exposure in multi-tenant environments, where attackers might access temporary files containing data from other organizations.
Simple Three-Step Attack Process
The exploitation process was remarkably straightforward, requiring only three steps. First, attackers would upload a malicious HTML file containing the embedded tags through the Graph API. Second, they would request that the file be converted to PDF by specifying the format parameter in the HTTP request. Finally, the converted PDF, now containing the contents of the referenced local files, could be downloaded from the URL returned in the server response.
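One way a service that exposes such a converter could gate uploads before they reach the rendering engine, as an added example that is not part of the original article or of Microsoft's fix. It rejects the three element types the disclosure names and any resource reference that is not an absolute http(s) URL; that allow-list policy, the function names and the sample documents are this example's own assumptions.

```python
# Added example (not the article's or Microsoft's code): a pre-conversion gate
# that inspects HTML with the standard-library parser and reports policy
# violations instead of rendering anything. Policy is an assumption: block
# <embed>, <object>, <iframe> outright, and allow resource references only when
# they are absolute http(s) URLs, so file:, UNC paths, drive letters, data:
# URIs and bare relative paths are all treated as local-file access attempts.
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_TAGS = {"embed", "object", "iframe"}
# attributes through which an element pulls in an external resource
RESOURCE_ATTRS = {"src", "data"}


def _is_remote_http(ref: str) -> bool:
    parts = urlsplit(ref.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class ConversionGate(HTMLParser):
    """Collects violations; html.parser also routes void tags such as <embed>
    through handle_starttag, so they are covered."""

    def __init__(self) -> None:
        super().__init__()
        self.violations: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        tag = tag.lower()
        if tag in BLOCKED_TAGS:
            self.violations.append(f"blocked element <{tag}>")
        for name, value in attrs:
            if name.lower() in RESOURCE_ATTRS and value and not _is_remote_http(value):
                self.violations.append(f"<{tag} {name}> references local resource: {value}")


def check_html_for_conversion(html: str) -> list[str]:
    """Return an empty list if the document may be converted, else the reasons."""
    gate = ConversionGate()
    gate.feed(html)
    gate.close()
    return gate.violations


if __name__ == "__main__":
    # Constructed sample documents for demonstration.
    clean = "<p>Quarterly report</p><img src='https://example.com/logo.png'>"
    hostile = "<html><body><iframe src='file:///C:/Windows/win.ini'></iframe></body></html>"
    print(check_html_for_conversion(clean))    # []
    print(check_html_for_conversion(hostile))  # two violations
```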
The vulnerability highlights the risks associated with undocumented API behaviors and the importance of comprehensive security testing for file processing functions.
Microsoft has since remediated the issue, preventing further exploitation of this attack vector.
The discovery underscores the value of security research and responsible disclosure practices, as the vulnerability was reported through proper channels and addressed before widespread exploitation could occur.
This incident serves as a reminder that even well-established cloud platforms can harbor unexpected security flaws, particularly in complex file processing systems that handle multiple formats and conversion operations.