One GET Parameter, Two Endpoints → $8,000 Bounty (SSRF in Microsoft Office Online)

Microsoft Office Online had a critical SSRF (Server-Side Request Forgery) vulnerability affecting Word, Excel, PowerPoint, and Visio. The issue stemmed from two endpoints:

1. `skydriveuploadhandler.ashx`

2. `sharepointsaveashandler.ashx`

Both endpoints processed a hidden parameter `furl` (file URL), allowing attackers to force the server to fetch arbitrary URLs and save the responses directly to OneDrive or SharePoint.

🔍 The Vulnerability Breakdown

Variant 1 – `skydriveuploadhandler.ashx`

  • Impact: All Office apps (Word, Excel, Visio, PowerPoint).
  • Exploit: No URL validation—allowed fetching internal endpoints like:
    – `http://169.254.169.254/metadata/v1/instanceinfo` (Azure metadata)
    – `http://localhost/`
  • Bounty: $3,000 (Fixed by MSRC).

Variant 2 – `sharepointsaveashandler.ashx`

  • Restrictions: Blocked HTTP and internal IPs, only allowed HTTPS.
  • Bypass: Used an HTTPS server that redirected to internal HTTP endpoints.
  • Bounty: $5,000 (Total: $8,000).

☁️ Impact Summary

  • Internal Data Exposure: Fetch Azure metadata, internal services.
  • File Persistence: Responses saved to OneDrive/SharePoint.
  • No Content Validation: Raw JSON/HTML saved as .docx.
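As an added example (not Microsoft's code and not from the original post), here is a Python fetch guard of the kind that would have stopped both variants above: it enforces HTTPS, resolves the hostname and rejects any non-public address (RFC 1918, loopback, link-local including the 169.254.169.254 metadata range), supports an optional host allowlist, and follows redirects by hand so that the Variant 2 trick (an HTTPS host redirecting to an internal HTTP URL) is caught at the redirect hop. The DNS table (`FAKE_DNS`), the HTTP exchange table (`FAKE_HTTP`), the host names and the function names are constructed stand-ins so the example runs offline; in production the resolver and transport would be real DNS and HTTP calls.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

MAX_REDIRECTS = 5

# Constructed DNS table standing in for a real resolver (socket.getaddrinfo).
# The public addresses are sample values, not real hosts.
FAKE_DNS = {
    "attacker.example": ["93.184.216.34"],
    "docs.example": ["151.101.1.69"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}

# Constructed HTTP exchange table: url -> (status, headers, body).
# attacker.example replays the Variant 2 bypass: an HTTPS URL that
# redirects to the HTTP-only cloud metadata endpoint.
FAKE_HTTP = {
    "https://attacker.example/doc.docx": (
        302, {"Location": "http://169.254.169.254/metadata/v1/instanceinfo"}, b""),
    "https://docs.example/report.docx": (
        200, {}, b"PK\x03\x04 constructed docx bytes"),
}


class SsrfBlocked(Exception):
    """Raised when a URL (or a redirect hop) must not be fetched server-side."""


def resolve(host):
    # Hypothetical resolver; production code would call socket.getaddrinfo(host, None).
    if host not in FAKE_DNS:
        raise SsrfBlocked(f"unresolvable host {host!r}")
    return FAKE_DNS[host]


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # is_global is False for RFC 1918, loopback, link-local (169.254/16, the
    # cloud metadata range), ULA, unspecified and reserved space, v4 and v6.
    return ip.is_global and not ip.is_multicast


def validate_url(url, allowed_hosts=None):
    """Reject anything the server should never fetch on a user's behalf."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise SsrfBlocked(f"scheme {parsed.scheme!r} not allowed (https only)")
    if not parsed.hostname or parsed.username or parsed.password:
        raise SsrfBlocked("missing host or embedded credentials")
    if allowed_hosts is not None and parsed.hostname not in allowed_hosts:
        raise SsrfBlocked(f"host {parsed.hostname!r} not on allowlist")
    # Check every address the name resolves to: a public-looking hostname
    # may point at a private IP.
    for addr in resolve(parsed.hostname):
        if not is_public_address(addr):
            raise SsrfBlocked(f"{parsed.hostname!r} resolves to non-public {addr}")
    return parsed


def safe_fetch(url, allowed_hosts=None):
    """Fetch with redirects followed manually so each hop is re-validated."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, allowed_hosts)
        status, headers, body = FAKE_HTTP.get(url, (404, {}, b""))
        if status in (301, 302, 303, 307, 308):
            # Do not trust the redirect target: it goes through validate_url on
            # the next iteration, which is what defeats the HTTPS->HTTP trick.
            url = urljoin(url, headers.get("Location", ""))
            continue
        return status, body
    raise SsrfBlocked("too many redirects")


def fetch_verdict(url, allowed_hosts=None):
    """Convenience wrapper returning ('ok', status) or ('blocked', reason)."""
    try:
        status, _body = safe_fetch(url, allowed_hosts)
        return ("ok", status)
    except SsrfBlocked as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for candidate in ("https://docs.example/report.docx",
                      "https://attacker.example/doc.docx",   # Variant 2 bypass
                      "http://localhost/",                   # Variant 1 target
                      "https://metadata.internal/x"):        # DNS to metadata IP
        print(candidate, "->", fetch_verdict(candidate))
```

The important design choice is that the HTTP client's automatic redirect handling is switched off and each `Location` is pushed back through `validate_url`; a scheme or IP check applied only to the first URL is exactly what the redirect bypass defeats.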

You Should Know: SSRF Exploitation & Defense

Exploiting SSRF (Testing Locally)

```bash
# Set up a local HTTP server (Python) to act as the fetch target
python3 -m http.server 8080

# Test SSRF with curl (simulating the vulnerable endpoint)
curl "http://vulnerable-site.com/skydriveuploadhandler.ashx?furl=http://localhost:8080/secret.txt"
```

Detecting SSRF Vulnerabilities

  • Use Burp Suite or OWASP ZAP to intercept requests.
  • Look for URL-fetching parameters (e.g., `furl`, `url`, `endpoint`).

```bash
# Check for internal IP access (Linux)
curl -v "http://target.com/api?url=http://169.254.169.254/latest/meta-data/"
```

Mitigation Techniques

```nginx
# Block internal IPs in Nginx
# Note: `deny` filters the client's source address; it does not stop the
# server's own outbound fetches, so pair it with URL validation in the app.
location / {
    deny 10.0.0.0/8;
    deny 172.16.0.0/12;
    deny 192.168.0.0/16;
    deny 169.254.0.0/16;
}
```

```bash
# Use AWS Instance Metadata Service v2 (IMDSv2) to restrict access: a session
# token must first be obtained with a PUT request, which a plain GET-based SSRF
# cannot issue
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
```

Windows SSRF Protection (PowerShell)

```powershell
# Restrict outbound HTTP requests to internal ranges in Windows Firewall
New-NetFirewallRule -DisplayName "Block Internal SSRF" -Direction Outbound -LocalPort Any -RemoteAddress 169.254.0.0/16,10.0.0.0/8 -Action Block
```

What Undercode Say

SSRF remains a critical threat in cloud environments. Microsoft’s quick patch and bounty payout highlight its severity. Key takeaways:
– Always validate user-supplied URLs in API endpoints.
– Use allowlists instead of blocklists for domain restrictions.
– Monitor outbound requests from servers to detect exploitation.

Expected Output:

A secure system should log and block unauthorized internal requests. Test with:

```bash
# Log all outbound requests to internal ranges (Linux)
sudo tcpdump -i eth0 'dst net 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16' -w ssrf_attempts.pcap
```
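An added detection example (not part of the original post) for the "log and block" step above and the earlier advice to look for URL-fetching parameters: it scans web-server access log lines for fetch parameters whose targets are loopback, link-local or private addresses, which is what an SSRF probe against an endpoint like `skydriveuploadhandler.ashx` looks like in the logs. The sample log lines, the `FETCH_PARAMS` set (only `furl` comes from the post; `url`, `endpoint` and `uri` are assumed common names) and the `scan_log`/`classify_target` names are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Parameters that carry a URL the server will fetch (furl from the post;
# the rest are common names, assumed here).
FETCH_PARAMS = {"furl", "url", "endpoint", "uri"}

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Mar/2024:12:00:01 +0000] "GET /skydriveuploadhandler.ashx?furl=http%3A%2F%2F169.254.169.254%2Fmetadata%2Fv1%2Finstanceinfo HTTP/1.1" 200 512
10.1.2.4 - - [10/Mar/2024:12:00:02 +0000] "GET /sharepointsaveashandler.ashx?furl=https%3A%2F%2Fdocs.example%2Freport.docx HTTP/1.1" 200 20480
10.1.2.5 - - [10/Mar/2024:12:00:03 +0000] "GET /skydriveuploadhandler.ashx?furl=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 301
10.1.2.6 - - [10/Mar/2024:12:00:04 +0000] "GET /api?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 500 0
10.1.2.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify_target(target):
    """Return (severity, reason) if the fetched URL points somewhere the
    server should not be sent, else None."""
    parsed = urlparse(target)
    host = parsed.hostname
    if not host:
        return ("medium", "target URL has no host")
    if host == "localhost" or host.endswith(".localhost"):
        return ("high", "loopback hostname")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; resolving it at scan time is out of scope here
    if ip is not None and not ip.is_global:
        # Covers RFC 1918, 127/8, 169.254/16 (cloud metadata), v6 ULA, etc.
        return ("high", f"non-public address {ip}")
    if parsed.scheme != "https":
        return ("low", f"non-https scheme {parsed.scheme!r}")
    return None


def scan_log(text):
    """Scan access-log lines for fetch parameters aimed at internal targets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("path")).query
        for param, values in parse_qs(query).items():  # parse_qs percent-decodes
            if param.lower() not in FETCH_PARAMS:
                continue
            for target in values:
                verdict = classify_target(target)
                if verdict:
                    severity, reason = verdict
                    findings.append({"line": lineno, "client": m.group("client"),
                                     "param": param, "target": target,
                                     "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} [{f['severity']}] {f['client']} "
              f"{f['param']}={f['target']} :: {f['reason']}")
```

Run against the constructed log, lines 1, 3 and 4 are flagged (metadata IP, localhost, RFC 1918 host) and the legitimate HTTPS document fetch on line 2 is not; the same function can be pointed at a real access log with the pcap from the tcpdump command above as corroborating evidence of outbound connections.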

Prediction: SSRF attacks will evolve with cloud-native apps, requiring stricter zero-trust policies.

Reported By: Guy H087 – Hackers Feeds