Using latest GroupDocs.Conversion.NETFramework 25.11.0
We have identified 2 vulnerabilities in conversion.
Exploitation Steps
Step 1
Using your editor of choice create a file with the following content and save it with a .svg
extension. The location specified in the xlink:href property is the location the svg will try to
load an image from.
Attached payload.svg
Step 2
Now that the SVG payload has been created create a new Word Document (.docx) and drag
the SVG into the document (Do not embed it as an object or it will the trigger). It should look
similar to the below. Save the Word Document and exit.
Step 3
Convert the document from Word to image
Step 4
Observe the attacker-controlled resource is loaded by the RightFax server, wpshmhcg
Step 5
Observe assessors using the tool responder to capture the netntlmv2 hash for the
OPR\SVC_Rightfax account.
Second case:
Step 1
Using your editor of choice create an xhtml file with the following payload.
Attached payload.xhmtl
Step 2
Convert the document from HTML to image
Step 3
Observe the Burp Collaborator link was loaded and rendered in the iframe by the RightFax
Server and was then converted in an image.
Step 4
Observe the request to the Burp Collaborator endpoint exposing the use of the software.