CVE-2015-3784 in Mac OS X
Summary
by MITRE
Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Analysis
by VulDB Data Team • 02/02/2025
The vulnerability identified as CVE-2015-3784 is an XML External Entity (XXE) flaw in Office Viewer, Apple's built-in component for rendering Office documents, affecting iOS before 8.4.1 and OS X before 10.10.5. The weakness lies in how the component's XML parser treats a document's DTD: it accepts an external entity declaration (an <!ENTITY name SYSTEM "uri"> inside the DOCTYPE) and, when the document body later references that entity, resolves the reference by reading the named resource and substituting its contents where the reference stands. A remote attacker who can get a crafted document opened therefore obtains the contents of arbitrary files readable by the viewing process. The flaw is classified under CWE-611 (Improper Restriction of XML External Entity Reference), a well-documented class of parser misconfiguration in which the correct behaviour for a parser fed untrusted input is to refuse external entities rather than resolve them.
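As an added example that is not from the original analysis or from Apple's code: the document shape MITRE describes (an external entity declaration plus a reference to it) fed to a parser that resolves external general entities, beside the same parser with resolution disabled. Python's xml.sax (expat) stands in for Office Viewer's parser, whose internals the page does not show; the "secret" file and its path are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser emits, expanded entities included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_document(target_path):
    """Constructed sample with the two ingredients the advisory names: an
    external entity declaration in the DTD and a reference to it in the body."""
    doctype = '<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file://%s"> ]>' % target_path
    return ('<?xml version="1.0"?>\n' + doctype + '\n<doc>&xxe;</doc>\n').encode()


def extract_text(xml_bytes, resolve_external_entities):
    """Parse the document and return its text content.

    With resolve_external_entities=True the parser follows SYSTEM identifiers
    (the vulnerable behaviour); with False the reference is silently skipped
    (the hardened behaviour a viewer of untrusted documents should have)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Write a throwaway 'secret' file, then parse the crafted document both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("secret-token-12345")  # constructed stand-in for a sensitive file
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        leaked = extract_text(doc, resolve_external_entities=True)
        blocked = extract_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("parser resolving external entities returned:", repr(leaked))
    print("parser refusing external entities returned: ", repr(blocked))
```

The only difference between the two runs is one parser feature: with external general entities enabled, the file content is returned as ordinary document text, which is exactly the substitution a viewer then renders. Recent CPython releases leave that feature off by default; the example sets it explicitly in both directions so the contrast does not depend on the interpreter version.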
The operational impact goes beyond a single disclosure. Because the parser reads whatever the entity's system identifier names, an attacker can target configuration files, user data, or other system information that would normally be out of reach, and use what is learned to prepare further attacks. The attack vector is notable because the only user interaction required is opening the crafted document; no memory corruption is involved, so the attack is reliable and leaves few traces. Since Office Viewer is the system's own document viewer, a user who trusts the application still exposes file contents simply by viewing a document from an untrusted source. This maps to ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment), with the crafted document as the attachment that delivers the malicious XML.
Technically, the exploitation shows how an XML parser is steered by a constructed DTD. When the parser meets an external entity declaration and then a reference to that entity, it opens the resource named by the system identifier and inserts its content where the reference stands. This does not bypass file access controls: the read happens with the privileges of the process rendering the document, so everything that process may read is exposed, which on a personal device includes the user's own files. The typical scenario is a document whose entity points at a sensitive file such as configuration data, credentials stored in plain text, or application-specific information. The root cause is that Office Viewer's parser resolved external entities at all; a parser fed untrusted documents should disable DTD processing or external entity resolution, and a document viewer has no need to expand entities that fetch local files, so restricting the parser to the document itself removes the attack and is the least-privilege configuration. Organizations and individuals should treat the exposed information as a potential stepping stone, since credentials or configuration read this way can support privilege escalation or lateral movement within a network environment.
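As an added example that is not part of the original analysis or of any Apple code, serving both the attachment delivery path discussed above and the entity mechanics just described: a pre-parse check of the kind a mail gateway or incident responder would run over Office attachments, flagging the DTD constructs an XXE document needs before any parser touches the content. It assumes OOXML containers (a zip of XML parts); the sample package, its parts and the malicious document text are constructed, and the package layout is the minimum needed for the scan rather than a complete .docx.

```python
import io
import re
import zipfile

# DTD constructs an Office XML part has no business carrying. Matched on raw
# bytes so an odd or partly decoded part still trips them.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)
_ENTITY_REF = re.compile(rb"&([A-Za-z_][\w.-]*);")
# Entities XML predefines; references to these are harmless.
_PREDEFINED = {b"lt", b"gt", b"amp", b"apos", b"quot"}


def _normalise(data):
    """Re-encode BOM-marked UTF-16 parts as UTF-8 so the byte patterns apply."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16").encode("utf-8")
    return data


def scan_xml_part(name, data):
    """Return (part name, finding) tuples for one XML part of an Office package."""
    data = _normalise(data)
    findings = []
    if _DOCTYPE.search(data):
        findings.append((name, "DOCTYPE present"))
    for m in _EXTERNAL_ENTITY.finditer(data):
        decl = m.group(0).decode("latin-1")
        findings.append((name, "external entity declaration: " + decl))
    custom_refs = {m.group(1) for m in _ENTITY_REF.finditer(data)} - _PREDEFINED
    for ref in sorted(custom_refs):
        findings.append((name, "reference to declared entity &%s;" % ref.decode("latin-1")))
    return findings


def scan_office_package(blob):
    """Scan every XML part of an OOXML (.docx/.xlsx/.pptx) container held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".xml", ".rels")):
                findings.extend(scan_xml_part(info.filename, zf.read(info)))
    return findings


def build_sample_docx(document_xml):
    """Constructed minimal package: just enough parts to look like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_W = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed samples: a benign body, and one carrying the XXE ingredients.
BENIGN_DOCUMENT = (
    '<?xml version="1.0"?><w:document %s><w:body><w:p><w:r>'
    '<w:t>Hello &amp; welcome</w:t></w:r></w:p></w:body></w:document>' % _W
)
MALICIOUS_DOCUMENT = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<w:document %s><w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p>'
    '</w:body></w:document>' % _W
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_DOCUMENT), ("malicious", MALICIOUS_DOCUMENT)):
        print(label, scan_office_package(build_sample_docx(body)))
```

OPC package parts are not expected to carry a DTD at all, so a DOCTYPE on its own is already a strong indicator, and an ENTITY declaration with SYSTEM or PUBLIC plus a reference to it is the full XXE pattern. The check covers only XML parts inside zip containers; Office Viewer also renders legacy binary formats, which need a different inspection, and a parameter-entity or out-of-band variant still shows up here because the declaration itself is what is matched.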