Chrome Universal XSS through bypassing ScopedPageSuspender with closing windows (CVE-2017-5007)

2017-04-21T00:00:00
ID SSV:92996
Type seebug
Reporter Root
Modified 2017-04-21T00:00:00

Description

VULNERABILITY DETAILS

ScopedPageSuspender works by taking pages from Page::ordinaryPages() and marking them as suspended. When window.close() is called, the following operations are performed:

From /third_party/WebKit/Source/web/ChromeClientImpl.cpp:

```cpp
void ChromeClientImpl::closeWindowSoon() {
  // Make sure this Page can no longer be found by JS.
  m_webView->page()->willBeClosed();

  // Make sure that all loading is stopped. Ensures that JS stops executing!
  m_webView->mainFrame()->stopLoading();

  if (m_webView->client())
    m_webView->client()->closeWidgetSoon();
}
```

|m_webView->page()->willBeClosed()| removes the associated page from the ordinaryPages set. Therefore, suspenders instantiated later, for example during |m_webView->mainFrame()->stopLoading()|, won't include the closing page. This allows an attacker to circumvent the suspender and perform synchronous loads in unexpected circumstances.
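The ordering problem described above, modelled as an added C++ example that is not Chromium's code: a stand-in ScopedPageSuspender snapshots a stand-in ordinaryPages() set at construction time, and a closeWindowSoon() that unregisters the page before stopping loading therefore leaves the closing page unsuspended. The names ScopedPageSuspender, ordinaryPages, willBeClosed and stopLoading mirror the report; the Page struct, the function bodies, and the alternative ordering in closeWindowSoonRegisteredUntilStopped() are assumptions made for illustration, not Chromium's implementation or its fix.

```cpp
// Toy model of the ordering issue in the report (illustration only, not
// Chromium code): a suspender only covers pages that are still registered
// in ordinaryPages() at the moment it is constructed.
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Page {
    std::string name;
    bool suspended = false;
    bool closed = false;
};

// Stand-in for Page::ordinaryPages(): the registry of live pages.
static std::set<Page*>& ordinaryPages() {
    static std::set<Page*> pages;
    return pages;
}

// Stand-in for ScopedPageSuspender: suspends every page present in
// ordinaryPages() at construction and resumes those same pages on
// destruction. A page absent from the set at construction is untouched.
class ScopedPageSuspender {
public:
    ScopedPageSuspender() {
        for (Page* p : ordinaryPages()) {
            p->suspended = true;
            suspended_.push_back(p);
        }
    }
    ~ScopedPageSuspender() {
        for (Page* p : suspended_) p->suspended = false;
    }
private:
    std::vector<Page*> suspended_;
};

// Stand-in for Page::willBeClosed(): drops the page from the registry.
static void willBeClosed(Page& page) {
    page.closed = true;
    ordinaryPages().erase(&page);
}

// Stand-in for mainFrame()->stopLoading(), which per the report may
// instantiate a suspender. Returns whether |page| was covered by it.
static bool stopLoading(Page& page) {
    ScopedPageSuspender suspender;
    return page.suspended;  // true only if the suspender saw the page
}

// Ordering from the report's closeWindowSoon(): willBeClosed() first, then
// stopLoading(). Returns true if the closing page was suspended while
// loading was being stopped.
bool closeWindowSoonReportedOrder(Page& page) {
    willBeClosed(page);
    return stopLoading(page);
}

// Alternative ordering (an assumption for illustration, not Chromium's fix):
// stop loading while the page is still registered, then unregister it.
bool closeWindowSoonRegisteredUntilStopped(Page& page) {
    bool covered = stopLoading(page);
    willBeClosed(page);
    return covered;
}

// Creates a fresh page and registers it, so each scenario starts clean.
Page& registerPage(const std::string& name) {
    static std::vector<std::unique_ptr<Page>> owned;
    auto p = std::make_unique<Page>();
    p->name = name;
    ordinaryPages().insert(p.get());
    owned.push_back(std::move(p));
    return *owned.back();
}

int main() {
    Page& a = registerPage("closing-page-A");  // constructed sample page
    std::cout << "reported order, page suspended during stopLoading: "
              << std::boolalpha << closeWindowSoonReportedOrder(a) << "\n";
    Page& b = registerPage("closing-page-B");  // constructed sample page
    std::cout << "registered-until-stopped order, page suspended: "
              << closeWindowSoonRegisteredUntilStopped(b) << "\n";
    return 0;
}
```

The first call returns false because willBeClosed() has already removed the page from the set the suspender iterates over, which is the gap the report describes; the second returns true only because, in this model, the page stays registered until loading has been stopped.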

VERSION

Chrome 55.0.2883.75 (Stable)
Chrome 55.0.2883.75 (Beta)
Chrome 56.0.2924.14 (Dev)
Chromium 57.0.2943.0 + Pepper Flash (Release build compiled today)

Attachment: exploit.zip