seebug SSV:92997
History: Apr 21, 2017 - 12:00 a.m.

Chrome Universal XSS by polluting private scripts with named properties (CVE-2017-5008)

Published: 2017-04-21 00:00:00
Author: Root
Source: www.seebug.org

EPSS: 0.004 (Low), percentile 68.8%

VULNERABILITY DETAILS

When a private script method is invoked, a ScriptForbiddenScope::AllowUserAgentScript scope is set up so that the internal (user agent) script may run at a point where ordinary script is forbidden. It is possible to abuse this scope to execute page-controlled code from the following function:

static v8::Local<v8::Value> compileAndRunPrivateScript(ScriptState* scriptState, String scriptClassName, const char* source, size_t size)
{
    (...)
    v8::Local<v8::Context> context = scriptState->context();
    v8::Local<v8::Object> global = context->Global();
    v8::Local<v8::Value> privateScriptController = global->Get(context, v8String(isolate, "privateScriptController")).ToLocalChecked();
    RELEASE_ASSERT(privateScriptController->IsUndefined() || privateScriptController->IsObject());
    if (privateScriptController->IsObject()) {
        v8::Local<v8::Object> privateScriptControllerObject = privateScriptController.As<v8::Object>();
        v8::Local<v8::Value> importFunctionValue = privateScriptControllerObject->Get(context, v8String(isolate, "import")).ToLocalChecked();
        (...)
    }

Even though the context belongs to the private script isolated world, |global->Get(context, v8String(isolate, "privateScriptController"))| can return a DOM node if the document contains an element named "privateScriptController": named elements are exposed as properties of the window, and the isolated world's global shares the document with the page. If that node is a plugin element (<embed> or <object>), |privateScriptControllerObject->Get(context, v8String(isolate, "import"))| runs the plugin's property interceptor, so attacker-controlled code executes inside the AllowUserAgentScript scope. This allows the attacker to run script in the middle of node adoption and corrupt the DOM tree.
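As an added illustration (not code from the report, from exploit.zip, or from Blink), the following Node.js model reproduces the lookup pattern described above: a global whose property reads fall back to the document's named elements, a privileged routine that reads "privateScriptController" and then "import" from it while user-agent script is allowed, and a plugin element whose property read is answered by attacker code. The document, the isolated-world window and the plugin interceptor are simulated with plain objects and a Proxy. The Symbol-keyed lookup in the hardened variant is one possible mitigation assumed here for contrast, not the change Chromium shipped.

```javascript
// Added model of the named-property lookup abused by CVE-2017-5008.
// Nothing here is Blink code: the document, the isolated-world window and
// the plugin's property interceptor are all simulated.

// Constructed "document": elements registered by name, mirroring the HTML
// named-access rule that exposes named <embed>/<object>/<form> on window.
function makeDocument() {
  const namedElements = new Map();
  return {
    createElement(tag, name) {
      const el = { tag, name };
      if (name) namedElements.set(name, el);
      return el;
    },
    namedElements,
  };
}

// Simulated window global for the private-script world. Reads consult the
// global's own properties first, then fall back to the document's named
// elements, which is what lets page-chosen names reach private script.
function makeWindow(document) {
  const ownProps = Object.create(null);
  return new Proxy(ownProps, {
    get(target, key) {
      if (key in target) return target[key];
      if (typeof key === 'string' && document.namedElements.has(key)) {
        return document.namedElements.get(key);
      }
      return undefined;
    },
  });
}

// Simulated ScriptForbiddenScope: true only while the private-script runner
// has entered its AllowUserAgentScript scope.
const scope = { userAgentScriptAllowed: false };

// Model of compileAndRunPrivateScript(): read "privateScriptController" from
// the global and, if it is an object, read its "import" property.
function runPrivateScript(window, log) {
  scope.userAgentScriptAllowed = true;
  try {
    const controller = window.privateScriptController;
    if (controller !== undefined && typeof controller === 'object') {
      // On a plugin element this read goes through the plugin's interceptor
      // (a JS getter in this model), not a plain data slot.
      const importFn = controller['import'];
      log.push(`import is ${typeof importFn}`);
    }
  } finally {
    scope.userAgentScriptAllowed = false;
  }
}

// The attacker's page: an <embed name="privateScriptController"> whose
// "import" property read runs attacker code and records the scope state.
function attackerPage(log) {
  const document = makeDocument();
  const embed = document.createElement('embed', 'privateScriptController');
  Object.defineProperty(embed, 'import', {
    get() {
      log.push(`attacker getter ran, userAgentScriptAllowed=${scope.userAgentScriptAllowed}`);
      return undefined;
    },
  });
  return makeWindow(document);
}

// Vulnerable path: the named element is returned for the controller lookup
// and the attacker's getter runs while user-agent script is allowed.
function scenarioVulnerable() {
  const log = [];
  runPrivateScript(attackerPage(log), log);
  return log;
}

// Assumed mitigation for contrast (not Chromium's fix): key the controller
// with a Symbol the page cannot name. The named-element fallback only matches
// string keys, so a page element can never be mistaken for the controller.
const CONTROLLER = Symbol('privateScriptController');

function runPrivateScriptHardened(window, log) {
  scope.userAgentScriptAllowed = true;
  try {
    const controller = window[CONTROLLER];
    if (controller === undefined) {
      log.push('no controller installed, import skipped');
      return;
    }
    log.push(`import is ${typeof controller['import']}`);
  } finally {
    scope.userAgentScriptAllowed = false;
  }
}

function scenarioHardened() {
  const log = [];
  runPrivateScriptHardened(attackerPage(log), log);
  return log;
}

console.log(scenarioVulnerable());
console.log(scenarioHardened());
```

Running the file prints the vulnerable log first, where the attacker's getter observes userAgentScriptAllowed=true before the runner even sees that "import" is undefined, and then the hardened log, where the page's element is never consulted. The model deliberately keeps the real bug's shape: the dangerous step is not the named lookup itself but that the second property read on an untrusted object hands control to the page while the forbidden-script check is lifted.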

VERSION

Chrome 54.0.2840.99 (Stable)
Chrome 55.0.2883.59 (Beta)
Chrome 56.0.2924.3 (Dev)
Chromium 57.0.2932.0 (Release build compiled today)

Annex: exploit.zip