Chrome Universal XSS using iterables (CVE-2016-1668)

Seebug SSV:93004
Published: Apr 21, 2017
Source: www.seebug.org
EPSS: 0.008 (Low), percentile 80.1%

VULNERABILITY DETAILS

From /third_party/WebKit/Source/bindings/core/v8/Iterable.h:

```cpp
void forEachForBinding(...)
{
    (...)
    // Creation context is taken from the current global once, before the loop.
    v8::Local<v8::Object> creationContext(scriptState->context()->Global());
    v8::Local<v8::Function> v8Callback(callback.v8Value().As<v8::Function>());
    v8::Local<v8::Value> v8ThisArg(thisArg.v8Value());
    v8::Local<v8::Value> args[3];

    args[2] = thisValue.v8Value();

    while (true) {
        KeyType key;
        ValueType value;

        if (!source->next(scriptState, key, value, exceptionState))
            return;
        (...)
        // Wrappers for each key/value are created in the stale creationContext.
        args[0] = toV8(value, creationContext, isolate);
        args[1] = toV8(key, creationContext, isolate);
        (...)
        v8::Local<v8::Value> result;
        // Arbitrary script runs here, between two wrapper creations.
        if (!V8ScriptRunner::callFunction(v8Callback, scriptState->getExecutionContext(), v8ThisArg, 3, args, isolate).ToLocal(&result)) {
            exceptionState.rethrowV8Exception(tryCatch.Exception());
            return;
        }
    }
}
```

This code does not consider that the callback can change the security characteristics of the object used as the creation context. `creationContext` (the global object of the current window) is read once before the loop, but `V8ScriptRunner::callFunction` runs attacker-controlled script on every iteration, and that script can change the security origin of that global (for example by navigating the frame it belongs to). The next `toV8(value, creationContext, isolate)` then creates a wrapper in a creation context whose origin no longer matches the document it is handed to. This may lead to cross-origin object leaks.
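The following is an added example, not Blink code and not the attached exploit. It models the bug as a time-of-check/time-of-use pattern with constructed stand-in types: a window whose origin can change while a callback runs, and a forEach that either captures the creation context once (the shape above) or re-derives and re-validates it after every re-entrancy point. All type and function names are assumptions for illustration; the hardened variant is one reasonable mitigation, not Chromium's actual patch.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Constructed stand-in (not a Blink type) for a window's global object. Its
// security origin changes when the frame is navigated.
struct Global {
    std::string securityOrigin;
};

// Stand-in for what toV8() returns: records the origin of the creation
// context used, and the window's origin at the moment of creation.
struct Wrapper {
    std::string creationOrigin;
    std::string windowOriginAtCreation;
    int key;
    int value;
};

struct Entry {
    int key;
    int value;
};

// The forEach callback: user script that may re-enter the engine.
using Callback = std::function<void(Global&, const Wrapper& value, const Wrapper& key)>;

// A wrapper built in a creation context that did not match the window's
// origin at creation time is a cross-origin object leak in this model.
int countOriginMismatches(const std::vector<Wrapper>& wrappers) {
    int n = 0;
    for (const Wrapper& w : wrappers)
        if (w.creationOrigin != w.windowOriginAtCreation) ++n;
    return n;
}

// Same shape as forEachForBinding above: creation context captured once
// before the loop and reused after every callback invocation.
std::vector<Wrapper> forEachStaleContext(Global& global, const std::vector<Entry>& entries, const Callback& cb) {
    const std::string creationContext = global.securityOrigin;  // captured once
    std::vector<Wrapper> created;
    for (const Entry& e : entries) {
        Wrapper value{creationContext, global.securityOrigin, e.key, e.value};
        Wrapper key{creationContext, global.securityOrigin, e.key, e.key};
        created.push_back(value);
        created.push_back(key);
        cb(global, value, key);  // re-entry: script runs and may navigate the frame
    }
    return created;
}

// Hardened variant (illustrative): re-derive the creation context on every
// iteration and abort the iteration as soon as the callback has changed the
// window's security origin. Returns false when aborted.
bool forEachFreshContext(Global& global, const std::vector<Entry>& entries, const Callback& cb,
                         std::vector<Wrapper>& created) {
    const std::string originAtStart = global.securityOrigin;
    for (const Entry& e : entries) {
        if (global.securityOrigin != originAtStart)
            return false;  // security context changed under us: stop, create nothing more
        const std::string creationContext = global.securityOrigin;  // fresh per iteration
        Wrapper value{creationContext, global.securityOrigin, e.key, e.value};
        Wrapper key{creationContext, global.securityOrigin, e.key, e.key};
        created.push_back(value);
        created.push_back(key);
        cb(global, value, key);
    }
    return global.securityOrigin == originAtStart;
}

// Constructed scenario: three entries; the callback "navigates" the window on
// its first invocation, so every later wrapper is created after the change.
const std::vector<Entry> kEntries = {{0, 10}, {1, 11}, {2, 12}};

struct NavigateOnFirstCall {
    int calls = 0;
    void operator()(Global& g, const Wrapper&, const Wrapper&) {
        if (calls++ == 0)
            g.securityOrigin = "https://attacker.example";  // simulated navigation
    }
};

int staleLeaks() {
    Global g{"https://victim.example"};
    std::vector<Wrapper> w = forEachStaleContext(g, kEntries, NavigateOnFirstCall{});
    return countOriginMismatches(w);
}

int freshLeaks(bool* completed) {
    Global g{"https://victim.example"};
    std::vector<Wrapper> w;
    *completed = forEachFreshContext(g, kEntries, NavigateOnFirstCall{}, w);
    return countOriginMismatches(w);
}

int main() {
    bool done = false;
    std::printf("stale context: %d mismatched wrappers\n", staleLeaks());
    std::printf("fresh context: %d mismatched wrappers, completed=%d\n", freshLeaks(&done), done);
    return 0;
}
```

The stale variant hands out four wrappers created in the victim's context after the window has already moved to the attacker's origin; the fresh variant creates the two legitimate wrappers of the first iteration, notices the origin change on the next check and stops. The general lesson is the one the bug illustrates: any security-relevant value captured before calling into script must be treated as untrusted once the call returns.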

VERSION

Chrome 50.0.2661.87 (Stable)
Chrome 51.0.2704.22 (Beta)
Chrome 51.0.2704.19 (Dev)
Chromium 52.0.2716.0 (Release build compiled today)

Attachment: exploit.zip