Seebug SSV:93025 (www.seebug.org, submitted by Root)
Apr 24, 2017

Chrome Universal XSS using Flash message loop (CVE-2016-1631)

EPSS: 0.007 (Low), percentile 78.7%

VULNERABILITY DETAILS

From /content/renderer/pepper/ppb_flash_message_loop_impl.cc:

    int32_t PPB_Flash_MessageLoop_Impl::InternalRun(
        const RunFromHostProxyCallback& callback) {
      (...)
      // It is possible that the PPB_Flash_MessageLoop_Impl object has been
      // destroyed when the nested message loop exits.
      scoped_refptr<State> state_protector(state_);
      {
        base::MessageLoop::ScopedNestableTaskAllower allow(
            base::MessageLoop::current());
        base::MessageLoop::current()->Run();
      }
      (...)
    }

|PPB_Flash_MessageLoop_Impl::InternalRun| doesn't initialize a ScopedPageLoadDeferrer before spinning the nested event loop; that guard is what Blink uses to suspend page loads while a nested loop runs. With loads left undeferred, a pending cross-origin navigation can commit inside the nested loop, so when the loop exits the script that entered it keeps running while a different document is now in place. As a result, cross-origin documents can be loaded at an arbitrary JavaScript execution point.
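To make the failure mode concrete, the following is a self-contained toy model added for this page; it is not Chromium code and not the attached proof of concept. A single-threaded task queue stands in for base::MessageLoop, a Page records which origin's document is committed, and an RAII guard plays the role that ScopedPageLoadDeferrer plays in Blink (loads cannot commit while it is alive, and parked loads resume when it is destroyed). The names MessageLoop, Page, PostNavigationCommit, PluginRunNestedLoop and Simulate, and the two sample origins, are this example's own assumptions; which Flash API call reaches the nested loop in practice is not modelled.

```cpp
#include <deque>
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using Task = std::function<void()>;

// Single-threaded FIFO task queue standing in for base::MessageLoop.
class MessageLoop {
 public:
  void PostTask(Task t) { queue_.push_back(std::move(t)); }
  // Drains the queue. Calling this from inside a task is the
  // "nested message loop" that InternalRun spins.
  void RunUntilIdle() {
    while (!queue_.empty()) {
      Task t = std::move(queue_.front());
      queue_.pop_front();
      t();
    }
  }
 private:
  std::deque<Task> queue_;
};

// The renderer's view of a frame: which origin's document is committed.
struct Page {
  std::string origin;
  bool defers_loading = false;                    // true while a deferrer is alive
  std::vector<std::string> deferred_navigations;  // commits parked by the deferrer
};

// Queues the task that commits an in-flight navigation. If loads are
// deferred when it runs, it parks itself instead of committing.
void PostNavigationCommit(MessageLoop& loop, Page& page, std::string new_origin) {
  loop.PostTask([&loop, &page, new_origin]() {
    if (page.defers_loading) { page.deferred_navigations.push_back(new_origin); return; }
    page.origin = new_origin;  // the cross-origin document is now committed
  });
}

// Hypothetical stand-in for Blink's ScopedPageLoadDeferrer: no load commits
// while it is alive; parked commits are re-queued when it goes out of scope.
class ScopedPageLoadDeferrer {
 public:
  ScopedPageLoadDeferrer(Page& page, MessageLoop& loop) : page_(page), loop_(loop) {
    page_.defers_loading = true;
  }
  ~ScopedPageLoadDeferrer() {
    page_.defers_loading = false;
    for (const std::string& origin : page_.deferred_navigations)
      PostNavigationCommit(loop_, page_, origin);
    page_.deferred_navigations.clear();
  }
 private:
  Page& page_;
  MessageLoop& loop_;
};

// The plugin entry point that spins a nested loop: the shape the advisory
// describes (no deferrer) versus the hardened shape (deferrer held across Run).
void PluginRunNestedLoop(MessageLoop& loop, Page& page, bool with_deferrer) {
  if (with_deferrer) {
    ScopedPageLoadDeferrer deferrer(page, loop);
    loop.RunUntilIdle();
  } else {
    loop.RunUntilIdle();
  }
}

struct Outcome {
  std::string origin_seen_by_script;  // document committed when the script resumes
  std::string origin_after_loop;      // document committed once the outer loop drains
};

// Script in attacker.example starts a cross-origin navigation of its frame and
// then calls into the plugin. Which document is committed when it resumes?
Outcome Simulate(bool with_deferrer) {
  MessageLoop loop;
  Page page;
  page.origin = "https://attacker.example";  // constructed sample origins
  Outcome out;
  loop.PostTask([&]() {
    PostNavigationCommit(loop, page, "https://victim.example");
    PluginRunNestedLoop(loop, page, with_deferrer);
    out.origin_seen_by_script = page.origin;
  });
  loop.RunUntilIdle();
  out.origin_after_loop = page.origin;
  return out;
}

int main() {
  Outcome vuln = Simulate(false), fixed = Simulate(true);
  std::cout << "no deferrer:   script resumes against " << vuln.origin_seen_by_script << "\n"
            << "with deferrer: script resumes against " << fixed.origin_seen_by_script
            << ", navigation commits afterwards to " << fixed.origin_after_loop << "\n";
  return 0;
}
```

Without the guard, the commit task runs inside the nested loop and the script resumes with victim.example's document committed, which is the condition the advisory describes; with the guard, the commit is parked until the nested loop has unwound, and the navigation completes only after the script has finished.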

VERSION

Chrome 47.0.2526.80 (Stable)
Chrome 48.0.2564.41 (Beta)
Chrome 49.0.2587.3 (Dev)
Chromium 49.0.2591.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1631.zip