SSV:93027

Chrome Universal XSS via persistence of subframes (CVE-2015-6768)

Published: Apr 24, 2017
Author: Root
Source: www.seebug.org
EPSS: 0.011 (Low), percentile 83.0%
VULNERABILITY DETAILS

From /third_party/WebKit/Source/core/dom/Document.cpp:

```cpp
bool FrameLoader::prepareForCommit()
{
    PluginScriptForbiddenScope forbidPluginDestructorScripting;
    RefPtrWillBeRawPtr<DocumentLoader> pdl = m_provisionalDocumentLoader;
    (…)
    if (m_documentLoader) {
        client()->dispatchWillClose();
        dispatchUnloadEvent();
    }
    m_frame->detachChildren();
    // The previous calls to dispatchUnloadEvent() and detachChildren() can
    // execute arbitrary script via things like unload events. If the executed
    // script initiates a new load or causes the current frame to be detached,
    // we need to abandon the current load.
    if (pdl != m_provisionalDocumentLoader)
        return false;
    (…)
    if (m_frame->document())
        m_frame->document()->detach();
    m_documentLoader = m_provisionalDocumentLoader.release();
    m_frame->updateFrameSecurityOrigin();

    return true;
}
```

This logic depends on the assumption that dispatching the unload event will advance the navigated document’s |LoadEventProgress| state to UnloadEventHandled, such that creation of subframes will be suppressed. The frame’s document may change through synchronous loads, though. Normally, this is okay because the load will detach the provisional loader from the frame, and the |(pdl != m_provisionalDocumentLoader)| check will catch this. However, if the replacement occurs through loading a javascript: URI during a page dismissal event, which suppresses detaching loaders, the provisional loader will remain attached. As a result, an attacker will be able to attach subframes that will persist in the frame tree of a cross-origin document.
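The two cases described above, as an added illustration that is not Blink or Chromium code: a deliberately small model of the commit check, with hypothetical simplified names (Frame, Document, DocumentLoader, prepareForCommitLoaderCheck) standing in for the Blink objects. The first function mirrors the excerpt's loader-identity check; the second adds a document-identity check as an assumed hardening for illustration only, not Chromium's actual fix. Scenario 1 is an ordinary synchronous load from the unload handler (document swapped, provisional loader detached); scenario 2 is a javascript: URI load during page dismissal (document swapped, provisional loader left attached).

```cpp
// Added illustration, not Blink/Chromium code: a minimal model of the
// prepareForCommit() check quoted above. All names are hypothetical
// simplifications of the Blink objects they stand for.
#include <cassert>
#include <functional>
#include <memory>

struct DocumentLoader {};

struct Document {
    // Stands in for LoadEventProgress reaching UnloadEventHandled; while true,
    // the document refuses to create subframes.
    bool unloadEventHandled = false;
};

struct Frame {
    std::shared_ptr<Document> document = std::make_shared<Document>();
    std::shared_ptr<DocumentLoader> documentLoader = std::make_shared<DocumentLoader>();
    std::shared_ptr<DocumentLoader> provisionalDocumentLoader = std::make_shared<DocumentLoader>();
};

// Whatever script runs during the unload event; it receives the frame.
using UnloadScript = std::function<void(Frame&)>;

struct CommitResult {
    bool committed;                // did the provisional loader become current?
    bool documentCanCreateFrames;  // state of the frame's document afterwards
};

// Mirrors the excerpt: capture the provisional loader, dispatch unload (which
// may run arbitrary script), then commit only if that loader is unchanged.
CommitResult prepareForCommitLoaderCheck(Frame& f, const UnloadScript& unload) {
    auto pdl = f.provisionalDocumentLoader;
    if (f.documentLoader) {
        f.document->unloadEventHandled = true;  // dispatchUnloadEvent()
        unload(f);                              // arbitrary script
    }
    if (pdl != f.provisionalDocumentLoader)
        return {false, !f.document->unloadEventHandled};
    f.documentLoader = pdl;                     // m_provisionalDocumentLoader.release()
    f.provisionalDocumentLoader = nullptr;
    return {true, !f.document->unloadEventHandled};
}

// Hardened variant (an assumption for illustration, not Chromium's fix): also
// abandon the commit if the document we dispatched unload to is no longer the
// frame's document.
CommitResult prepareForCommitDocumentCheck(Frame& f, const UnloadScript& unload) {
    auto pdl = f.provisionalDocumentLoader;
    auto doc = f.document;
    if (f.documentLoader) {
        f.document->unloadEventHandled = true;
        unload(f);
    }
    if (pdl != f.provisionalDocumentLoader || doc != f.document)
        return {false, !f.document->unloadEventHandled};
    f.documentLoader = pdl;
    f.provisionalDocumentLoader = nullptr;
    return {true, !f.document->unloadEventHandled};
}

// Scenario 1: an ordinary synchronous load from the unload handler. It swaps
// the document and, as the report notes, detaches the provisional loader.
void ordinarySynchronousLoad(Frame& f) {
    f.document = std::make_shared<Document>();
    f.provisionalDocumentLoader = nullptr;
}

// Scenario 2: a javascript: URI load during page dismissal. The document is
// replaced by a fresh one (unload not yet handled), but loader detachment is
// suppressed, so the provisional loader stays attached.
void javascriptUriLoadDuringDismissal(Frame& f) {
    f.document = std::make_shared<Document>();
}

int main() {
    Frame a, b, c, d;
    CommitResult r1 = prepareForCommitLoaderCheck(a, ordinarySynchronousLoad);
    CommitResult r2 = prepareForCommitLoaderCheck(b, javascriptUriLoadDuringDismissal);
    CommitResult r3 = prepareForCommitDocumentCheck(c, ordinarySynchronousLoad);
    CommitResult r4 = prepareForCommitDocumentCheck(d, javascriptUriLoadDuringDismissal);
    assert(!r1.committed);                                // caught by the loader check
    assert(r2.committed && r2.documentCanCreateFrames);   // the state the report describes
    assert(!r3.committed && !r4.committed);               // document check abandons both
    return 0;
}
```

The model shows why comparing only loader identity is too weak: in scenario 2 the commit goes ahead while the frame holds a fresh document whose unload state never advanced, which is exactly the condition under which subframe creation is no longer suppressed. Checking document identity as well turns that case into an abandoned load.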

VERSION

Chrome 46.0.2490.86 (Stable)
Chrome 47.0.2526.58 (Beta)
Chrome 48.0.2560.0 (Dev)
Chromium 49.0.2566.0 (Release build compiled today)

Attachment: CVE-2015-6768