Chrome Universal XSS using document.adoptNode (CVE-2015-6770)

Seebug SSV:93029, published Apr 24, 2017 by Root (www.seebug.org)
EPSS: 0.011 (Low), percentile 83.0%

VULNERABILITY DETAILS

From /third_party/WebKit/Source/core/dom/Document.cpp:

```cpp
PassRefPtrWillBeRawPtr<Node> Document::adoptNode(PassRefPtrWillBeRawPtr<Node> source, ExceptionState& exceptionState)
{
    EventQueueScope scope;

    switch (source->nodeType()) {
    (…)
    default:
        (…)
        if (source->parentNode()) {
            source->parentNode()->removeChild(source.get(), exceptionState);
            if (exceptionState.hadException())
                return nullptr;
        }
    }

    this->adoptIfNeeded(*source);

    return source;
}
```

This code expects that |removeChild(source.get(), exceptionState)| will either detach the source node or throw an exception if it cannot. However, the child can be reattached immediately after removal (through HTMLScriptElement::childrenChanged) if the parent node is a pending script whose type has recently changed to valid. In that case ContainerNode::removeChild does not throw, so the exceptionState check passes, adoptIfNeeded runs on a node that still has a parent, and the adopted node ends up in the wrong tree scope: attached under a parent in one document while its tree scope belongs to another. That inconsistency may lead to GC crashes and inconsistent frame states.
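The mechanism above, as an added example that is neither Blink's code nor the reporter's reproduction case: a toy C++ model in which a container's childrenChanged hook re-inserts the child that removeChild just detached, the way a pending script element can. Every name here (TreeScope, PendingScriptElement, adoptNodeVulnerable, adoptNodeHardened, Scenario) is a hypothetical stand-in, and the hardened variant's re-check after removeChild is one defensive option chosen for the example, not a claim about the fix Chromium shipped.

```cpp
// Added example (not Blink code): a toy model of the adoptNode invariant.
// All names are hypothetical stand-ins for the Blink classes they mimic.
#include <algorithm>
#include <cstdio>
#include <vector>

struct TreeScope {};  // stands in for a Document / tree scope

struct Node {
    Node* parent = nullptr;
    TreeScope* scope = nullptr;
    std::vector<Node*> children;
    virtual ~Node() = default;

    // Insert |child| under this node; a node always lives in its parent's scope.
    void appendChild(Node* child) {
        child->parent = this;
        child->scope = scope;
        children.push_back(child);
    }

    // Like ContainerNode::removeChild: returns false (the "throw" case) only when
    // |child| is not a child; otherwise detaches it and then notifies the
    // container, at which point subclass or page-controlled logic can run.
    bool removeChild(Node* child) {
        auto it = std::find(children.begin(), children.end(), child);
        if (it == children.end())
            return false;
        children.erase(it);
        child->parent = nullptr;
        childrenChanged(child);
        return true;
    }

    virtual void childrenChanged(Node* /*removed*/) {}
};

// Models a pending <script> whose childrenChanged hook re-inserts the node that
// was just removed (in the real bug this happens via script triggered from
// HTMLScriptElement::childrenChanged; here the reattachment is done directly).
struct PendingScriptElement : Node {
    bool reattachOnRemove = false;
    void childrenChanged(Node* removed) override {
        if (reattachOnRemove)
            appendChild(removed);
    }
};

// Same structure as the vulnerable excerpt: trusts that removeChild either
// detached |source| or failed, and never looks at |source| again.
Node* adoptNodeVulnerable(TreeScope* target, Node* source) {
    if (source->parent) {
        if (!source->parent->removeChild(source))
            return nullptr;  // the exception path
    }
    source->scope = target;  // adoptIfNeeded
    return source;
}

// Hardened variant: re-validate the invariant after the side-effecting call.
// Refusing the adoption is an assumption made for this example only.
Node* adoptNodeHardened(TreeScope* target, Node* source) {
    if (source->parent) {
        if (!source->parent->removeChild(source))
            return nullptr;
        if (source->parent)  // something reattached it during removal
            return nullptr;
    }
    source->scope = target;
    return source;
}

// Invariant a consistent tree satisfies: a node shares its parent's scope.
bool scopeConsistent(const Node* n) {
    return n->parent == nullptr || n->parent->scope == n->scope;
}

// Scenario from the report: a text child under a pending script in docA, with
// the reattach behaviour switched on or off; docB is the adopting document.
struct Scenario {
    TreeScope docA, docB;
    PendingScriptElement script;
    Node text;
    explicit Scenario(bool reattach) {
        script.scope = &docA;
        script.reattachOnRemove = reattach;
        script.appendChild(&text);
    }
};

// True if the vulnerable path "succeeds" yet leaves |text| under a parent in
// docA while its own scope says docB.
bool vulnerableLeavesInconsistentScope() {
    Scenario s(true);
    Node* adopted = adoptNodeVulnerable(&s.docB, &s.text);
    return adopted != nullptr && !scopeConsistent(&s.text);
}

// The hardened variant refuses the adoption and the tree stays consistent.
bool hardenedRefuses() {
    Scenario s(true);
    return adoptNodeHardened(&s.docB, &s.text) == nullptr && scopeConsistent(&s.text);
}

// Control: without the reattachment the node is adopted normally.
bool normalAdoptionWorks() {
    Scenario s(false);
    return adoptNodeHardened(&s.docB, &s.text) == &s.text && s.text.parent == nullptr && s.text.scope == &s.docB;
}

int main() {
    std::printf("vulnerable path inconsistent: %d\n", vulnerableLeavesInconsistentScope());
    std::printf("hardened path refuses:        %d\n", hardenedRefuses());
    std::printf("normal adoption works:        %d\n", normalAdoptionWorks());
    return 0;
}
```

The point the model makes is the general one behind this bug: once a call such as removeChild can run arbitrary page-controlled logic, the state it was supposed to establish must be re-checked afterwards rather than inferred from the absence of an exception.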

VERSION

Chrome 45.0.2454.101 (Stable)
Chrome 46.0.2490.64 (Beta)
Chrome 47.0.2526.5 (Dev)
Chromium 48.0.2531.0 (Release build compiled today)

REPRODUCTION CASE

Not included inline on this page; see the attachment (CVE-2015-6770).
