SSV:93035
Apr 24, 2017

Chrome Universal XSS via ContainerNode::parserInsertBefore (CVE-2015-6755)

Root
www.seebug.org

EPSS: 0.011 (Low), percentile 82.7%

VULNERABILITY DETAILS

From /WebKit/Source/core/dom/ContainerNode.cpp:

```cpp
void ContainerNode::parserInsertBefore(PassRefPtrWillBeRawPtr<Node> newChild, Node& nextChild)
{
    (…)
    while (RefPtrWillBeRawPtr<ContainerNode> parent = newChild->parentNode())
        parent->parserRemoveChild(*newChild);

    if (document() != newChild->document())
        document().adoptNode(newChild.get(), ASSERT_NO_EXCEPTION);

    {
        EventDispatchForbiddenScope assertNoEventDispatch;
        ScriptForbiddenScope forbidScript;

        treeScope().adoptIfNeeded(*newChild);
        insertBeforeCommon(nextChild, *newChild);
        newChild->updateAncestorConnectedSubframeCountForInsertion();
        ChildListMutationScope(*this).childAdded(*newChild);
    }

    notifyNodeInserted(*newChild, ChildrenChangeSourceParser);
}
```

|parserRemoveChild| can run script (removing an <iframe>, for instance, fires that frame's unload handlers), and that script can remove |nextChild| from the DOM or move it elsewhere in the tree. The removal loop runs before the ScriptForbiddenScope is entered, and nothing re-checks that |nextChild| is still a child of |this| afterwards, so |insertBeforeCommon| links |newChild| into a sibling chain that no longer belongs to this node. The tree is then in an inconsistent state, which an attacker can use to bypass the frame restrictions and run script cross-origin (universal XSS).
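To make the reentrancy hazard concrete, here is an added toy model of the parent/sibling pointer surgery, not Chromium code and not the actual patch: a removal hook stands in for the script that runs during |parserRemoveChild|, and the hook moves |nextChild| to another container. The "vulnerable" insert trusts |nextChild| as the original code does; the "checked" variant re-validates |nextChild.parent| after the reentrant call, which is an assumed hardening pattern rather than Chromium's fix. All node names and the hook are constructed for the example.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Toy model of Blink's parent/sibling pointer layout. Added illustration only;
// none of this is Chromium code.
struct Node {
    std::string name;
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* lastChild = nullptr;
    Node* prev = nullptr;
    Node* next = nullptr;
    explicit Node(std::string n) : name(std::move(n)) {}
};

// Stands in for "script runs while a node is being removed" (hypothetical hook).
using RemovalHook = std::function<void(Node& removed)>;

// Detach child from its parent's sibling chain.
void unlink(Node& child) {
    Node* p = child.parent;
    if (!p) return;
    if (child.prev) child.prev->next = child.next; else p->firstChild = child.next;
    if (child.next) child.next->prev = child.prev; else p->lastChild = child.prev;
    child.prev = child.next = nullptr;
    child.parent = nullptr;
}

void appendChild(Node& self, Node& child) {
    unlink(child);
    child.parent = &self;
    child.prev = self.lastChild;
    if (self.lastChild) self.lastChild->next = &child; else self.firstChild = &child;
    self.lastChild = &child;
}

// Like parserRemoveChild: unlink, then let "script" react to the removal.
void parserRemoveChild(Node& child, const RemovalHook& hook) {
    unlink(child);
    if (hook) hook(child);
}

// Like insertBeforeCommon: pure pointer surgery that trusts nextChild.parent == &self.
void insertBeforeCommon(Node& self, Node& nextChild, Node& newChild) {
    newChild.parent = &self;
    newChild.next = &nextChild;
    newChild.prev = nextChild.prev;
    if (nextChild.prev) nextChild.prev->next = &newChild; else self.firstChild = &newChild;
    nextChild.prev = &newChild;
}

// Vulnerable shape: detach newChild (script may run), then insert without re-checking nextChild.
void parserInsertBeforeVulnerable(Node& self, Node& newChild, Node& nextChild, const RemovalHook& hook) {
    while (newChild.parent) parserRemoveChild(newChild, hook);
    insertBeforeCommon(self, nextChild, newChild);
}

// Hardened shape (assumed pattern, not Chromium's actual patch): re-validate after reentrancy.
bool parserInsertBeforeChecked(Node& self, Node& newChild, Node& nextChild, const RemovalHook& hook) {
    while (newChild.parent) parserRemoveChild(newChild, hook);
    if (nextChild.parent != &self) return false;  // tree changed underneath us; refuse to insert
    insertBeforeCommon(self, nextChild, newChild);
    return true;
}

// Invariant: every node in self's sibling chain has parent == &self and consistent prev links.
bool treeConsistent(const Node& self) {
    const Node* expectedPrev = nullptr;
    for (const Node* c = self.firstChild; c; c = c->next) {
        if (c->parent != &self || c->prev != expectedPrev) return false;
        expectedPrev = c;
    }
    return self.lastChild == expectedPrev;
}

struct Outcome { bool inserted; bool pConsistent; bool qConsistent; };

// Constructed scenario: the parser inserts n (currently under Q) before target (under P);
// the "script" triggered by n's removal moves target from P into Q.
Outcome runScenario(bool hardened) {
    Node P("P"), Q("Q"), target("target"), n("n");
    appendChild(P, target);
    appendChild(Q, n);
    RemovalHook hook = [&](Node&) { appendChild(Q, target); };
    bool inserted = true;
    if (hardened) inserted = parserInsertBeforeChecked(P, n, target, hook);
    else parserInsertBeforeVulnerable(P, n, target, hook);
    return {inserted, treeConsistent(P), treeConsistent(Q)};
}

int main() {
    Outcome v = runScenario(false), h = runScenario(true);
    std::printf("vulnerable: P consistent=%d Q consistent=%d\n", v.pConsistent, v.qConsistent);
    std::printf("hardened:   inserted=%d P consistent=%d Q consistent=%d\n", h.inserted, h.pConsistent, h.qConsistent);
    return 0;
}
```

In the vulnerable run, n ends up with parent P but linked as the predecessor of a node that now lives under Q, so both containers fail the invariant; the checked variant simply refuses the insert and both trees stay consistent. The real code has the added wrinkle that the script runs before `ScriptForbiddenScope` is entered, so the forbid-script guard around `insertBeforeCommon` gives no protection against this ordering.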

VERSION

Chrome 44.0.2403.130 (Stable)
Chrome 45.0.2454.26 (Beta)
Chrome 46.0.2471.2 (Dev)
Chromium 46.0.2480.0 (Release build compiled today)

Attachment: CVE-2015-6755