Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1146
https://bugs.chromium.org/p/chromium/issues/detail?id=519558
VULNERABILITY DETAILS
From /WebKit/Source/core/dom/ContainerNode.cpp:
----------------
void ContainerNode::parserInsertBefore(PassRefPtrWillBeRawPtr<Node> newChild, Node& nextChild)
{
(...)
while (RefPtrWillBeRawPtr<ContainerNode> parent = newChild->parentNode())
parent->parserRemoveChild(*newChild);
if (document() != newChild->document())
document().adoptNode(newChild.get(), ASSERT_NO_EXCEPTION);
{
EventDispatchForbiddenScope assertNoEventDispatch;
ScriptForbiddenScope forbidScript;
treeScope().adoptIfNeeded(*newChild);
insertBeforeCommon(nextChild, *newChild);
newChild->updateAncestorConnectedSubframeCountForInsertion();
ChildListMutationScope(*this).childAdded(*newChild);
}
notifyNodeInserted(*newChild, ChildrenChangeSourceParser);
}
----------------
|parserRemoveChild| can run script, and that script can remove |nextChild| from the DOM or move nodes around. When this happens, the tree is left in an inconsistent state after the |insertBeforeCommon| call, allowing an attacker to bypass the frame restrictions.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42066.zip