
Issue 674938

Issue metadata

Status: Duplicate
Merged: issue 666714
Owner:
Closed: Dec 2016
OS: Windows
Pri: 2
Type: Bug-Security




UAF in onbeforeunload via cross process navigation

Reported by wadih.ma...@gmail.com, Dec 16 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Open http://localhost/UAF.html
2. Click the "click here" button, then the "then here" button (this step is to bypass the popup blocker)
3. Click "OK" in the alert box
4. Wait for all localhost pages to close

What is the expected behavior?
No use after free.

What went wrong?
This poc is a variant of the poc discussed in issue 666714.
The process hosting http://localhost will trigger a Use After Free (in content::RenderFrameImpl::OnBeforeUnload).
It works in chrome 55.0.2883.87 m and chrome 54.

Please note that issue 666714 got a security_severity Low because the poc provided needed a lot of user interaction, but these interactions can be much reduced, as you can see in this poc.

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

This poc uses a javascript navigation to http://chrome.google.com/webstore/category/extensions?hl=fr to make a cross process navigation, making user interaction minimal.
 
UAF-onbeforeunload.zip
2.7 KB Download
Owner: awhalley@chromium.org
Status: Assigned (was: Unconfirmed)
Labels: reward-topanel M-56 Security_Severity-Medium Security_Impact-Stable
Status: Fixed (was: Assigned)

Comment 3 by sheriffbot@chromium.org, Dec 22 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
To be consistent with other similar bugs (requiring just mouse clicks anywhere on the page from the victim), shouldn't this bug have a security severity High?

Comment 5 by sheriffbot@chromium.org, Dec 24 2016

Labels: Merge-Request-56

Comment 6 by dimu@chromium.org, Dec 25 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)

Comment 7 by sheriffbot@chromium.org, Dec 28 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by sheriffbot@chromium.org, Jan 2 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
Labels: -reward-topanel reward-0
We tracked the reward for this issue in bug 666714.
Labels: -Hotlist-Merge-Approved -Merge-Approved-56
Mergedinto: 666714
Status: Duplicate (was: Fixed)

Comment 11 by sheriffbot@chromium.org, Mar 30 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot