UAF in onbeforeunload via cross process navigation
Reported by wadih.ma...@gmail.com, Dec 16 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Open http://localhost/UAF.html
2. Click "click here" then "then here" buttons (this step is to bypass the popup blocker)
3. Click "OK" in the alert box
4. Wait for all localhost pages to close

What is the expected behavior?
No use after free.

What went wrong?
This PoC is a variant of the PoC discussed in issue 666714. The process hosting http://localhost will trigger a Use After Free (in content::RenderFrameImpl::OnBeforeUnload). It works in Chrome 55.0.2883.87 m and Chrome 54. Please note that issue 666714 got a security_severity Low because the PoC provided needed a lot of user interaction, but these interactions can be much reduced as you can see in this PoC.

Did this work before? N/A

Chrome version: 55.0.2883.87
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

This PoC uses a JavaScript navigation to http://chrome.google.com/webstore/category/extensions?hl=fr to make a cross process navigation, making user interaction minimal.
Comment 1 by penny...@chromium.org, Dec 21 2016
Status: Assigned (was: Unconfirmed)

Dec 22 2016

Dec 22 2016

Dec 22 2016
To be consistent with other similar bugs (requiring just mouse clicks anywhere on the page from the victim), shouldn't this bug have a security severity High?

Dec 24 2016

Dec 25 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)

Dec 28 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 2 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 12 2017

Jan 13 2017

Mar 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot