UaF outside the sandbox in RenderFrameDevToolsAgentHost::RevokePolicy
Reported by wadih.ma...@gmail.com, Sep 30 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1- http://localhost/poc/run.html
2- Social engineer the victim into pressing F12 (opens devtools)

What is the expected behavior?
No browser crash

What went wrong?
During a cross-process navigation, if devtools is opened (or already opened), RenderFrameDevToolsAgentHost::RevokePolicy can be forced to manipulate a freed object (RenderProcessHost?) in the browser process.

Did this work before? N/A

Chrome version: 61.0.3163.100
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Also works on chrome 63.0.3227.0 (Official Build) canary (64 bits)
Oct 2 2017

Oct 2 2017
Can I be in CC in issue 742955? Thanks.
Oct 3 2017
Hi, I need to follow issue 742955 so that I know when it's patched. It will prevent me from wasting my research time on duplicate / soon-to-be-patched bugs related to the devtools.
Jan 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Sep 30 2017
Components: Platform>DevTools
Labels: -Pri-2 Security_Impact-Stable M-61 Security_Severity-High Pri-1
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)