
Issue 887117 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 21
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: setAttributeNodeNS exploit in chrome webbrowser

Reported by junoy...@gmail.com, Sep 19

Issue description

#VULNERABILITY DETAILS
It seems that the Chrome browser also has the "setAttributeNodeNS()" bug which was found/patched in the WebKit JSC engine years ago.

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/WebKit/setAttributeNodeNS%20UAF%20Write-up.md


#VERSION
Chrome Version: 68.0.3440.106 + stable
Operating System: Windows 10 Home 1803, 17134.285

#REPRODUCTION CASE
After loading the HTML PoC code from the following link, the Chrome browser displayed an "alert()" with the "[object HTMLIFrameElement]" string. So, the JavaScript engine seems to think that "ownerElement" is the "iframe".

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/WebKit/setAttributeNodeNS%20UAF%20Write-up.md

 
Status: WontFix (was: Unconfirmed)
Thanks for the report! This doesn't appear to lead to a use-after-free in blink (which has diverged quite a bit from WebKit over time). It is a bit interesting that the behavior is different from other browsers, but since the object hasn't been freed there isn't much to worry about from the security side of things.
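As an added reference point for the ownership question raised in the report and in the triage reply above (this is example code written for this page; it is not code from the Chromium report, from Blink, or from the linked write-up): a small JavaScript model of the DOM specification's "set an attribute" algorithm, which is the algorithm Element.setAttributeNodeNS() runs. It tracks which element an Attr belongs to, so you can see what ownerElement is expected to read after each step and compare that with what a given browser prints. The class and function names (ModelElement, ModelAttr, probeOwnership) and the div/iframe scenario are assumptions made for the example, not part of the original page.

```javascript
// Added example, not code from the Chromium issue, Blink, or the linked write-up.
// Minimal model of the DOM spec's "set an attribute" and "remove an attribute"
// algorithms (https://dom.spec.whatwg.org/#concept-element-attributes-set), with
// Attr ownership tracked explicitly. ModelElement/ModelAttr are plain model
// classes standing in for the browser's Element/Attr (assumed names).

class InUseAttributeError extends Error {
  constructor() {
    super("attribute is already in use by another element");
    this.name = "InUseAttributeError";
  }
}

class ModelAttr {
  constructor(namespaceURI, localName, value) {
    this.namespaceURI = namespaceURI;
    this.localName = localName;
    this.value = value;
    this.ownerElement = null; // the spec's "attr's element"
  }
}

class ModelElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.attributes = []; // the element's attribute list, in order
  }

  // "get an attribute by namespace and local name"
  getAttributeNodeNS(namespaceURI, localName) {
    return this.attributes.find(
      a => a.namespaceURI === namespaceURI && a.localName === localName) || null;
  }

  // "set an attribute": what setAttributeNodeNS(attr) does
  setAttributeNodeNS(attr) {
    // 1. attr already owned by a different element -> InUseAttributeError
    if (attr.ownerElement !== null && attr.ownerElement !== this) {
      throw new InUseAttributeError();
    }
    // 2. look up an existing attribute with the same namespace and local name
    const oldAttr = this.getAttributeNodeNS(attr.namespaceURI, attr.localName);
    // 3. setting the same Attr again is a no-op
    if (oldAttr === attr) return attr;
    if (oldAttr !== null) {
      // 4. replace oldAttr in place; oldAttr is detached but still a live object
      this.attributes[this.attributes.indexOf(oldAttr)] = attr;
      oldAttr.ownerElement = null;
    } else {
      // 5. otherwise append
      this.attributes.push(attr);
    }
    attr.ownerElement = this;
    // 6. return the replaced Attr (or null)
    return oldAttr;
  }

  // "remove an attribute": what removeAttributeNode(attr) does
  removeAttributeNode(attr) {
    const i = this.attributes.indexOf(attr);
    if (i === -1) throw new Error("NotFoundError");
    this.attributes.splice(i, 1);
    attr.ownerElement = null;
    return attr;
  }
}

// Constructed scenario (not the PoC from the write-up): one Attr is created,
// attached to a div, then moved to an iframe and finally replaced there.
function probeOwnership() {
  const div = new ModelElement("DIV");
  const iframe = new ModelElement("IFRAME");
  const attr = new ModelAttr(null, "x", "1");

  div.setAttributeNodeNS(attr);
  const ownerAfterFirstSet = attr.ownerElement.tagName;

  // Attaching an in-use Attr to a second element must throw, not silently re-own it.
  let inUseThrown = false;
  try {
    iframe.setAttributeNodeNS(attr);
  } catch (e) {
    inUseThrown = e instanceof InUseAttributeError;
  }

  // The spec-conformant way to move it: detach first, then attach.
  div.removeAttributeNode(attr);
  iframe.setAttributeNodeNS(attr);
  const ownerAfterMove = attr.ownerElement.tagName;

  // Replacing it with a same-named Attr detaches the old one; the old Attr
  // object stays readable, which is the "not freed" point made in the triage reply.
  const attr2 = new ModelAttr(null, "x", "2");
  const replaced = iframe.setAttributeNodeNS(attr2);

  return {
    ownerAfterFirstSet,                       // "DIV"
    inUseThrown,                              // true
    ownerAfterMove,                           // "IFRAME"
    replacedIsOriginal: replaced === attr,    // true
    replacedOwner: attr.ownerElement,         // null
    replacedStillReadable: attr.value,        // "1"
    iframeAttrCount: iframe.attributes.length,            // 1
    iframeValue: iframe.getAttributeNodeNS(null, "x").value // "2"
  };
}
```

To compare a real browser against the model, run the same sequence with document.createElement, document.createAttributeNS and the real setAttributeNodeNS/removeAttributeNode in a page and print attr.ownerElement after each step; a divergence in what ownerElement reports is a spec-conformance difference, which on its own says nothing about whether the Attr object was freed.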

Comment 2 by sheriffbot@chromium.org, Dec 29

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
