The file upload mainly focuses on filtering. The up_img() function is used to process the submitted content, and the array records the type to be verified. Therefore, we need to understand the up_img() function in detail next.
Locate the up_img() function and analyze this code. The key point is to verify the value of type. After obtaining the information of the uploaded file with the pathinfo() function, it is assigned to pic_name. file_type obtains the type value in the uploaded file and the value after Content-Type in the data package. The strtolower() function converts all characters in file_type to lowercase and compares them with the type values in the array. The in_array() function searches whether there is a value equal to file_type in the array. If it exists, the file is uploaded. Since only the Content-Type value is verified, it can be determined that there is a vulnerability here.
Locate the up_img() function and analyze this code. The key point is to verify the value of type. After obtaining the information of the uploaded file with the pathinfo() function, it is assigned to pic_name. file_type obtains the type value in the uploaded file and the value after Content-Type in the data package. The strtolower() function converts all characters in file_type to lowercase and compares them with the type values in the array. The in_array() function searches whether there is a value equal to file_type in the array. If it exists, the file is uploaded. Since only the Content-Type value is verified, it can be determined that there is a vulnerability here.
As can be seen from the allocation, release, and caching process of the UAF object, if the relevant function is called to release the RenderWidgetHostViewAura object when there are still redraw tasks in the queue, the cached RenderWidgetHostViewAura pointer will be dereferenced when the Refresh function is called next time. However, the object has already been released, so a UAF will be triggered.
To avoid caching the RenderWidgetHostView when creating the CurrentTabDesktopMediaList, the object can be obtained through content::RenderFrameHost::FromID and content::RenderWidgetHostView when it is needed. When the view object is released, an empty pointer is returned, thus avoiding a UAF. The code is as follows:
To avoid caching the RenderWidgetHostView when creating the CurrentTabDesktopMediaList, the object can be obtained through content::RenderFrameHost::FromID and content::RenderWidgetHostView when it is needed. When the view object is released, an empty pointer is returned, thus avoiding a UAF. The code is as follows:
After the MediaList is created in the ProcessQueuedAccessRequest function, the show function is called to display the authorization pop-up window, as shown below:
In the StartUpdating function, the refresh_callback_ member variable is bound to the DesktopMediaListBase::ScheduleNextRefresh function, and then the refresh function is called, which is as follows:
In the Refresh function, the reply is bound to the OncaptureHandled function and then passed as a parameter to the CopyFromSurface function. Therefore, the OnCaptureHandled function will call the OnRefreshComplete function to return the result. In the OnRefreshComplete function, the OnRefreshComplete function will call the OnRefreshComplete function, and finally the refresh_callback_ will call the DesktopMediaListBase::ScheduleNextRefresh function, as shown below:
In the ScheduleNextRefresh function, the refresh_callback_ member variable is bound to itself again, and then a delayed task is released to call the Refresh function, forming a loop that constantly refreshes the window:
In the StartUpdating function, the refresh_callback_ member variable is bound to the DesktopMediaListBase::ScheduleNextRefresh function, and then the refresh function is called, which is as follows:
In the Refresh function, the reply is bound to the OncaptureHandled function and then passed as a parameter to the CopyFromSurface function. Therefore, the OnCaptureHandled function will call the OnRefreshComplete function to return the result. In the OnRefreshComplete function, the OnRefreshComplete function will call the OnRefreshComplete function, and finally the refresh_callback_ will call the DesktopMediaListBase::ScheduleNextRefresh function, as shown below:
In the ScheduleNextRefresh function, the refresh_callback_ member variable is bound to itself again, and then a delayed task is released to call the Refresh function, forming a loop that constantly refreshes the window:
After the POC calls the windows.close() function, the tab is closed, and a series of objects are released, including the previously allocated RenderFrameHostManager object. The message to close the window, after being distributed by the relevant Mojo components, calls the content::WebContentsImpl::Close function, as shown below:
CloseWebContents attempts to call fast shutdown to close the relevant tabs:
Through the above call chain, the window_ object is deleted.
CloseWebContents attempts to call fast shutdown to close the relevant tabs:
Through the above call chain, the window_ object is deleted.
After the browser receives the request, a RenderView is created by content::RenderFrameHostManager::InitRenderView, and a RenderWidget is created within the RenderView as follows:
This function calls a function in the web_contents_impl class to create a RenderView:
Finally, the web_contents_view_aura class is called to create a RenderWidgetHostViewAura object.
At this point, a RenderWidgetHostViewAura object is created. In the initialization function of the RenderWidgetHostViewAura, relevant functions are called to set the view_ variable to itself, as shown below:
The above code calls the SetView function of the RenderWidgetHostImpl class to set the view_ member variable to the passed-in this pointer:
In the POC code, a request is made to share the content of the current screen, which requires user authorization. The authorization process is as follows:
This function calls a function in the web_contents_impl class to create a RenderView:
Finally, the web_contents_view_aura class is called to create a RenderWidgetHostViewAura object.
At this point, a RenderWidgetHostViewAura object is created. In the initialization function of the RenderWidgetHostViewAura, relevant functions are called to set the view_ variable to itself, as shown below:
The above code calls the SetView function of the RenderWidgetHostImpl class to set the view_ member variable to the passed-in this pointer:
In the POC code, a request is made to share the content of the current screen, which requires user authorization. The authorization process is as follows:
Due to the fact that the main functions of Chrome are implemented in the chrome.dll file, and this DLL has not been loaded at this time, use the sxe ld chrome command to tell Windbg to interrupt after the chrome.dll file is loaded. Enter g to run the program and wait for the program to be interrupted. Use the lm command to confirm whether the chrome.dll file has been loaded:
After the chrome.dll file is loaded, you can use the .reload /f chrome.dll command to load the symbols of the chrome.dll file, as shown in the following figure:
The warnings that appear below can be ignored. After the symbols are loaded, you can perform source-level debugging, as follows:
After the chrome.dll file is loaded, you can use the .reload /f chrome.dll command to load the symbols of the chrome.dll file, as shown in the following figure:
The warnings that appear below can be ignored. After the symbols are loaded, you can perform source-level debugging, as follows:
Chromium issue 1187403 describes a UAF vulnerability. The PoC is as follows:
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed, if the redraw task of the window is still in the task queue, the task will be scheduled normally. However, there is a pointer cache of the window in the relevant class, and the pointer will be dereferenced, resulting in a UAF.
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed, if the redraw task of the window is still in the task queue, the task will be scheduled normally. However, there is a pointer cache of the window in the relevant class, and the pointer will be dereferenced, resulting in a UAF.
It is necessary to set secure_file_priv to empty, i.e., secure_file_priv = ''; or secure_file_private should be the disk path where the general_log_file is stored. However, general_log_file can be modified directly through SQL statements. It must be changed to a file with a PHP extension, otherwise the log cannot be parsed:
Then, a new log file named 1.log will appear under the D drive. However, it is also necessary to consider whether the connection to the log can be successful. For example, if secure_file_priv is fixed to G:\, and the website is hosted on the D drive, modifying general_log_file to a file under the G drive will not allow successful connection, unless there are vulnerabilities in the file or other issues.
Then, a new log file named 1.log will appear under the D drive. However, it is also necessary to consider whether the connection to the log can be successful. For example, if secure_file_priv is fixed to G:\, and the website is hosted on the D drive, modifying general_log_file to a file under the G drive will not allow successful connection, unless there are vulnerabilities in the file or other issues.
By combining the clickjacking vulnerability with the reflected XSS vulnerability, it can be transformed into a stored XSS vulnerability. The most important feature of the reflected XSS vulnerability is that it is difficult to exploit. Therefore, attackers can convert the reflected XSS vulnerability into a stored XSS vulnerability through the clickjacking vulnerability. As long as the user clicks to trigger this vulnerability, they can execute any JavaScript code in the user's browser, which is extremely dangerous. Here's an example:
In this case, the target site has a reflected XSS or Self-XSS vulnerability. The page is the one in the following picture, which is a large text box. Entering <script> alert(document.cookie)</script> will pop up the cookie, indicating the presence of Self-XSS:
The target site also has a clickjacking vulnerability. We checked the response and found that the target site did not set the X-Frame-Options header, so the clickjacking vulnerability exists:
In this case, the target site has a reflected XSS or Self-XSS vulnerability. The page is the one in the following picture, which is a large text box. Entering <script> alert(document.cookie)</script> will pop up the cookie, indicating the presence of Self-XSS:
The target site also has a clickjacking vulnerability. We checked the response and found that the target site did not set the X-Frame-Options header, so the clickjacking vulnerability exists: