[2] Cross-Process Page Identity Confusion in didPostMessage
Severity: High | Component: WebKit UIProcess | 1ad0d2a
The UI-process IPC shown in the diff resolved a WebPageProxyIdentifier through a global lookup, without verifying that the sender owns that page, and delivered a user-script message to the target page. A compromised renderer could use this to inject a payload into another renderer's WKScriptMessageHandler. For this reason the issue is rated High severity.
WebProcessProxy::didPostMessage() resolved the WebPageProxyIdentifier via the global WebPageProxy::fromIdentifier(). It then acted on the result without checking whether that page belongs to the sending WebProcess. Under site isolation this identifier is a process-independent handle, so if a compromised renderer supplies the identifier of an arbitrary page, a forged postMessage payload can be delivered as though it had been sent from that page.
Source/WebKit/UIProcess/WebProcessProxy.cpp
RefPtr page = WebPageProxy::fromIdentifier(pageID);
if (!page)
return completionHandler(makeUnexpected(String()));
+ MESSAGE_CHECK_COMPLETION(isAssociatedWithPage(pageID), completionHandler(makeUnexpected(String())));
RefPtr controller = WebUserContentControllerProxy::get(identifier);
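Review bot: the new MESSAGE_CHECK_COMPLETION runs after `WebPageProxy::fromIdentifier(pageID)` and the null check, so a page this process does not own is still resolved before ownership is tested; placing `isAssociatedWithPage(pageID)` ahead of the lookup would keep the handler from touching foreign pages at all. Also, `RefPtr controller = WebUserContentControllerProxy::get(identifier);` on the following line is a second global lookup keyed by a renderer-supplied id with no check that the controller belongs to this page or process; it deserves the same ownership gate or a comment explaining why it is safe without one.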
+ for (Ref remotePage : m_remotePages) {
+ if (remotePage->page() && remotePage->page()->identifier() == pageID)
+ return true;
+ }
+ if (m_pagesPendingClose.contains(pageID))
+ return true;
Patch Details
Immediately after the global lookup, MESSAGE_CHECK_COMPLETION(isAssociatedWithPage(pageID), ...) was added. isAssociatedWithPage was extended to also consult m_remotePages (the processes hosting cross-origin iframes under site isolation) and the newly introduced m_pagesPendingClose counted set. m_pagesPendingClose is populated by a new helper, sendPageCloseMessage, which wraps every Messages::WebPage::Close send. The call sites in ProvisionalPageProxy, RemotePageProxy, SuspendedPageProxy and WebPageProxy were changed to use this helper.
Missing sender-process ownership check in a UI-process IPC handler that resolves cross-process object handles through a global registry.
Background
WebPageProxy is the UI-process object that represents a logical tab. Under site isolation, a single page can be connected to several WebContent processes: in addition to the main-frame process, a per-site RemotePageProxy is attached for each cross-origin iframe. WebProcessProxy tracks the pages each renderer hosts through m_pageMap, m_provisionalPages, m_remotePages and m_suspendedPages. WebPageProxyIdentifier is a globally unique handle that WebPageProxy::fromIdentifier() resolves regardless of who is asking. didPostMessage is the UI-process handler invoked when an injected user script calls window.webkit.messageHandlers.<name>.postMessage(...). On failure, MESSAGE_CHECK aborts the message and terminates the sending WebContent process.
Analysis
The handler resolved the renderer-supplied WebPageProxyIdentifier globally. It performed no ownership check and forwarded the payload unchanged through the resolved page's WebUserContentControllerProxy. A compromised WebContent process could therefore forge a WebProcessProxy::DidPostMessage carrying a victim page's identifier and a serialized JS payload, and the UI process would treat it as having originated from that page.
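The ownership gate described in the Analysis and Patch Details, modelled as a small stand-alone C++ program added here (not WebKit code): a global page registry, a pre-patch handler that trusts any resolvable page id, and a post-patch handler gated by isAssociatedWithPage, including the m_pagesPendingClose window. All names and the scenario are constructed to mirror the patch.

```cpp
#include <map>
#include <set>
#include <string>
// Hypothetical model of the ownership check discussed above; names mirror the patch, but this is not WebKit code.
using PageID = unsigned long;
struct WebPageProxy { std::string lastMessage; };
enum class Result { Delivered, NoSuchPage, MessageCheckFailed };
// Global registry: any process can resolve any page id, like WebPageProxy::fromIdentifier().
static std::map<PageID, WebPageProxy*> g_pages;
static WebPageProxy* fromIdentifier(PageID id) { return g_pages.count(id) ? g_pages[id] : nullptr; }
struct WebProcessProxy {
    std::set<PageID> m_pageMap;                // pages whose main frame this renderer hosts
    std::set<PageID> m_remotePages;            // cross-origin iframe pages under site isolation
    std::multiset<PageID> m_pagesPendingClose; // counted set, filled when a Close message is sent
    bool isAssociatedWithPage(PageID id) const {
        return m_pageMap.count(id) || m_remotePages.count(id) || m_pagesPendingClose.count(id);
    }
    // Models sendPageCloseMessage: the page leaves the live map while its Close is still in flight.
    void sendPageCloseMessage(PageID id) { m_pageMap.erase(id); m_pagesPendingClose.insert(id); }
    // Pre-patch handler: the global lookup is the only gate, so any live page id is accepted.
    Result didPostMessageVulnerable(PageID id, const std::string& payload) {
        WebPageProxy* page = fromIdentifier(id);
        if (!page) return Result::NoSuchPage;
        page->lastMessage = payload;
        return Result::Delivered;
    }
    // Post-patch handler: MESSAGE_CHECK_COMPLETION(isAssociatedWithPage(pageID), ...) after the lookup.
    Result didPostMessageFixed(PageID id, const std::string& payload) {
        WebPageProxy* page = fromIdentifier(id);
        if (!page) return Result::NoSuchPage;
        if (!isAssociatedWithPage(id)) return Result::MessageCheckFailed; // sender would be terminated
        page->lastMessage = payload;
        return Result::Delivered;
    }
};
// Constructed scenario: renderer A hosts page 1 only; page 2 belongs to some other renderer.
struct Scenario { Result foreignVuln, foreignFixed, ownFixed, pendingCloseFixed; };
Scenario runScenario() {
    static WebPageProxy page1, page2;
    g_pages = {{1, &page1}, {2, &page2}};
    WebProcessProxy rendererA;
    rendererA.m_pageMap = {1};
    Scenario s;
    s.foreignVuln  = rendererA.didPostMessageVulnerable(2, "forged"); // Delivered: the bug
    s.foreignFixed = rendererA.didPostMessageFixed(2, "forged");      // MessageCheckFailed
    s.ownFixed     = rendererA.didPostMessageFixed(1, "legit");       // Delivered
    rendererA.sendPageCloseMessage(1);                                // Close in flight for page 1
    s.pendingCloseFixed = rendererA.didPostMessageFixed(1, "late");   // Delivered, not a kill
    return s;
}
```

The last step shows why the pending-close set matters: without it, a legitimate message racing a Close would fail the check and kill an otherwise healthy renderer.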
🔒Explores how a cross-process IPC identifier can be weaponized against the UI process's per-renderer ownership boundaries, and what the realistic primitive looks like for a compromised WebContent process under site isolation.
Audit directions
🔒Four reusable audit patterns identified for confused-deputy bugs in UI-process IPC handlers, including specific helper predicates and lifecycle windows to investigate.