This was a simple interaction between Object.defineProperty and IE’s context-menu Properties dialog. Redefining documentElement on an iFrame’s document via a getter, and then asking IE to show the Properties dialog for that iFrame, caused a crash inside the property sheet machinery as it tried to introspect the custom getter.
<iframe name="iFrame" width="600" height="120"></iframe>
<script>
iFrame.document.write('<br /><br /><center>Right-click inside this iFrame and select properties from the context menu.</center>');
iFrame.document.close();
// Shadow the document's documentElement with a getter that returns undefined.
Object.defineProperty(iFrame.document,"documentElement",{get:function(){}});
</script>
After loading the page, right-clicking inside the iFrame and selecting “Properties” triggers the crash. The Properties dialog uses GetTypeInfo to enumerate the document’s properties, which invokes the custom getter via the JScript9 cross-site thunk. The thunk tries to read a vtable pointer at offset +4 from the getter’s context object, which is null. Exploitability was rated PROBABLY_NOT_EXPLOITABLE.
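What the `defineProperty` call does at the object level, as an added example that is not code from the original post: it installs an own accessor on the document instance that shadows the inherited `documentElement` and yields `undefined`, which is what any caller enumerating the object then gets back. `FakeDocument` and `findShadowingAccessors` are hypothetical names, and the object is a constructed stand-in so the snippet runs outside a browser.

```javascript
// Constructed stand-in for a DOM document: documentElement is an accessor
// on the prototype, as it is for documents in modern browsers.
class FakeDocument {
  get documentElement() { return { tagName: "HTML" }; }
  get title() { return "sample"; }
}

// Report own accessor properties that shadow a property inherited from the
// prototype chain, together with what their getter actually yields.
function findShadowingAccessors(obj) {
  const findings = [];
  const proto = Object.getPrototypeOf(obj);
  for (const name of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, name);
    if (typeof desc.get !== "function") continue;     // data or setter-only property
    if (proto === null || !(name in proto)) continue; // nothing inherited is shadowed
    let value;
    let threw = false;
    try { value = desc.get.call(obj); } catch (e) { threw = true; }
    findings.push({
      name,
      threw,
      // A consumer that expects an object here has to handle this case.
      yieldsNothing: !threw && (value === undefined || value === null),
    });
  }
  return findings;
}

const doc = new FakeDocument();
const before = findShadowingAccessors(doc);
// Same call as in the page's snippet, applied to the stand-in object.
Object.defineProperty(doc, "documentElement", { get: function () {} });
const after = findShadowingAccessors(doc);
```

A host-side test harness can run a check like this over objects that script has touched before handing them to native enumeration code, and flag any entry where `yieldsNothing` or `threw` is true.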
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.