I found that pushing a server-redirect URL pointing at blob: into the history stack with history.pushState, then reloading with history.go(0), caused a crash rated EXPLOITABLE in MSHTML!TSmartPointer<IInternetProtocol>::~TSmartPointer<IInternetProtocol>. The reload caused the browser to navigate to the redirect target, which triggered the blob protocol handler with invalid state, resulting in a DEP violation at a heap address.
history.pushState("", "", "redirect.aspx?URL=blob:"); // Set this URL in the history array.
history.go(0); // Reload the page to crash!
The fault occurred at address 0x00314440, a value on the heap, and was rated as a software NX / DEP violation. The call originated in MSHTML!CBlobProtocol::Abort, after CBlobProtocol::ReportResult, when the blob protocol was aborted with a corrupt smart pointer state and control transferred to a non-executable heap address.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.