November 05, 2008

Why use expression() when there's HTC

Intro

HTML Components (HTC) first found their way into an implementation with Internet Explorer 5. Since then HTC has been a topic without much light being shed on it, much like HTA. Meanwhile the feature has been almost forgotten, which is kind of a shame, since it is the second way for IE browsers to execute JavaScript and other code that is triggered and included by style sheets. We mentioned before that expression() will have a hard time on IE8 - so why not work with the alternative?

HTC files have to be located on the same domain as the site that uses the feature. That might sound like it massively narrows the attack window, but, much like the earlier mentioned XBL issue, it doesn't. HTC files can be outfitted with an almost infinite amount of padding. As long as there is some HTC code inside the included file, the browser (meaning IE) will accept and parse it and execute the nested code.

Some code

Let's have a look at a brief example. The page below includes an HTC file with an almost arbitrary file name suffix - thanks to Apache again.

<html>
<head>
<style>
    body {
        behavior: url(test.gif.htc);
    }
</style>
</head>
<body>
<h1>CLICK ME!</h1>

</body>
</html>

The HTC file itself is actually a valid GIF file that is processed without any problems by imaging tools, browsers and of course the usual checks for the right MIME type, image dimensions et cetera. Here's the GIF.

GIF89ad�d����������!�Y,����d�d��s��������ڋ�޼���H�扦�ʶ���L������� �Ģ�L*�̦� �J�Ԫ��j�ܮ�����N���� ����������(8HXhx��������iX�

Above we see what the file looks like in a standard text editor. To reveal the payload the file has to be opened in a hex editor. It's also possible to choose almost random file types like archives, other image types, MP3s, videos etc.

Decoded, the output will look like this:

GIF89ad.d..........!.Y
<PUBLIC:COMPONENT>
<PUBLIC:ATTACH EVENT="onclick" ONEVENT="alert(1)" />
</PUBLIC:COMPONENT>
.,....d.d...s..................H...........L...
.............L*......J......j............N.....
................(8HXhx.........iX..;

Conclusion

Understanding and creating HTC files is easy - and it's even easier to hide them in arbitrary file containers and get those files uploaded to the targeted web server.

If Microsoft depends on this feature or fears breaking the web by removing it, there should at least be some validation that makes sure an HTC is really an HTC, and not something else wrapped around the payload. Applications that accept uploads of images or other file types should make sure that the content of uploaded files is checked for suspicious patterns and that the upload is blocked if anything is found.
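The upload check recommended above, written out for the HTC case. This is an added example, not code from the original post: the function names and the allow-list of magic bytes are assumptions, and the element names other than COMPONENT and ATTACH come from the HTC element set rather than from the page.

```python
import re

# HTC element names; the page's sample uses COMPONENT and ATTACH.
HTC_TAG = re.compile(
    rb"<\s*/?\s*PUBLIC\s*:\s*(COMPONENT|ATTACH|PROPERTY|METHOD|EVENT|DEFAULTS)\b",
    re.IGNORECASE,
)

# Assumed allow-list of upload types, keyed by their leading magic bytes.
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

def sniff_type(data):
    """Return the type named by the file's magic bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def find_htc_markers(data):
    """Return the sorted HTC element names found anywhere in the raw bytes."""
    hits = set()
    # The second view drops NUL bytes so UTF-16 encoded markup is also seen.
    for view in (data, data.replace(b"\x00", b"")):
        hits.update(m.group(1).upper().decode("ascii")
                    for m in HTC_TAG.finditer(view))
    return sorted(hits)

def check_upload(data):
    """Return (accepted, reason) for an uploaded file body."""
    kind = sniff_type(data)
    if kind is None:
        return False, "unknown file type"
    markers = find_htc_markers(data)
    if markers:
        return False, "HTC markup inside %s: %s" % (kind, ", ".join(markers))
    return True, "ok (%s)" % kind

# Constructed samples: a bare GIF-like header, and one padded like the page's dump.
CLEAN_GIF = b"GIF89ad\x00d\x00" + b"\x00" * 32 + b";"
PADDED_GIF = (b"GIF89ad\x00d\x00" + b"\x00" * 8 + b"\n<PUBLIC:COMPONENT>\n"
              b'<PUBLIC:ATTACH EVENT="onclick" ONEVENT="alert(1)" />\n'
              b"</PUBLIC:COMPONENT>\n" + b"\x00" * 16 + b";")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("padded", PADDED_GIF)):
        print(label, check_upload(blob))
```

Pattern matching of this kind is a heuristic. Because HTC files must sit on the same domain as the page using them, serving uploads from a separate domain complements the scan.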
