MS hcp-URL Cross Site Scripting

June 10, 2010

Just one day after the busy Microsoft Patch Day in June with ten security bulletins fixing 34 vulnerabilities, a new Cross Site Script (XSS) issue is published disclosed by Tavis Ormandy. It can potentially lead to shellcode execution within the logged in user's security context.

Microsoft Windows Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp", a typical example is provided in the Windows XP Command Line Reference as bellow. Please refer to for details.

helpctr [/url [URL]] [/mode [URL]] [/hidden] [/fromstarthelp]

Help and Support Center application is by default installed in c:windowspchealthhelpctrbinaries with filename helpctr.exe in Windows XP SP2 and after. It can be passed by web browser with a HCP URL through its command line argument "/fromhcp". This flag switches the help centre into a restricted mode, which will only permit a white-listed set of help documents and parameters.

The application is using a function "MPC::HTML::UrlUnescapeW()" to normalize the URL, which in turn uses MPC::HexToNum() to translate URL escape sequences into their original characters. However, the return code from MPC::HexToNum() is not well sanitized as required, which allows the unexpected garbage is returned to the standard string class variable. This error could allow an attacker evade the white-list detection mentioned before. On top of that, the hacker may take use of some web accessible documents to call the vulnerable function, and execute the encoded shellcode. An example of the document could be:


The SonicWALL UTM team has researched this vulnerability and created IPS signature to detect/prevent attacks exploiting this issue.

  • 4177 MS hcp-URL sysinfomain.htm XSS

This vulnerability is not referred by Common Vulnerabilities and Exposures (CVE) yet.