A while back, I was working on some offline HTML files using Microsoft’s Office Word for some side project. I simply created an empty file in Word, saved it as ‘file.HTM’, and dumped some content inside (text and a few images).
I quickly noticed that along with ‘file.HTM’, a new folder was created called ‘file_files’, which – unsurprisingly – contained some resources for ‘file.HTM’ (for example the images that I’d put inside). A few minutes later I was done playing with ‘file.HTM’ and decided to delete it. This is when things started turning weird: while I only deleted ‘file_file.HTM’, the ‘file_files’ folder was also deleted. My initial thought was that I must have marked the folder for deletion without paying attention, but when I restored the ‘file.HTM’ file from the trash bin, I found that ‘file_files’ was also restored. Strange indeed! The behavior persisted over the ‘COPY’ function- > moving the HTML file moved the folder too. Renaming the HTML file resulted in a warning:
What was going on here?
Windows connected files
It turns out that Microsoft introduced a concept known as ‘Connected-files’ to specifically handle HTML files and their resources, apparently as early as in Windows Vista. When an HTML file exists in some path, Windows will automatically search for folders (under the same path) with certain ‘special’ names (such as ‘filename_files’). If it finds such folders, they will become linked to the file. The full list of ‘special names’ can be found here.
An important thing to note is that the Folder & File don’t actually have to be really connected in terms of code, i.e. the folder doesn’t need to hold resources that are addressed in the HTML file. For that matter, the HTML file can be completely empty and the folder can contain nothing but exe files. Only the naming convention ties the folder and file together, regardless of the contents.
To put it simply, if you have an HTML file called ‘myFile.HTML’ in some path, you can create a folder called ‘myFile_files’ in the same path and the two will become connected. Alternatively, if a folder named ‘My_files’ exists in some path, you can create an HTML file called ‘My.html’ in the same path, and again the two will become connected. Copying/deleting the file/folder will cause the connected party to be copied/deleted.
Cool (stupid?) feature! How can we hack it?
So, can we abuse this unknown behavior for some mischief? It requires some very specific situations, but yes, yes we can!
Let’s say a user called ‘weakuser’ has ‘write’ access to a shared folder used to host public files as well as private folders. Let’s now assume that one of these private folders is called ‘secret_files’, like in the settings in the image bellow:
In such a situation, ‘weakuser’ can create a file called ‘secret.html’ inside ‘public folder.’ The file will become ‘connected’ to the private ‘secret_files’ folder to which the user has no permissions. Finally, let’s say that some admin user (with higher permissions) copies all public files from ‘public_folder’ to another public location (say, an insecure server, as the files are public). In such a case, the ‘Secret_files’ folder will be also automatically copied to the public location where ‘weakuser’ can access it -> and so, ‘weakuser’ has successfully bypassed access controls.
You can also hide your files
I’m not a supporter of ‘security by obscurity,’ but I still find it interesting (and misleading) that connected files don’t have to share the same features when it comes to visibility. In other words, you can have an HTML file connected to a hidden folder that is hidden while the HTML file is not. I can imagine situations where users are ‘tricked’ into copying a harmless HTML file, which causes them to also copy a malware hidden in a connected folder.
Final thoughts
This weird little feature is not really a big security issue as exploitation (if you can even call it that) requires quite specific circumstances. I consider it more like a peculiar angle of the beast that is Windows’ file system. It definitely confused me when I encountered it at first; hopefully now it will not confuse you either :)