Exploit code and a PoC have been released for a vulnerability in Windows
by Lumela - Wednesday September 20, 2023 at 06:07 PM
#1
Exploit code and a PoC have been released for a vulnerability in Windows themes identified as CVE-2023-38146 that allows remote attackers to execute code. Microsoft addressed and fixed CVE-2023-38146 two days ago in the September 2023 Patch Tuesday.
The security issue is also known as ThemeBleed and received a high severity score of 8.8. It can be exploited if the targeted user opens a malicious .THEME file created by the attacker.
The exploit code was published by Gabe Kirkpatrick, one of the researchers who reported the vulnerability to Microsoft on May 15 and received $5,000 for the bug.
Kirkpatrick found the vulnerability while looking for "strange Windows file formats," one of which was .THEME for files used to customize the appearance of the operating system. These files contain references to '.msstyles' files, which should not contain code, only graphical resources that are loaded when the theme file that invokes them is opened.
Using a specially crafted .MSSTYLES, an attacker can exploit a time window to replace a verified DLL with a malicious one, allowing him to execute arbitrary code on the target machine.
 
Kirkpatrick created a PoC exploit that opens the Windows Calculator when the user starts a theme file. The researcher also notes that a theme file downloaded from the web would carry a mark-of-the-web warning that could alert the user to the threat. However, this could be avoided if the attacker wraps the theme in a .THEMEPACK file, which is a CAB file. When the CAB file is launched, the contained theme opens automatically without displaying the mark-of-the-web warning.
Microsoft fixed the problem by completely removing the "version 999" functionality. However, the underlying TOCTOU condition persists, Kirkpatrick says. In addition, Microsoft did not address the absence of mark-of-the-web warnings for theme package files.
Windows users are advised to apply Microsoft's September 2023 security update package as soon as possible, as it fixes two zero-day vulnerabilities that are under active exploitation and 57 other security issues in various applications and system components.
The researcher noticed that when using a '999' version number, the routine for handling the .MSSTYLES file includes a significant gap between when a DLL signature ("_vrf.dll") is checked and when the library is loaded, creating a TOCTOU (time-of-check to time-of-use) race condition.
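The check-then-use gap the post describes, as an added illustration that is not the researcher's PoC nor Windows code: a loader that verifies a file and then re-opens it by name, beside one that verifies the bytes it actually uses. A SHA-256 digest stands in for the DLL signature check, and the race window is simulated with a hook called between check and use rather than a real concurrent writer.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a verified library and a swapped-in replacement.
TRUSTED = b"TRUSTED: graphical resources only"
SWAPPED = b"SWAPPED: not what was verified"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED).hexdigest()


def load_racy(path: str, window=None) -> bytes:
    # Check-then-use by path: the file is opened twice, so whatever is on
    # disk at the second open is what gets used, verified or not.
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != TRUSTED_DIGEST:
            raise ValueError("verification failed")
    if window:                    # the gap between check and use (simulated)
        window()
    with open(path, "rb") as f:   # second open by name: content may differ
        return f.read()


def load_safe(path: str, window=None) -> bytes:
    # Read once, verify the bytes actually held, and use only those bytes;
    # a swap on disk after the read cannot change what was verified.
    with open(path, "rb") as f:
        data = f.read()
    if window:
        window()
    if hashlib.sha256(data).hexdigest() != TRUSTED_DIGEST:
        raise ValueError("verification failed")
    return data


def demo() -> tuple:
    # Runs both loaders against a file that is swapped inside the window and
    # returns (bytes the racy loader used, bytes the safe loader used).
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")

        def write(content: bytes) -> None:
            with open(path, "wb") as f:
                f.write(content)

        write(TRUSTED)
        racy = load_racy(path, lambda: write(SWAPPED))
        write(TRUSTED)
        safe = load_safe(path, lambda: write(SWAPPED))
    return racy, safe
```

Both loaders pass the check; only the racy one ends up using the swapped bytes, which is the pattern the "version 999" handling exhibited.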
#2
They're kinda nutty. Thanks for sharing