Windows 11 - ThemeBleed RCE PoC Exploit Released.
The Windows Themes vulnerability tracked as CVE-2023-38146, allows remote attackers to execute malicious code and now a proof-of-concept exploit has been posted online.
Also being referred to as "ThemeBleed", it received a high-severity score of 8.8 and can be exploited if the target opens a malicious .THEME file.
One of the researchers who reported the vulnerability to Microsoft on May 15th was Gabe Kirkpatrick, who received $5,000 for discovering the bug.
Gabe then went on to publish a PoC named ThemeBleed here.
How it works:
On Windows, .theme files allow customization of the OS appearance. The .theme files themselves are ini files, which contain configuration details.
Clicking on a.THEME file executes certain files.
This vulnerability specifically deals with the handling of .msstyles files. These are PE (DLL) files that contain resources such as icons to be used in a theme, but (should) contain no code.
When the .theme file is opened, the .msstyles file will also be loaded.
When loading a .msstyles file, the LoadThemeLibrary in uxtheme.dll will check the version of the theme. It will do this by loading the resource named PACKTHEM_VERSION from the binary. If the version it reads is 999, it will then call into another function ReviseVersionIfNecessary.
The ReviseVersionIfNecessary function which is called by the previous step performs several actions. Given a path to a .msstyles file.
It will perform the following:
- Create a new file path by appending _vrf.dll to the .msstyles file path.
- Check if this new _vrf.dll file exists. If not, exit.
- Open the _vrf.dll file
- Verify the signature on the _vrf.dll file. If the signature is invalid, exit.
- Close the _vrf.dll file
- Load the _vrf.dll file as a DLL and call the VerifyThemeVersion function.
The goal of this appears to be to attempt to safely load a signed DLL and call a function. This implementation is flawed however, because the DLL is closed after verifying the signature in step 5, and then re-opened when the DLL is loaded via a call to LoadLibrary in step 6. This provides a race window between those two steps where an attacker may replace the _vrf.dll file that has had its signature verified, with a malicious one that is not signed. That malicious DLL will then be loaded and executed. Gabe writes here.
If a user downloads a .theme file, upon launching it they will receive a security warning due to the presence of Mark-of-the-Web on the file. It turns out this can be bypassed by packaging the .theme file in a .themepack file.
A .themepack file is a cab file containing a .theme file. When a .themepack file is opened, the contained .theme file will be loaded. When opening a .themepack file with Mark-of-the-Web, no warning is displayed, so the warning that would normally be seen is bypassed.
A .themepack file is a cab file containing a .theme file. When a .themepack file is opened, the contained .theme file will be loaded. When opening a .themepack file I chose to use an attacker controlled SMB server for this because a .theme file may point to a .msstyle path on a remote SMB share. Since the SMB share is attacker controlled, it can easily exploit the TOCTOU bug in ReviseVersionIfNecessary by returning a validly signed file when the client first requests it to check the signature, and then a malicious one when the client loads the DLL.
The PoC makes use of the SMBLibrary by Tal Aloni.
Microsoft Fix:
Microsoft released an update in four days of receiving the report, which is very fast for them, removing the "version 999" functionality entirely.
However, Gabe analyzed the fix they released and found that it did not address the TOCTOU issue in the signing of .msstyles files, nor have they added Mark-of-the-Web warnings on .themepack files.
Windows users are recommended to apply Microsoft's September 2023 security updates.
