
RCE ThemeBleed bug discovered in Windows 11 with a test exploit

A risky vulnerability discovered in Windows 11 Themes opens the door to attackers

An exploit called ThemeBleed has been discovered that allows attackers to execute code on the system. The flaw has been patched by Microsoft, but users are advised to apply security updates.

Proof of exploit code has been published for a vulnerability in Windows Themes, identified as CVE-2023-38146, which allows remote attackers to execute code on the system. This security issue, also known as ThemeBleed, has been given a high severity rating of 8.8. This vulnerability could be exploited if the user opened a maliciously crafted .THEME file created by the attacker.

Details about ThemeBleed

The vulnerability was discovered by Gabe Kirkpatrick, one of the researchers who reported the issue to Microsoft on May 15. For reporting the flaw, Kirkpatrick received a $5000 reward. CVE-2023-38146 was patched by Microsoft two days ago, during Patch Tuesday September 2023.

A flaw discovered via "weird Windows file formats"

Kirkpatrick found the vulnerability while analyzing "strange Windows file formats," including the .THEME file format used to customize the appearance of the operating system. These files contain references to '.msstyles' files, which should only consist of graphic assets that are loaded when the theme file is opened.

Exploitation method and solution

The researcher noted that when the version number "999" is used, the process for handling .MSSTYLES files has a significant gap between the moment the signature of a DLL ("_vrf.dll") is verified and the moment it is loaded, creating a race condition. With a specially crafted .MSSTYLES file, an attacker can use this race window to replace the verified DLL with a malicious one, thus executing arbitrary code on the target machine. Microsoft fixed the problem by completely removing the "version 999" functionality. However, the underlying race condition remains, Kirkpatrick says.

Furthermore, the researcher points out that downloading a theme file from the web triggers the "mark-of-the-web" warning, which can alert the user to the threat. This warning can be bypassed if the attacker encapsulates the theme in a .THEMEPACK file, which is a CAB archive: when the CAB file is opened, the theme it contains is applied automatically without showing the "mark-of-the-web" warning. Microsoft has not, at this time, addressed the lack of "mark-of-the-web" warnings for themepack files.

Windows users are advised to apply Microsoft's September 2023 security update package as soon as possible, as it addresses two actively exploited zero-day vulnerabilities and 57 other security issues in various applications and system components.
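The verify-then-load gap described above is a time-of-check/time-of-use race. The following is an added illustration, not code from the article, the researcher, or Microsoft: it models the two loader shapes in portable Python, standing in Authenticode verification with a SHA-256 compare and simulating the race window with a local file replacement (all sample bytes and file names are constructed). The hardened variant verifies exactly the bytes it goes on to use, which is the general mitigation for this class of bug; it is not the patch Microsoft shipped, which removed the "version 999" path instead.

```python
import hashlib
import os
import tempfile

# Constructed sample: stands in for the signed _vrf.dll the article describes.
TRUSTED_DLL = b"constructed: trusted _vrf.dll bytes"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_DLL).hexdigest()

def signature_ok(data: bytes) -> bool:
    """Stand-in for signature verification: a digest compare over the bytes given."""
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST

def load_vulnerable(path: str, race=None):
    """Verify the file at PATH, then re-open PATH to load it (the ThemeBleed shape).
    Whatever sits at PATH during the second open is loaded, verified or not."""
    with open(path, "rb") as f:
        if not signature_ok(f.read()):
            return None
    if race:
        race()  # simulates the window between verify and load being won
    with open(path, "rb") as f:  # second open by path: may be a different file now
        return f.read()

def load_hardened(path: str, race=None):
    """Open once, read once, verify the exact bytes that will be used.
    A later change to the path cannot affect the content already read."""
    with open(path, "rb") as f:
        data = f.read()
    if race:
        race()  # same window, but nothing is re-read from the path
    return data if signature_ok(data) else None

def demo() -> dict:
    """Run both loaders against a file that is replaced inside the race window."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample_vrf.dll")  # constructed file name
    def write(data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)
    def replace_file():  # the swap the vulnerable loader fails to notice
        write(b"constructed: replaced, unsigned bytes")
    write(TRUSTED_DLL)
    vulnerable = load_vulnerable(path, replace_file)
    write(TRUSTED_DLL)
    hardened = load_hardened(path, replace_file)
    return {"vulnerable_loaded_unverified": vulnerable != TRUSTED_DLL,
            "hardened_loaded_trusted": hardened == TRUSTED_DLL}
```

`demo()` returns `{'vulnerable_loaded_unverified': True, 'hardened_loaded_trusted': True}`: the path-based loader ends up with content that never passed verification, while the handle-based loader does not.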


09/14/2023 17:01

Marco Verro
