An arbitrary code execution vulnerability has been found in Windows 11. It results from a combination of factors: a Time-of-Check Time-of-Use (TOCTOU) race condition, a malicious DLL, cab files, and the absence of Mark-of-the-Web validation.
A threat actor can exploit this vulnerability with a .theme file, the format Windows 11 supports for changing the appearance of the OS. Microsoft Security Response Center (MSRC) has been alerted about this vulnerability.
CVE-2023-38146: Windows Themes Arbitrary Code Execution
Windows 11 supports .theme files, which can be used to customize the appearance of the OS. The icons to be used in the theme are defined in a .msstyles file, which can be referenced from a .theme file. When a .theme file is opened, Windows executes the following command, which invokes rundll32.exe.
"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>
Commands that are executed when a .theme file is opened (Source: exploits.forsale)
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
Referencing a .msstyles file in a .theme file (Source: exploits.forsale)
“Version 999” Check & Time-of-Check-Time-of-Use
While the .msstyles file is being loaded, LoadThemeLibrary in uxtheme.dll checks the version of the theme by loading the PACKTHEM_VERSION resource. If the version is read as 999, ReviseVersionIfNecessary is called.
Given the path of the .msstyles file, ReviseVersionIfNecessary builds a new file path by appending _vrf.dll to it. The signature on the _vrf.dll file is then verified.
Following the verification, the _vrf.dll file is closed and then loaded as a DLL, after which VerifyThemeVersion is called.
A threat actor can use the window between the closing and the loading of _vrf.dll to replace the verified DLL with a malicious DLL and achieve arbitrary code execution on the system.
Mark-of-the-Web Bypass
In addition, a .theme file downloaded from the internet triggers a security warning because the file carries the “Mark-of-the-Web”. This warning can be bypassed by embedding the .theme file in a .themepack file.
This is because .themepack files do not show a “Mark-of-the-Web” warning.
Proof of Concept
A GitHub repository has been published as a proof of concept for this vulnerability. It consists of two components: an SMB server executable and a .theme file.
“Microsoft’s released fix for the issue removed the “version 999” functionality entirely. While that mitigates this specific exploit, it still does not address the TOCTOU issue in the signing of .msstyles files. Additionally, Microsoft has not added Mark-of-the-Web warnings on .themepack files.” reads the post by the researcher.
The steps to reproduce the vulnerability, along with the steps to fix it, have also been disclosed. Organizations using Windows 11 should follow those steps to prevent this vulnerability from being exploited.
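Because a .theme file names its visual style in [VisualStyles] Path, and the published proof of concept pairs a .theme file with an SMB server, defenders can triage theme files by checking where that path points. The following Python sketch is an added example, not code from the researcher or from Microsoft; the severity labels, the function names and the assumption that only %SystemRoot%\resources\Themes is a trusted location are illustrative.

```python
import ntpath
import re

# Assumption: stock visual styles live under this folder (as in the page's Aero example).
SYSTEM_THEMES = "%systemroot%\\resources\\themes\\"

# Constructed sample: a theme whose visual style sits on a network share (TEST-NET address).
SAMPLE_REMOTE = ("[Theme]\r\nDisplayName=Demo\r\n\r\n[VisualStyles]\r\n"
                 "Path=\\\\192.0.2.10\\share\\demo.msstyles\r\n").encode("utf-16")

def decode_theme(raw: bytes) -> str:
    """.theme files are INI text, saved either as UTF-16 with a BOM or as 8-bit text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def visual_style_path(text: str):
    """Return the Path value from [VisualStyles] (names matched case-insensitively)."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "visualstyles" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "path":
                return value.strip().strip('"')
    return None

def audit_theme(raw: bytes):
    """Classify one .theme file's contents as (severity, reason, referenced path)."""
    path = visual_style_path(decode_theme(raw))
    if path is None:
        return ("ok", "no visual style referenced", None)
    # Normalise separators and collapse ".." so traversal cannot fake the prefix.
    norm = ntpath.normpath(path.replace("/", "\\")).lower()
    if norm.startswith("\\\\"):
        return ("high", "visual style is loaded from a UNC (network) path", path)
    if not norm.startswith(SYSTEM_THEMES):
        return ("review", "visual style is outside the system Themes folder", path)
    return ("ok", "visual style is in the system Themes folder", path)

if __name__ == "__main__":
    print(audit_theme(SAMPLE_REMOTE))
```

A "review" result is only a prompt to look closer, since themes installed by a user can legitimately reference a visual style outside the system folder.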