Wednesday, November 13, 2024

Windows 11 Themes Vulnerability Lets Attackers Execute Arbitrary Code


An arbitrary code execution vulnerability has been found in Windows 11. It results from several factors, including a Time-of-Check Time-of-Use (TOCTOU) race condition, a malicious DLL, cab files, and the absence of Mark-of-the-Web validation.

A threat actor can exploit this vulnerability with a .theme file, the file type Windows 11 supports for changing the appearance of the OS. The Microsoft Security Response Center (MSRC) has been alerted about this vulnerability.

CVE-2023-38146: Windows Themes Arbitrary Code Execution

Windows 11 supports .theme files, which can be used to customize the appearance of the OS. The icons used in a theme are defined in a .msstyles file, which a .theme file can reference. When a .theme file is clicked, Windows runs the following command through rundll32.exe:

"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>

Commands that are executed when a .theme file is opened (Source: exploits.forsale)

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles

Referencing a .msstyles file in a .theme file (Source: exploits.forsale)

“Version 999” Check & Time-of-Check-Time-of-Use

While loading the .msstyles file, LoadThemeLibrary in uxtheme.dll checks the version of the theme by loading the PACKTHEM_VERSION resource. If the version is read as 999, ReviseVersionIfNecessary is called.

Given the path of the .msstyles file, ReviseVersionIfNecessary creates a new file path by appending _vrf.dll to the .msstyles file path. The signature on the _vrf.dll file is then verified.

Following the verification, the _vrf.dll file is closed and then loaded as a DLL, after which VerifyThemeVersion is called.

A threat actor can use the window between the closing and the loading of the _vrf.dll to replace the verified DLL with a malicious DLL and achieve arbitrary code execution on the system.
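For defenders triaging .theme files (for example, mail or download attachments), the [VisualStyles] Path entry and the derived _vrf.dll name described above are the fields worth extracting. The following Python sketch is an added example, not code from the researcher's post or from Microsoft; the sample themes, the trusted-directory prefixes and the finding labels are assumptions made for illustration.

```python
import configparser
import ntpath

# Constructed sample .theme contents (not taken from the published PoC).
STOCK_THEME = r"""
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""
SUSPECT_THEME = r"""
[Theme]
DisplayName=Constructed sample
[visualstyles]
path=\\fileserver.example\share\Aero.msstyles
"""

# Assumption: stock visual styles live under the Windows Themes directory.
TRUSTED_PREFIXES = ("%systemroot%\\resources\\themes\\",
                    "c:\\windows\\resources\\themes\\")


def visual_style_path(theme_text):
    """Return the [VisualStyles] Path value, or None if the theme has none."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.read_string(theme_text)
    for section in parser.sections():
        if section.lower() == "visualstyles":
            # Option names are lower-cased by configparser, so "Path" matches.
            return parser.get(section, "path", fallback=None)
    return None


def triage_theme(theme_text):
    """Flag themes whose .msstyles reference leaves the system Themes folder."""
    raw = visual_style_path(theme_text)
    if not raw:
        return {"style_path": None, "findings": []}
    # Collapse ".." segments and normalise slashes before comparing.
    norm = ntpath.normpath(raw.strip().strip('"')).lower()
    findings = []
    if norm.startswith("\\\\"):
        findings.append("unc-or-device-path")
    if not norm.startswith(TRUSTED_PREFIXES):
        findings.append("outside-system-themes")
    return {
        "style_path": raw,
        # Per the article, the "version 999" path appended _vrf.dll here.
        "vrf_companion": raw + "_vrf.dll",
        "findings": findings,
    }
```

Real .theme files are often UTF-16 encoded, so decode them accordingly before passing the text to triage_theme.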

Mark-of-the-Web Bypass

In addition, a .theme file downloaded from the internet triggers a security warning because the file carries the "Mark-of-the-Web". This warning can be bypassed by embedding the .theme file in a .themepack file.

This is because .themepack files do not show a "Mark-of-the-Web" warning.

Proof of Concept

A GitHub repository has been published as a proof-of-concept about this vulnerability, consisting of two components: an SMB server executable and a .theme file. 

“Microsoft’s released fix for the issue removed the “version 999” functionality entirely. While that mitigates this specific exploit, it still does not address the TOCTOU issue in the signing of .msstyles files. Additionally, Microsoft has not added Mark-of-the-Web warnings on .themepack files.” reads the post by the researcher.

In addition to this, the steps to reproduce the vulnerability, along with the steps to fix this vulnerability, have also been disclosed. Organizations using Windows 11 should follow the steps to prevent this vulnerability from getting exploited.


Eswar