Friday, April 19, 2024

Windows11 Themes vulnerability Let Attackers Execute Arbitrary Code

An Arbitrary code execution vulnerability has been found in Windows 11. This vulnerability is a result of several factors, such as a Time-of-Check Time-of-Use (TOCTOU) race condition, malicious DLL, cab files, and the absence of Mark-of-the-Web validation.

This particular vulnerability can be exploited by a threat actor using a .theme file used for changing the appearance of Windows OS and supported by Windows 11. Microsoft Security Response Center (MSRC) has been alerted about this vulnerability.

CVE-2023-38146: Windows Themes Arbitrary Code Execution

Windows 11 supports .themefiles, which can be used to customize OS appearance. The icons to be used in the theme are mentioned in a .msstyles file, which can be referenced in a .theme file. When the .theme file is clicked, it executes certain commands along with the execution of rundll32.exe.

“C:\WINDOWS\system32\rundll32.exe” C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>

Commands that are executed when a .theme file is opened (Source:


Referencing a .msstyles file in a .theme file (Source:

“Version 999” Check & Time-of-Check-Time-of-Use

During the loading of the .msstyles file, LoadThemeLibrary in uxtheme.dll checks the version of the theme by loading the PACKTHEM_VERSION resource. If the version is read as 999, the ReviseVersionIfNecessary is called. 

If the .msstyle is given a path, the ReviseVersionIfNecessary creates a new file path, which appends _vrf.dll to the .msstyles file path. After this, the signature on the _vrf.dll file is verified. 

Following the verification, the _vrf.dll is closed and then loaded as the DLL file post, which the VerifyThemeVersion is called.

A threat actor can utilize this particular time frame between the closing and loading of the _vrf.dll to replace the verified DLL with a malicious DLL and perform arbitrary code execution on the system.

Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Mark-of-the-Web Bypass

In addition, a .theme file downloaded from the internet will contain a security warning due to the presence of “Mark-of-the-Web” on the file, which can be bypassed by embedding the .theme file in a .themepack file.

This is because .themepack pack does not show a “Mark-of-the-Web” warning.

Proof of Concept

A GitHub repository has been published as a proof-of-concept about this vulnerability, consisting of two components: an SMB server executable and a .theme file. 

“Microsoft’s released fix for the issue removed the “version 999” functionality entirely. While that mitigates this specific exploit, it still does not address the TOCTOU issue in the signing of .msstyles files. Additionally, Microsoft has not added Mark-of-the-Web warnings on .themepack files.” reads the post by the researcher.

In addition to this, the steps to reproduce the vulnerability, along with the steps to fix this vulnerability, have also been disclosed. Organizations using Windows 11 should follow the steps to prevent this vulnerability from getting exploited.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles