Researcher Discloses Windows Themes RCE Bug and PoC Exploit

CVE-2023-38146

In the fast-paced realm of cybersecurity, vulnerabilities often emerge from unexpected quarters. A recent discovery made by cybersecurity researchers, which draws attention to Microsoft Windows’ aesthetic functionalities, serves as a stark reminder that even something as seemingly innocuous as a theme could be an attacker’s gateway.

Dubbed by the researchers as CVE-2023-38146 and boasting a significant CVSS score of 8.8, this code execution bug finds its home in Windows Themes. Thijs Alkemade, Khaled Nassar, Daan Keuper from Computest Sector 7, and Gabe Kirkpatrick, the masterminds behind its discovery, showcased how exploitation could pave the way for attackers to execute arbitrary code.

CVE-2023-38146

In essence, for the vulnerability to be exploited, the attacker would have to persuade a targeted user to load a Windows Themes file— particularly a `.theme` file—on a system that has access to an attacker-managed SMB share.

To those uninitiated, a `.theme` file in the Windows environment serves as a means of customizing the OS’s appearance. These files, fundamentally INI files, carry configuration details. When invoked on Windows 11, a `.theme` file executes the following command:
“C:\WINDOWS\system32\rundll32.exe” C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>

Our researchers’ discovery was more concerned with the processing of .msstyles files, which are DLL files containing resources, such as icons, to be incorporated in a theme. The alarming detail? They shouldn’t contain any code.

The crux of the CVE-2023-38146 vulnerability hinges on the version checking of themes. When the theme’s version reads as 999, it delves into another function, dubbed `ReviseVersionIfNecessary`.

Kirkpatrick went the extra mile by developing a PoC to shed light on this issue. He employed an attacker-controlled SMB server as the `.theme` file might direct to a .msstyle path on a distant SMB share. Leveraging this SMB share’s control, the attacker can exploit the TOCTOU bug in `ReviseVersionIfNecessary`.

For those interested in diving deep, the PoC is available for perusal here.

The researcher’s recommendations for rectifying this vulnerability include:

  • Completely doing away with the “version 999” functionality.
  • Employing standard Windows procedures for signing and verifying the `_vrf.dll` binary.
  • Prohibiting the loading of resources from remote shares in theme files.
  • Introducing Mark-of-the-Web warnings to `.themepack` files.

Microsoft’s initial step towards mitigation was the removal of the “version 999” functionality during their September Patch Tuesday security update. However, this only counters this particular exploit and overlooks the TOCTOU concern in the .msstyles files’ signing.