Security
Headlines
HeadlinesLatestCVEs

Headline

ThemeBleed exploit is another reason to patch Windows quickly

Categories: Exploits and vulnerabilities Categories: News Tags: theme

Tags: themepack

Tags: Microsoft

Tags: cve-2023-38146

Tags: msstyles

An exploit has been released for a vulnerability in .themes that was patched in the September 2023 Patch Tuesday update.

(Read more…)

The post ThemeBleed exploit is another reason to patch Windows quickly appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability#web#windows#microsoft#rce#samba

Included in the September 2023 Patch Tuesday updates was a fix for a vulnerability which has been dubbed ThemeBleed. A Proof-of-Concept (PoC) exploit has been released by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The ThemeBleed vulnerability was listed as CVE-2023-38146: a Windows Themes Remote Code Execution (RCE) vulnerability.

Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating “Important”, saying:

“An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.”

A .theme file is a configuration (.ini) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets ([]) inside the .ini file. A .theme file enables you to change the appearance of certain desktop elements.

A related file format, .themepack, was introduced with Windows 7 to help users share themes. A .themepack must include your .theme file, as well as the background picture, screen saver, and icons files.

Themes can be selected in the Personalization Control Panel only in Windows 7 Home Premium or higher, or only on Windows Server 2008 R2 when the Desktop component is installed.

The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted .theme file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

The .theme files contain references to .msstyles files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened. When the .theme file is opened, the .msstyles file will also be loaded.

The researcher found that invoking a check of the theme version calls the ReviseVersionIfNecessary function and does not safely load a signed DLL (_vrf.dll), because the DLL is closed after verifying the signature, and then re-opened when the DLL is loaded via a call to LoadLibrary. During that interval the file could be replaced by a malicious version.

Another problem lies in the fact that if a user were to download a theme from the web, this triggers the ‘mark-of-the-web’ (MOTW) warning. MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. However, this could be bypassed if the attacker wrapped the theme into a .themepack file. When using the .themepack file, the contained .theme opens automatically without serving the MOTW warning.

While Microsoft’s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of .msstyles files. Nor has it added MOTW warnings to .themepack files.

The researcher notes that the vulnerability appears to be only present in Windows 11.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Related news

Themebleed Windows 11 Themes Arbitrary Code Execution

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]

CVE-2023-38146

Windows Themes Remote Code Execution Vulnerability