Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit

Proof-of-concept exploit code has been published for a Windows Themes vulnerability tracked as CVE-2023-38146 that allows remote attackers to execute code.

The security issue is also referred to as ThemeBleed, and received a high-severity score of 8.8. It can be exploited if the target user opens a malicious .THEME file crafted by the attacker.

The exploit code was released by Gabe Kirkpatrick, one of the researchers who reported the vulnerability to Microsoft on May 15 and received $5,000 for the bug.

Microsoft addressed CVE-2023-38146 two days ago in the September 2023 Patch Tuesday.

ThemeBleed details

Kirkpatrick found the vulnerability while looking at "weird Windows file formats," one of them being .THEME for files used to customize the appearance of the operating system.

These files contain references to ‘.msstyles’ files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened.

The researcher noticed that when a version number “999” is used, the routine for handling the .MSSTYLES file includes a major discrepancy between the time a DLL’s (“_vrf.dll”) signature is verified and when the library loads, creating a race condition.

Using a specially crafted .MSSTYLES, an attacker can exploit a race window to replace a verified DLL with a malicious one, thus allowing them to run arbitrary code on the target machine.

Kirkpatrick created a PoC exploit that opens the Windows Calculator when the user launches a theme file.

The researcher also notes that downloading a theme file from the web triggers the 'mark-of-the-web' warning, which could alert the user of the threat. However, this could be bypassed if the attacker wraps the theme into a .THEMEPACK file, which is a CAB archive.

When launching the CAB file, the contained theme opens automatically without serving the mark-of-the-web warning.

Microsoft fixed the issue by removing the “version 999” functionality completely. However, the underlying race condition remains, Kirkpatrick says. Additionally, Microsoft did not address the absence of mark-of-the-web warnings for themepack files.

Windows users are recommended to apply Microsoft's September 2023 security updates pack as soon as possible, as it fixes two zero-day vulnerabilities that are under active exploitation, and another 57 security problems in various apps and system components.