The proof-of-concept (PoC) exploit code for a high-severity remote code execution (RCE) vulnerability in Windows Themes, known as ThemeBleed and tracked as CVE-2023-38146, has been made public. This vulnerability allows remote attackers to execute code if a user opens a malicious .THEME file. The PoC exploit code was released by researcher Gabe Kirkpatrick, who initially reported the vulnerability to Microsoft on May 15 and received a $5,000 reward for identifying the bug. Microsoft released a patch for the vulnerability in its September 2023 Patch Tuesday update.
The vulnerability was discovered by Kirkpatrick during an examination of unusual Windows file formats, including .THEME files used to customize the operating system's appearance. These files reference '.msstyles' files, which should only contain graphical resources loaded when the theme file is opened. However, Kirkpatrick noticed a significant discrepancy when a version number '999' is used in the handling of the .MSSTYLES file. This discrepancy occurs between the time a DLL’s ('_vrf.dll') signature is verified and when the library loads, resulting in a race condition.
An attacker can exploit this race window by replacing a verified DLL with a malicious one using a specially crafted .MSSTYLES file. This allows them to execute arbitrary code on the target machine. Kirkpatrick's PoC exploit triggers the opening of the Windows Calculator when a user launches a theme file.
Kirkpatrick also noted that downloading a theme file from the internet activates the 'mark-of-the-web' warning, potentially alerting the user to the threat. However, this warning can be circumvented if the attacker packages the theme into a .THEMEPACK file, a type of CAB archive. When the CAB file is launched, the contained theme opens automatically without triggering the mark-of-the-web warning.
Microsoft addressed the issue by completely removing the 'version 999' functionality. However, Kirkpatrick points out that the underlying race condition is still present. Microsoft also did not address the lack of mark-of-the-web warnings for .THEMEPACK files. It is recommended that Windows users apply Microsoft's September 2023 security updates as soon as possible, as these updates fix two zero-day vulnerabilities currently being actively exploited, along with another 57 security issues in various applications and system components.