CVE-2023-38146 Analysis

Overview

CVE-2023-38146 is an arbitrary code execution vulnerability in Windows Themes, the file format responsible for customizing the appearance of the OS.

A .theme file is just a text file holding configuration for that customization.

Environment Setup

This vulnerability only exists starting with Windows 11, specifically in uxtheme.dll, so we can get a vulnerable version of the DLL from C:\Windows\WinSxS, where old versions of DLLs remain after an update.

The update was on 12-9-2023, so we need to grab a copy from before that date.

Placing the old DLL next to the component that loads it puts our vulnerable DLL first in the DLL search order, so the vulnerable version gets used instead of the patched one.

Analysis

Double-clicking the .theme file results in the following command being executed.

"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>

Firing up IDA on a vulnerable system and looking around the code, I found that an extension other than .theme is handled there.

Looking inside the .theme file, there is a reference to a .msstyles file, which is actually a DLL.

This DLL gets loaded as data into the address space of the process, and then a resource inside it gets checked.

If the version in the resource is equal to “999”, ReviseVersionIfNecessary gets called, which is the vulnerable function.

Let us check what happens inside it.

  • append _vrf.dll to the name of the .msstyles file
  • open it
  • check its signature
  • close the file
  • load the DLL
  • call verifyThemeVersion inside it

You may have noticed what can go wrong here: there is an obvious race condition (a time-of-check to time-of-use bug) between the signature verification and the load. If the location where the DLL resides is an attacker-controlled SMB server, the DLL can be replaced between the time of the check and the time of the load.
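To make the ordering problem in the steps above concrete, here is an added Python model of the check-then-load pattern and of the fix. It is not code from the original post or from Windows: Authenticode verification is replaced by a SHA-256 allowlist, "loading" is just reading the bytes back, and the `between` callback stands in for whatever the file server does between the two opens. The names `check_then_load`, `verify_what_you_load` and `demo`, and the file contents, are constructed for this example.

```python
"""Toy model of the check-then-load race in ReviseVersionIfNecessary (added example)."""
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed sample contents standing in for <name>_vrf.dll.
SIGNED_DLL = b"MZ-signed-verifier-stub"
TAMPERED_DLL = b"MZ-replaced-after-check"

# Stand-in for the signature check: the hash of the one DLL we trust.
TRUSTED_HASHES = {hashlib.sha256(SIGNED_DLL).hexdigest()}


def signature_ok(data: bytes) -> bool:
    """Simplified 'is this file signed' check over the bytes we were given."""
    return hashlib.sha256(data).hexdigest() in TRUSTED_HASHES


def check_then_load(path: str, between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Vulnerable ordering, mirroring the steps in the post:
    open -> check signature -> close -> load again *by path*.
    `between` models the file system changing between the two opens."""
    with open(path, "rb") as f:
        if not signature_ok(f.read()):
            return None
    if between:
        between()            # the window in which the remote file can change
    with open(path, "rb") as f:
        return f.read()      # second open re-reads whatever is there now


def verify_what_you_load(path: str, between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Hardened ordering: read the bytes once, verify those bytes, and use
    exactly those bytes. Later changes to the path no longer matter."""
    with open(path, "rb") as f:
        data = f.read()
    if between:
        between()            # the file may still change, but we never re-read it
    return data if signature_ok(data) else None


def demo() -> dict:
    """Run both orderings against a file that is swapped between check and use."""
    fd, path = tempfile.mkstemp(suffix="_vrf.dll")
    os.close(fd)
    results = {}

    def write(data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)

    def swap() -> None:
        write(TAMPERED_DLL)  # what a hostile file server could do mid-operation

    try:
        write(SIGNED_DLL)
        results["vulnerable"] = check_then_load(path, swap)
        write(SIGNED_DLL)
        results["hardened"] = verify_what_you_load(path, swap)
        write(TAMPERED_DLL)
        results["hardened_rejects_bad_file"] = verify_what_you_load(path)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable ordering passes the check on the signed bytes and then loads the replaced ones; the hardened ordering returns the bytes it actually verified, and rejects a file that was already replaced before the check. The general mitigation is the same one the model shows: verify the object you are about to use (the open handle or the mapped image), not a path that can be re-resolved to different content.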