ThemeBleed – Code Execution Vulnerability In Windows 11 Themes

A researcher found an interesting vulnerability in Windows 11 Themes that could allow arbitrary code execution. Dubbed “ThemeBleed,” the vulnerability existed due to several other issues that together allowed code execution attacks. Microsoft patched the flaw following the bug report.

PoC Exploit Available For Windows 11 Themes Vulnerability

In a recent post, security researcher Gabe Kirkpatrick has shared details about a serious security vulnerability affecting Windows 11 Themes.

As explained, the researcher observed the issue with .theme files that enable users to customize their operating system appearance. These files include configuration details, and the vulnerability affected the .msstyles files that contain icons.

While these .msstyles files should include no code, the researcher found them otherwise. Thus, opening a .theme file also loaded the .msstyles file and the code.

Next, loading the .msstyles file triggers a theme version check, and encountering version 999 calls another function to load a signed DLL safely. However, due to the DLL closure following the signature verification and the subsequent reloading, a race condition appeared between these steps. An adversary could easily replace the verified DLL with a malicious one, which will then be executed.

Another vulnerability affecting the .theme file is bypassing the Mark-of-the-Web warning by wrapping the theme into a .themepack cab archive file.

Hence, chaining these vulnerabilities allowed an adversary to trick the victims into running maliciously crafted .theme files. Once done, the attacker could achieve code execution on the target device without memory corruption.

The researcher has shared the PoC exploit for this flaw on GitHub, confirming that the issue typically affects Windows 11.

Following this discovery, Kirkpatrick reported the matter to Microsoft in May 2023. The tech giant acknowledged the vulnerability and rewarded the researcher with a $5000 bounty.

Besides, Microsoft labeled this flaw (CVE-2023-38146) as an important severity issue, releasing the patch with September Patch Tuesday updates.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients