October 3, 2023

A researcher has released a working PoC for a vulnerability tracked as CVE-2023-38146, which has a CVSS score of 8.8. The code execution bug resides in Windows Themes and was part of this month's Patch Tuesday release.

Thijs Alkemade, Khaled Nassar, Daan Keuper from Computest Sector 7, and Gabe Kirkpatrick, the masterminds behind its discovery, showcased how exploitation could pave the way for attackers to execute arbitrary code.


To exploit the vulnerability, the attacker would have to persuade a targeted user to load a Windows Themes file, specifically a `.theme` file, on a system that has access to an attacker-managed SMB share.

For the uninitiated, a `.theme` file in the Windows environment serves as a means of customizing the OS's appearance. These files, fundamentally INI files, carry configuration details. When opened on Windows 11, a `.theme` file causes the following command to run:

`"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>`

This discovery was more concerned with the processing of `.msstyles` files, which are DLL files containing resources, such as icons, to be incorporated in a theme. They are not supposed to contain code.

The crux of the CVE-2023-38146 vulnerability lies in the version checking of themes. When the theme's version reads as 999, the loading code calls another function, dubbed `ReviseVersionIfNecessary`.

Kirkpatrick went the extra mile by developing a PoC to shed light on this issue. He employed an attacker-controlled SMB server because the `.theme` file might point to a `.msstyles` path on a remote SMB share. By controlling this SMB share, the attacker can exploit the TOCTOU bug in `ReviseVersionIfNecessary`.

Microsoft’s initial step towards mitigation was the removal of the “version 999” functionality during their September Patch Tuesday security update. However, this only counters this particular exploit and overlooks the TOCTOU concern in the .msstyles files’ signing.


The researcher’s recommendations for rectifying this vulnerability include:

  • Completely doing away with the “version 999” functionality.
  • Employing standard Windows procedures for signing and verifying the `_vrf.dll` binary.
  • Prohibiting the loading of resources from remote shares in theme files.
  • Introducing Mark-of-the-Web warnings to `.themepack` files.
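
A defender-side check that follows from the third recommendation, as an added example (it is not code from the researcher's PoC or from Microsoft): it parses a `.theme` file as the INI file it is and flags every value that points at a remote share, marking `.msstyles` references separately. The sample theme and its host name are constructed for illustration, and the function assumes the file has already been decoded to text.

```python
import configparser
import re

# Matches a UNC path (\\host\share\...) or its forward-slash form and captures the host.
UNC_RE = re.compile(r'^\s*"?(?:\\\\|//)([^\\/]+)[\\/]')

# Constructed sample; the host name is a placeholder, not an indicator from the page.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed sample

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg

[VisualStyles]
Path=\\fileserver.example\share\Aero.msstyles
ColorStyle=NormalColor
"""

def find_remote_refs(theme_text):
    """Return (section, key, host, value) for every value that is a UNC path."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values contain literal % signs (%SystemRoot%)
        strict=False,         # tolerate duplicate sections and keys
        allow_no_value=True,  # tolerate bare keys
        delimiters=("=",),    # ':' appears inside drive-letter paths
    )
    parser.optionxform = str  # keep key names as written
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            match = UNC_RE.match(value or "")
            if match:
                hits.append((section, key, match.group(1), value.strip('" ')))
    return hits

def is_remote_msstyles(hit):
    """True when the flagged value names a .msstyles file on a remote share."""
    return hit[3].lower().endswith(".msstyles")

if __name__ == "__main__":
    for hit in find_remote_refs(SAMPLE_THEME):
        label = "remote .msstyles" if is_remote_msstyles(hit) else "remote resource"
        print(f"{label}: [{hit[0]}] {hit[1]} -> host {hit[2]}")
```

Because it inspects every value rather than one named key, the check also catches wallpapers, icons or cursors referenced from a share.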
