
Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146

Disclosed
09/13/2023
Created
01/04/2024

Description

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the
msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll
file whose name ends in `_vrf.dll`. Before loading that file, it verifies that the file is signed. It does this by
opening the file for reading and verifying the signature, and only afterwards opening the file again for execution.
Because the check and the load are two discrete operations, the procedure is open to a time-of-check to
time-of-use (TOCTOU) race. By embedding a UNC file path to an SMB server we control, the SMB server can
serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name
when the host intends to load/execute the dll.
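The check-then-use gap in that description, reduced to a runnable model. This is an added example, not code from the Metasploit module or from Windows: the "dll" contents, the allow-listed SHA-256 that stands in for Authenticode verification, and the `between` hook that stands in for the SMB server answering differently on the second request are all constructed here. The racy loader opens the file once to verify and again to load, exactly the two-operation shape the page describes; the hardened loader verifies the same bytes it goes on to use, so whatever happens on the share between requests cannot change what is loaded.

```python
"""Toy model of a verify-then-load TOCTOU (added example; constructed data)."""
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed stand-ins for the two files the remote share could serve.
TRUSTED_DLL = b"MZ constructed-legitimately-signed-vrf-dll"
OTHER_DLL = b"MZ constructed-different-file-same-name"

# Allow-list of hashes stands in for signature verification.
ALLOWED_HASHES = {hashlib.sha256(TRUSTED_DLL).hexdigest()}


def is_trusted(data: bytes) -> bool:
    """Stand-in for the signature check: only allow-listed content passes."""
    return hashlib.sha256(data).hexdigest() in ALLOWED_HASHES


def racy_load(path: str, between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Two discrete operations: open to verify, close, open again to load.

    `between` models what a remote server may do between the two requests.
    Returns the bytes that would actually be executed, or None if the check failed.
    """
    with open(path, "rb") as f:
        if not is_trusted(f.read()):
            return None
    if between is not None:
        between()
    with open(path, "rb") as f:
        return f.read()  # second open: verification no longer covers these bytes


def safe_load(path: str, between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Single read: the bytes that were verified are the bytes that are used."""
    with open(path, "rb") as f:
        data = f.read()
    if between is not None:
        between()  # too late to matter: nothing is re-read from the path
    return data if is_trusted(data) else None


def demo() -> dict:
    """Run both loaders against a file that is swapped between check and use."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example_vrf.dll")  # hypothetical name

        def write(content: bytes) -> None:
            with open(path, "wb") as f:
                f.write(content)

        write(TRUSTED_DLL)
        racy = racy_load(path, between=lambda: write(OTHER_DLL))
        write(TRUSTED_DLL)
        safe = safe_load(path, between=lambda: write(OTHER_DLL))
        return {
            "racy_loaded_unverified": racy == OTHER_DLL,
            "safe_loaded_verified": safe == TRUSTED_DLL,
        }


if __name__ == "__main__":
    print(demo())
```

The general mitigation the model illustrates is to verify the same bytes, handle or mapping that will be executed rather than re-resolving the path, and from a detection standpoint a theme or msstyles file that points at a UNC path is itself the signal worth alerting on.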

Authors

gabe_k
bwatters-r7
Spencer McIntyre

Platform

Windows

Architectures

x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146
    msf /(6) > show actions
        ...actions...
    msf /(6) > set ACTION < action-name >
    msf /(6) > show options
        ...show and set options...
    msf /(6) > run
  