CVE-2023-38146
A vulnerability was found in Microsoft Windows 11 21H2/11 22H2 (Operating System). It has been rated as critical. Affected by this issue is an unknown function of the Themes component. Confidentiality, integrity, and availability are impacted.
The weakness was presented 09/12/2023 as confirmed security guidance (website). The advisory is available for download at portal.msrc.microsoft.com. This vulnerability is tracked as CVE-2023-38146. Successful exploitation requires user interaction by the victim. Technical details are unknown, but a public exploit is available. The current price for an exploit might be approx. USD 5k (estimation calculated on 10/11/2023).
The exploit is available at github.com. It is declared a proof-of-concept. As a 0-day, the estimated underground price was around 100k.
Applying a patch eliminates this problem. A possible mitigation was published immediately after the disclosure of the vulnerability.
exploit
The original exploit
┌──(kali㉿kali)-[~/archive/htb/labs/aero]
└─$ wget -q https://github.com/gabe-k/themebleed/releases/download/v1/ThemeBleed.zip ; unzip ThemeBleed.zip
Archive: ThemeBleed.zip
creating: ThemeBleed/data/
inflating: ThemeBleed/data/stage_1
inflating: ThemeBleed/data/stage_2
inflating: ThemeBleed/data/stage_3
inflating: ThemeBleed/SMBLibrary.dll
inflating: ThemeBleed/SMBLibrary.Win32.dll
inflating: ThemeBleed/ThemeBleed.exe
inflating: ThemeBleed/ThemeBleed.pdb
The author included 3 binary files in the data directory; the data/stage_3 file is the final DLL payload, which launches calc.exe as the PoC.
- In order to gain a foothold, I would need to supply a custom DLL payload and name it stage_3
- The author also noted that the custom DLL must be created with an export named VerifyThemeVersion, containing the code
- A custom DLL payload will be created
- ThemeBleed.exe is a Windows-specific executable; exploitation must be conducted from a Windows host