diff --git a/404.html b/404.html new file mode 100644 index 0000000..f8414f0 --- /dev/null +++ b/404.html @@ -0,0 +1,3 @@ + +404 Not Found +

404 Not Found

diff --git a/CNAME b/CNAME new file mode 100644 index 0000000..eaaa404 --- /dev/null +++ b/CNAME @@ -0,0 +1 @@ +exploits.forsale \ No newline at end of file diff --git a/index.html b/index.html new file mode 100644 index 0000000..4653fba --- /dev/null +++ b/index.html @@ -0,0 +1,24 @@ + + + + + + + + +exploits.forsale + + + + + +
+ + + CVE-2023-38146: Arbitrary Code Execution via Windows Themes + +
+ + + + \ No newline at end of file diff --git a/main.css b/main.css new file mode 100644 index 0000000..1e17c01 --- /dev/null +++ b/main.css 
@@ -0,0 +1 @@ +html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}blockquote,q{quotes:none}blockquote:before,blockquote:after,q:before,q:after{content:"";content:none}table{border-collapse:collapse;border-spacing:0}body{background:linear-gradient(30deg, #c8d8ea 0%, #fff 100%);color:#0b2441;font-size:18px;font-family:"Times New Roman",Times,serif;line-height:1.5;overflow-wrap:break-word;margin-top:2em;margin-bottom:2em}section{max-width:800px;width:100%;margin:0 auto}@media (max-width: 900px){section{padding:0 1em;box-sizing:border-box}}h1,h2,h3,h4,h5,h6{font-weight:700;margin-bottom:.5em;line-height:1.2;font-family:Verdana,Geneva,Tahoma,sans-serif}h1{font-size:2em}h2{font-size:1.6em}h3{font-size:1em}p,ul,ol{font-weight:300;line-height:1.7;font-size:1em;margin-bottom:1.2em}ul p,ol p{padding:0 0 !important}@media (max-width: 900px){ul,ol{list-style-position:inside}}li{padding:6px 0}em{font-style:italic}strong{font-weight:bold}blockquote{font-style:italic;border-left:3px solid #131313;max-width:600px}blockquote blockquote{margin-left:1em}blockquote p{margin-left:1em}a{font-weight:bold;text-decoration:none}pre,code{font-family:monospace;background:rgba(0,0,0,.0470588235);padding:.2em .5em}pre{box-sizing:border-box;padding:1em;display:block;margin:2em 0;font-size:.8em;line-height:1.4;white-space:pre-wrap;word-break:break-all;word-wrap:break-word;position:relative;width:872px;left:-36px;border:1px #000 
inset;background-color:#f9f9f9 !important}@media (max-width: 900px){pre{width:100%;left:0}}pre code{padding:0;font-size:100%;color:inherit;background-color:rgba(0,0,0,0)}small{font-size:.7em;margin:.2 0}small>p{line-height:1.5}.meta{box-sizing:border-box;border:#131313 2px dotted;padding:1em;display:inline-block}.meta>p{margin-bottom:1em}.icon{line-height:0;margin:0;padding:0} \ No newline at end of file diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000..ff029cc --- /dev/null +++ b/robots.txt @@ -0,0 +1,4 @@ +User-agent: * +Disallow: +Allow: / +Sitemap: https://exploits.forsale/sitemap.xml diff --git a/sitemap.xml b/sitemap.xml new file mode 100644 index 0000000..f6b0fb3 --- /dev/null +++ b/sitemap.xml @@ -0,0 +1,10 @@ + + + + https://exploits.forsale/ + + + https://exploits.forsale/themebleed/ + 2023-09-13 + + diff --git a/themebleed/index.html b/themebleed/index.html new file mode 100644 index 0000000..e5a86c2 --- /dev/null +++ b/themebleed/index.html @@ -0,0 +1,165 @@ + + + + + + + + +CVE-2023-38146: Arbitrary Code Execution via Windows Themes + + + + + +
+

CVE-2023-38146: Arbitrary Code Execution via Windows Themes

+

2023 - Sep 13 • gabe_k • + + + + Mastodon + + + + + mastodon + +

+ +

This is a fun bug I found while poking around at weird Windows file formats. It's a kind of classic Windows style vulnerability featuring broken signing, sketchy DLL loads, file races, cab files, and mark-of-the-web silliness. It was also my first experience submitting to the MSRC Windows bug bounty since leaving Microsoft in April of 2022.

+

In the great tradition of naming vulnerabilities, I've lovingly named this one ThemeBleed (no logo as of yet but I'm accepting submissions.)

+

Overall it was a lot of fun finding and PoC-ing this vulnerability, and MSRC was incredibly fast in responding and judging it for bounty :^]

+
+

Below is a slightly modified version of the report I sent to Microsoft. After the report is a timeline and my notes on their fix.

+
+

Summary

+

A series of issues exist on Windows 11 which can lead to arbitrary code being executed when a user loads a .theme file.

+

Bug Details

+

1. Background

+

On Windows, .theme files allow customization of the OS appearance. The .theme files themselves are ini files, which contain configuration details. Clicking on a .theme file on Windows 11 will invoke the following command:

+
"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>
+
+

This vulnerability specifically deals with the handling of .msstyles files. These are PE (DLL) files that contain resources such as icons to be used in a theme, but (should) contain no code. A .msstyles file can be referenced in a .theme file in the following way:

+
[VisualStyles]
+Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
+
+

When the .theme file is opened, the .msstyles file will also be loaded.

+

2. The "Version 999" Check

+

When loading a .msstyles file, the LoadThemeLibrary in uxtheme.dll will check the version of the theme. It will do this by loading the resource named PACKTHEM_VERSION from the binary. If the version it reads is 999, it will then call into another function ReviseVersionIfNecessary. A decompiled version of this function with the relevant parts commented can be seen below:

+
__int64 __fastcall LoadThemeLibrary(const WCHAR *msstyles_path, HMODULE *out_module, int *out_version)
+{
+  HMODULE module_handle;
+  signed int result;
+  int version;
+  signed int return_val;
+  unsigned int resource_size;
+  __int16 *version_ptr;
+
+  if ( out_version )
+    *out_version = 0;
+  module_handle = LoadLibraryExW(msstyles_path, 0, 2u);
+  if ( !module_handle )
+    return (unsigned int)MakeErrorLast();
+  result = GetPtrToResource(
+             module_handle,
+             L"PACKTHEM_VERSION",
+             (const unsigned __int16 *)1,
+             (void **)&version_ptr,
+             &resource_size); // !!! [1] version number is extracted from resource "PACKTHEM_VERSION"
+  if ( result < 0 || resource_size != 2 )
+    goto LABEL_22;
+  version = *version_ptr;
+  if ( out_version )
+    *out_version = version;
+  return_val = -2147467259;
+  if ( version >= 4 )
+  {
+    if ( version > 4 )
+      result = -2147467259;
+    return_val = result;
+  }
+  if ( return_val < 0 && (_WORD)version == 999 ) // !!! [2] special case for version 999
+  {
+    resource_size = 999;
+    return_val = ReviseVersionIfNecessary(msstyles_path, 999, (int *)&resource_size); // !!! [3] call to `ReviseVersionIfNecessary`
+...
+}
+
+

3. Time-of-Check-Time-of-Use in ReviseVersionIfNecessary Allows Signature Bypass

+

The ReviseVersionIfNecessary function which is called by the previous step performs several actions. Given a path to a .msstyles file, it will perform the following:

+ +

The goal of this appears to be to attempt to safely load a signed DLL and call a function. This implementation is flawed however, because the DLL is closed after verifying the signature in step 5, and then re-opened when the DLL is loaded via a call to LoadLibrary in step 6. This provides a race window between those two steps where an attacker may replace the _vrf.dll file that has had its signature verified, with a malicious one that is not signed. That malicious DLL will then be loaded and executed.

+

4. Mark-of-The-Web Bypass

+

If a user downloads a .theme file, upon launching it they will receive a security warning due to the presence of Mark-of-The-Web on the file. It turns out this can be bypassed by packaging the .theme file in a .themepack file.

+

A .themepack file is a cab file containing a .theme file. When a .themepack file is opened, the contained .theme file will be loaded. When opening a .themepack file with mark-of-the-web, no warning is displayed, so the warning that would normally be seen is bypassed.

+

Proof of Concept

+

I developed a PoC for this issue. The PoC consists of two components, an SMB server executable to be run on an attacker's machine, and a .theme file to be opened on the target's machine.

+

I chose to use an attacker controlled SMB server for this because a .theme file may point to a .msstyle path on a remote SMB share. Since the SMB share is attacker controlled, it can easily exploit the TOCTOU bug in ReviseVersionIfNecessary by returning a validly signed file when the client first requests it to check the signature, and then a malicious one when the client loads the DLL.

+

The PoC can be found here: https://github.com/gabe-k/themebleed

+

Environment Prep

+

To run the PoC you will need two machines, one attacker machine which will run the SMB server, and one target machine where you will load the .theme file. Below are the requirements for the respective machines:

+

Attacker machine

+ +

Target machine

+ +

Repro Steps

+
    +
  1. Create the .theme file by running: themebleed.exe <attacker machine ip> exploit.theme
  2. +
  3. On the attacker machine run: themebleed.exe server
  4. +
  5. On the target machine open exploit.theme
  6. +
+

This should result in the calculator opening on the target machine. This shows that arbitrary code has been executed.

+

Credits

+

The PoC makes use of the SMBLibrary by Tal Aloni

+

Conclusion

+

This is a reliable vulnerability that goes from loading a theme to downloading and executing code without memory corruption. Additionally this vulnerability appears to be new and only present in Windows 11. I would request that this submission be considered for bounty.

+

To fix this vulnerability I would recommend:

+ +
+

End of original report

+
+

Reporting Timeline

+ +

Microsoft Fix Analysis

+

Microsoft's released fix for the issue removed the "version 999" functionality entirely. While that migitates this specific exploit, it still does not address the TOCTOU issue in the signing of .msstyles files.

+

Additionally Microsoft has not added Mark-of-the-Web warnings on .themepack files.

+ +

extra thnx

+

lander brandt - wellness director
+squiffy - transportation coordinator
+doomy - cultural attache
+ian - covid response
+james willy - support (emotional/financial/millitary)

+ +
+ + + + \ No newline at end of file
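Review bot: in the robots.txt hunk the empty "Disallow:" directive already permits crawling of the whole site, so the "Allow: /" line after it is redundant; keep one or the other (an empty "Disallow:" is the form every crawler understands, while "Allow" is a later extension that not all of them honour). The "Sitemap:" line correctly points at the sitemap.xml added in the same commit.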
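Review bot: the TOCTOU section of themebleed/index.html refers to enumerated steps that this hunk does not contain. Under "3. Time-of-Check-Time-of-Use in ReviseVersionIfNecessary Allows Signature Bypass" the paragraph ends with "it will perform the following:", the list element after it renders empty ("+ +"), and the next paragraph then depends on "step 5" (signature verified, file closed) and "step 6" (LoadLibrary re-opens it); the same empty list appears under "Attacker machine", "Target machine", "To fix this vulnerability I would recommend:", "Reporting Timeline" and at the end of "Microsoft Fix Analysis", so the step references, the machine requirements, the recommended fixes and the disclosure timeline are all absent from the page as committed. Restore those list items before publishing. Two smaller points in the same hunk: in the LoadThemeLibrary listing the line "module_handle = LoadLibraryExW(msstyles_path, 0, 2u);" deserves a comment that flag value 2 is LOAD_LIBRARY_AS_DATAFILE, which is why the .msstyles itself is mapped as data and runs nothing, and why code execution only arrives through the separate _vrf.dll load inside ReviseVersionIfNecessary (the point the "(should) contain no code" sentence is making); and there are typos in "migitates" (Microsoft Fix Analysis) and "millitary" (extra thnx).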