New Windows Theme Zero-Day Vulnerability Let Attackers Steal Credentials


A new Windows Themes zero-day vulnerability, identical in nature to an earlier one, might allow attackers to obtain NTLM credentials of compromised systems. It was found during work on a fix for CVE-2024-38030, a medium-severity Windows Themes spoofing issue.

Acros Security researchers reported that even though Microsoft recently issued a patch (CVE-2024-38030) to address the associated problem, the risk was not entirely mitigated. 

The flaw affects several Windows platforms, including the most recent version of Windows 11 (24H2), possibly exposing a large number of users.

Windows Theme Zero-Day Vulnerability

Tomer Peled, a security researcher at Akamai, decided to investigate Windows theme files last year. 

He discovered that when a theme file specified a network file path for some of the theme properties (namely BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including the user's credentials.

This meant that a malicious theme file placed on the desktop or listed in a folder would be sufficient to leak user credentials without any further user activity.

Microsoft addressed this issue (CVE-2024-21320) three months after receiving the report. After the vulnerability information was disclosed, researchers developed patches for Windows computers that were no longer receiving Windows updates.

Tomer then examined Microsoft’s patch and discovered that it used the PathIsUNC function to determine whether a particular path in a theme file is a network path and, if so, disregarded it.

This would have stopped the leak of NTLM credentials if it weren’t for James Forshaw, who in 2016 detailed several methods of bypassing PathIsUNC.

Tomer discovered that the methods James had described could be used to bypass Microsoft’s CVE-2024-21320 patch. He reported this to Microsoft so they could try again. Microsoft fixed the patch and assigned the new issue CVE-2024-38030.

“While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2”, researchers said.

Therefore, researchers created a more comprehensive patch for Windows theme files, one that would address all execution paths that result in Windows sending a network request to a remote host specified in a theme file when the file is merely viewed.
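For defenders who want to triage theme files before they reach users, the following is an added example (not code from Acros, Akamai or Microsoft) that flags BrandImage and Wallpaper values that are not provably local. It deliberately uses an allowlist of local path shapes instead of a "is this a UNC path" test, which is the lesson of the PathIsUNC bypass above; the allowlist pattern and the sample theme are constructed assumptions.

```python
import configparser
import re

# Properties the article names as triggering the authenticated request.
WATCHED_KEYS = {"brandimage", "wallpaper"}

# Assumption: only these shapes count as local (drive-letter path or a
# well-known system variable). Everything else is reported, so the check
# does not depend on recognising every spelling of a remote path.
LOCAL_PATH = re.compile(
    r"^(?:[A-Za-z]:\\|%(?:SystemRoot|WinDir|ProgramFiles)%\\)(?![\\/])",
    re.IGNORECASE,
)

# Constructed sample, not taken from a real theme file.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed sample
BrandImage=\\fileserver.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg
"""


def audit_theme(text):
    """Return [(section, key, value)] for watched keys not provably local."""
    parser = configparser.ConfigParser(
        interpolation=None,    # treat %SystemRoot% and similar as literals
        strict=False,          # tolerate duplicate sections and keys
        allow_no_value=True,
        delimiters=("=",),     # ':' appears inside drive-letter paths
    )
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys arrive lowercased
            value = (value or "").strip().strip('"')
            if key in WATCHED_KEYS and value and not LOCAL_PATH.match(value):
                findings.append((section, key, value))
    return findings


if __name__ == "__main__":
    for section, key, value in audit_theme(SAMPLE_THEME):
        print(f"[{section}] {key} is not a local path: {value}")
```

The function takes already-decoded text, so a caller scanning mail attachments or download folders needs to read each `.theme` file with the right encoding first.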

With their micropatch service, 0patch users are already protected against this 0day. Since there is currently no official vendor fix for this “0day” vulnerability, 0patch is offering the micropatches for free until such a fix becomes available.

Micropatches were created for all currently supported Windows versions with all available Windows Updates installed, as well as for the security-adopted legacy versions of Windows Workstation:

 Legacy Windows versions:

  • Windows 11 v21H2 – fully updated
  • Windows 10 v21H2 – fully updated
  • Windows 10 v21H1 – fully updated
  • Windows 10 v20H2 – fully updated
  • Windows 10 v2004 – fully updated
  • Windows 10 v1909 – fully updated
  • Windows 10 v1809 – fully updated
  • Windows 10 v1803 – fully updated
  • Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3

 Windows versions still receiving Windows Updates:

  • Windows 10 v22H2 – fully updated
  • Windows 11 v22H2 – fully updated
  • Windows 11 v23H2 – fully updated
  • Windows 11 v24H2 – fully updated 

“Note that patches were only created for Windows Workstation but not for Windows Server.”

Researchers explain that “for Windows Themes to work on a server, the Desktop Experience feature needs to be installed (it’s not by default).”

“In addition, for credentials to leak on a server, it’s not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked, and the theme is thus applied.” 
