TL;DR: While patching CVE-2024-38030, we found another similar issue, reported it to Microsoft and created free micropatches for 0patch users on both legacy and still-supported Windows versions so they don’t have to wait for an official patch.

When last year Akamai security researcher Tomer Peled decided to look into Windows themes files, they found that when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user’s NTLM credentials when such theme file would be viewed in Windows Explorer. This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action.

Microsoft patched this issue (CVE-2024-21320) three months after receiving the report, and when vulnerability details were shared, we created patches for Windows systems that were no longer receiving Windows updates.

Tomer then looked at Microsoft’s patch and noticed that it used function PathIsUNC to check if a given path in a theme file is a network path, and if so, disregarded such path. This should have prevented NTLM credentials leaks, if it weren’t for James Forshaw, who described multiple ways of bypassing function PathIsUNC back in 2016. Tomer noticed that tricks described by James could be used to bypass Microsoft’s patch for CVE-2024-21320, and reported that to Microsoft so they could try again.

Microsoft did fix their patch and assigned CVE-2024-38030 to the new issue.

When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well. (We admit, we trusted Microsoft’s choice on using PathIsUNC, but will be more careful going forward.) While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.

So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.

We were surprised Microsoft did not find this additional instance when fixing Tomer’s initially reported issue. Namely, in their blog post about “Additional Fixes” Microsoft described their process of finding “variations” of reported vulnerabilities:

“The MSRC Engineering team reviews the affected component of each
externally reported vulnerability. One part of the review is the
“Hacking for Variations” (HfV) stage, which helps mitigate the threat of
variants being discovered after the update is released. The HfV process
is jointly undertaken by MSRC-Engineering and the product team. It
involves reviewing the source code and the bug database as well as
fuzzing the component and hurling it through our gauntlet of tools; many
of which are new or have been updated since the component was first
written.”

Admittedly, said blog post was issued in 2011, and the only other Google hits on “Hacking for Variations” are also from 2011 or earlier. In any case, looking for bug variations seems like something every software vendor should be doing when learning about a security issue in their product.

Be that as it may, we reported our 0day to Microsoft and will withhold details from public until they have re-fixed their patch. Meanwhile, 0patch users are already protected against this 0day with our micropatch.

Here’s a video of this 0day, and of our micropatch fixing it. The video shows fully updated Windows 11 24H2 (on the left side), which includes Microsoft’s patches for CVE-2024-21320 and CVE-2024-38030. As you can see, just copying a malicious theme file to desktop results in a network connection with user’s NTLM credentials to attacker’s machine (on the right side). Subsequently, 0patch is enabled on Windows, and now copying the same theme file to desktop results in no network connections and no credentials leak because our patch has correctly detected a network path in the theme file, and blocked it.

Micropatch Availability

Since
this is a “0day” vulnerability with no official vendor fix available,
we are providing our micropatches for free until such fix becomes
available.

Micropatches were written both for our security-adopted legacy versions of Windows Workstation, and all still-supported Windows versions with all available Windows Updates installed:

 

 Legacy Windows versions:

Windows 11 v21H2 – fully updatedWindows 10 v21H2 – fully updatedWindows 10 v21H1 – fully updatedWindows 10 v20H2 – fully updatedWindows 10 v2004 – fully updatedWindows 10 v1909 – fully updatedWindows 10 v1809 – fully updatedWindows 10 v1803 – fully updatedWindows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3

 Windows versions still receiving Windows Updates:

Windows 11 v22H2 – fully updatedWindows 10 v23H2 – fully updatedWindows 10 v24H2 – fully updated 

 

Note that patches were only created for Windows Workstation but not for Windows Server. This is because for Windows Themes to work on a server, the Desktop Experience feature needs to be installed (it’s not by default). In addition, for credentials leak to occur on a server it’s not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked and the theme thus applied. Actually applying a Windows theme from an untrusted source is, from the security perspective, not very different from launching an untrusted executable. Getting a user to view a theme file in Windows Explorer, on the other hand, may be a simple matter of forcing a download of the theme file while the user is on attacker’s web page, then waiting for the user to open the Downloads folder (depending on the view type of the Downloads folder).

Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you’re using Windows that aren’t
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won’t be exploited on your computers – and you won’t
even have to know or care about these things.

If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.

We would like to thank Tomer Peled of Akamai for sharing details of CVE-2024-38030. This prompted us to take a deeper look at theme files, find this additional issue, and allowed us to create a micropatch to fix it for 0patch users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Article Link: 0patch Blog: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day)

1 post – 1 participant

Read full topic

​TL;DR: While patching CVE-2024-38030, we found another similar issue, reported it to Microsoft and created free micropatches for 0patch users on both legacy and still-supported Windows versions so they don’t have to wait for an official patch.When last year Akamai security researcher Tomer Peled decided to look into Windows themes files, they found that when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user’s NTLM credentials when such theme file would be viewed in Windows Explorer. This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action.Microsoft patched this issue (CVE-2024-21320) three months after receiving the report, and when vulnerability details were shared, we created patches for Windows systems that were no longer receiving Windows updates.Tomer then looked at Microsoft’s patch and noticed that it used function PathIsUNC to check if a given path in a theme file is a network path, and if so, disregarded such path. This should have prevented NTLM credentials leaks, if it weren’t for James Forshaw, who described multiple ways of bypassing function PathIsUNC back in 2016. Tomer noticed that tricks described by James could be used to bypass Microsoft’s patch for CVE-2024-21320, and reported that to Microsoft so they could try again.Microsoft did fix their patch and assigned CVE-2024-38030 to the new issue. When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well. (We admit, we trusted Microsoft’s choice on using PathIsUNC, but will be more careful going forward.) While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.We were surprised Microsoft did not find this additional instance when fixing Tomer’s initially reported issue. Namely, in their blog post about “Additional Fixes” Microsoft described their process of finding “variations” of reported vulnerabilities:”The MSRC Engineering team reviews the affected component of each
externally reported vulnerability. One part of the review is the
“Hacking for Variations” (HfV) stage, which helps mitigate the threat of
variants being discovered after the update is released. The HfV process
is jointly undertaken by MSRC-Engineering and the product team. It
involves reviewing the source code and the bug database as well as
fuzzing the component and hurling it through our gauntlet of tools; many
of which are new or have been updated since the component was first
written.”Admittedly, said blog post was issued in 2011, and the only other Google hits on “Hacking for Variations” are also from 2011 or earlier. In any case, looking for bug variations seems like something every software vendor should be doing when learning about a security issue in their product. Be that as it may, we reported our 0day to Microsoft and will withhold details from public until they have re-fixed their patch. Meanwhile, 0patch users are already protected against this 0day with our micropatch.Here’s a video of this 0day, and of our micropatch fixing it. The video shows fully updated Windows 11 24H2 (on the left side), which includes Microsoft’s patches for CVE-2024-21320 and CVE-2024-38030. As you can see, just copying a malicious theme file to desktop results in a network connection with user’s NTLM credentials to attacker’s machine (on the right side). Subsequently, 0patch is enabled on Windows, and now copying the same theme file to desktop results in no network connections and no credentials leak because our patch has correctly detected a network path in the theme file, and blocked it.Micropatch AvailabilitySince
this is a “0day” vulnerability with no official vendor fix available,
we are providing our micropatches for free until such fix becomes
available. Micropatches were written both for our security-adopted legacy versions of Windows Workstation, and all still-supported Windows versions with all available Windows Updates installed:  Legacy Windows versions:Windows 11 v21H2 – fully updatedWindows 10 v21H2 – fully updatedWindows 10 v21H1 – fully updatedWindows 10 v20H2 – fully updatedWindows 10 v2004 – fully updatedWindows 10 v1909 – fully updatedWindows 10 v1809 – fully updatedWindows 10 v1803 – fully updatedWindows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3 Windows versions still receiving Windows Updates:Windows 11 v22H2 – fully updatedWindows 10 v23H2 – fully updatedWindows 10 v24H2 – fully updated   Note that patches were only created for Windows Workstation but not for Windows Server. This is because for Windows Themes to work on a server, the Desktop Experience feature needs to be installed (it’s not by default). In addition, for credentials leak to occur on a server it’s not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked and the theme thus applied. Actually applying a Windows theme from an untrusted source is, from the security perspective, not very different from launching an untrusted executable. Getting a user to view a theme file in Windows Explorer, on the other hand, may be a simple matter of forcing a download of the theme file while the user is on attacker’s web page, then waiting for the user to open the Downloads folder (depending on the view type of the Downloads folder).Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you’re using Windows that aren’t
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won’t be exploited on your computers – and you won’t
even have to know or care about these things. If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.We would like to thank Tomer Peled of Akamai for sharing details of CVE-2024-38030. This prompted us to take a deeper look at theme files, find this additional issue, and allowed us to create a micropatch to fix it for 0patch users.Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.
To learn more about 0patch, please visit our Help Center.
Article Link: 0patch Blog: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day)
1 post – 1 participant
Read full topic