Blog entry by Les Bell

Les Bell
by Les Bell - Friday, September 15, 2023, 10:32 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Vuln Discovered in Windows 11 Desktop Themes Code

One of the vulnerabilities fixed a few days ago in this month's Microsoft Patchday was CVE-2023-38146, a remote code execution vuln in the code which handles theme files for the Windows desktop background. Microsoft learned of the vuln via a bug bounty submission from security researcher Gabe Kirkpatrick, and judged CVE-2023-38146 important, with a CVSS 3.x score of 8.8 (high). Kirkpatrick dubbed the vulnerability 'Themebleed'.

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles

Windows desktop theme files (.theme files) are actually .ini text files, with a number of stanzas. Among these is a [VisualStyles] stanza, as shown above, which can load .msstyles files - but these are not text files; rather, they are DLL files which contain resources such as icons for the theme, and generally do not, and should not, contain code.

The .msstyles files get loaded by a function called LoadThemeLibrary() which, among things, checks the version number of the theme - normally stored in a resource called PACKTHEM_VERSION. However, if this is 999, it then calls a ReviseVersionIfNecessary() function, which attempts to load and call a VerifyThemeVersion() function from a related DLL file which is supplied as part of theme. (Can you see where this is going? 😁)

Now, any programmer with at least some concern for security will want to ensure this DLL is not malicious, and so the ReviseVersionIfNecessary() function checks that the file has a valid signature. But the function has a flaw: it opens the file to check its signature and then closes it before loading it as a DLL in order to call VerifyThemeVersion().

Now, boys and girls - can you spell Time of Check / Time of Use vulnerability? I knew you could! 🙂

Kirkpatrick obviously could, too - and set about developing a proof of concept exploit, which delivers the attack over the LAN via the SMB protocol. The PoC also adds an extra step - in order to avoid a pop-up UAC warning caused by the Mark of the Web on the .themes file, it is packed into a .themepack file.

As mentioned, Microsoft released their fix for this particular exploit in this week's Windows update - however, the fix works by simply removing the check for a 999 value in the theme version resource, and the TOC/TOU vulnerability in  VerifyThemeVersion() still remains, so related exploits could emerge.

Kirkpatrick, Gabe, CVE-2023-38146: Arbitrary Code Execution via Windows Themes, blog post, 13 September 2023. Available online at https://exploits.forsale/themebleed/.

Microsoft Uncovers Vulnerabilities in Linux Terminal Handling Code

One of the common assumptions in the open source community is that the older software packages which are core to that ecosystem must have had all the bugs and vulnerabilities distilled out of them by constant review and usage over the years. We treat many of the older products of the BSD and GNU projects that way, for example - after all, they date back to a simpler time, and the biggest enemy of security is complexity, so these 'simple' programs can't be a problem, right?

Wrong, as it turns out. It's an invalid assumption for a number of reasons - not least that many of these programs are not at all simple, as demonstrated by the case of the ncurses package, the 'new' version of the even older curses library for dumb terminal cursor management on UNIX/Linux systems. Many programs use ncurses - almost any text-mode full-screen program such as your favourite editor, be it vi, nano or emacs, various system admin tools and even the top utility for monitoring processes.

With the growth of minicomputers from the 1960's onwards, a variety of manufacturers - Televideo is one example that comes easily to mind - flooded the market with increasingly sophisticated serial-interface terminals, each manufacturer using its own 'command language' of escape sequences and control characters for functionality like cursor positioning, erasing sections of lines, entire lines or blocks of the screen area and other functionaity for use by programs. Things got even more complicated with different models having different screen sizes, windowing or screen-switching capabilities, extended character sets and primitive, box-drawing graphics capabilities.

In order to map the functionalities required by programs, such as screen-clearing and cursor positioning, to the different possibilities and escape sequences, the curses library was developed. This could be customised through termcap databases, which define the capabilities of different terminals and the escape sequences and control characters that drive them. Eventually, curses was replaced by the Free Software Foundation's ncurses package, which is even more capable.

Both curses and ncurses are configured by environment variables, especially TERMINFO, which points to any non-default directory where a termcap database can be found. If TERMINFO is undefined, then ncurses will look in the user's home directory for a .terminfo directory - but the home directory itself is defined by an environment variable: HOME. This opens up the possibility of introducing malicious termcap files and using environment variable poisoning to get them loaded.

What's worse is that terminfo is far from simple; its capabilities include a primitive stack-oriented programming language, rather like that found in Hewlett-Packard scientific programmable calculators, not to mention FORTH and the Postscript page description language. This little language might not be Turing-complete, but to a hacker (whether good or bad) the availability of a scripting or programming language opens up all kinds of delicious possibilities. What's more, the word stack is positively ripe with possibilities, conjuring up visions of buffer overflows and stack smashing attacks.

And sure enough, when some security researchers at Microsoft turned their attention to ncurses, using code review and fuzzing, that's exactly what they found: a number of exploitable memory mis-management vulnerabilities. The details are moderately technical and too detailed to go into here; suffice to say that they are enough to demolish the idea that 'mature' code is low-risk. Consider the fact that the top command on macOS is a setUID executable (unlike on Linux) and you can see that a buffer overflow in ncurses could be a useful path to a privilege escalation exploit.

The Microsoft researchers obviously disclosed what they had found, and the current maintainer of ncurses, Thomas E. Dickey, worked up fixes back in April, making this particular set of vulns of historical interest only. But perhaps this will alert black hats to revisit some old code, working up some new exploits. And in the meantime, the Microsoft blog piece is a fascinating read.

Microsoft Threat Intelligence, Uncursing the ncurses: Memory corruption vulnerabilities found in library, blog post, 14 September 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: