Saturday, June 15, 2024

Microsoft Message Queuing Service Flaw Allows DoS and RCE Attacks

Reports indicate that three flaws, one Denial of Service (DoS) and two remote code execution (RCE) vulnerabilities, have been discovered in the Microsoft Message Queuing Service (MSMQ).

These vulnerabilities exist in the message header parser, which accepts crafted, unsanitized values in one of the message header fields.

MSMQ was developed by Microsoft to let separately hosted applications communicate with each other in a controlled manner that does not affect the rest of the system.

MSMQ queues messages that did not reach their destination and resends them when the destination system becomes reachable.

Microsoft has since released patches for all three vulnerabilities.

CVE-2023-28302:

This is an out-of-bounds vulnerability caused by missing bounds checks: the EodHeader, StreamIdSize, and OrderQueueSize values are not validated, which can lead to a Denial of Service. Its CVSS score is 7.5 (High).

CVE-2023-21554:

This is an out-of-bounds write vulnerability caused by missing bounds checks in CQmPacket::CQmPacket, which reads the message header without proper sanitization.

It can lead to unauthenticated remote code execution. Its CVSS score is 9.8 (Critical).

CVE-2023-32057:

This is an out-of-bounds write vulnerability caused by missing bounds checks when reading message headers whose data structures have not been sanity-checked.

It can lead to unauthenticated remote code execution. Its CVSS score is 9.8 (Critical).

Technical Analysis

These flaws are reachable over TCP port 1801, the standard port used by MSMQ. An incoming message packet consists of several required headers followed by many optional headers.

MQQM.DLL is responsible for parsing these message packets. The header parser handles multiple messages concurrently, which makes it practical to fuzz.

When the researchers injected a custom unsigned DLL into services.exe, an error popped up: Code Integrity Guard (CIG) blocked the unsigned binary from loading. Untrusted binaries cannot be loaded or executed while User Mode Code Integrity (UMCI) is enforced.

CIG blocks unsigned custom DLL (Source: Fortinet)

As a workaround, the following steps were performed, guided by the documentation Microsoft provides:

  1. Enable UMCI path exclusions.
  2. Enable UMCI audit mode.
  3. Set the CI!g_CiDeveloperMode|2 bitmask before CI!CiInitializePolicy returns.
  4. Unset PsProtectedLight on the target process via EPROCESS.Protection.
  5. Unset DisableDynamicCode and AuditDisableDynamicCode on the target process via EPROCESS.MitigationFlagsValues.

After these steps, the custom DLL can be used to install a hook in the service host process, which allows monitoring the creation and termination of the target process.

In addition, a debugger must be attached, which gives complete control over the target process.

To capture a complete trace of the target process, Windows Time Travel Debugging (TTD) is used. After some research, the researchers built a structure-aware fuzzer that keeps its mutated data aligned with the packet format.

BaseHeader, UserHeader, and MessagePropertiesHeader are the main headers that must be present in an MSMQ packet. TransactionHeader, SecurityHeader, DebugHeader, and SessionHeader are optional headers that may follow the main headers.

The sequence of the Message packet headers (Source: Fortinet)

One of the critical vulnerabilities exists because the parser does not properly sanitize one of these message headers.

The parser walks the headers in the order they appear, trusting the size values it reads from them, so a crafted header triggers an out-of-bounds write in MSMQ.
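To make that parser behaviour concrete, here is an added example in C; it is not code from this article, from Fortinet's report, or from Microsoft. It models a hypothetical, simplified header chain, not the real MS-MQQB layout: only the "LIOR" signature is taken from MSMQ, while the header types, field sizes and names are assumptions. parse_unchecked trusts PacketSize and each per-header size field the way the missing checks described above do, so an oversized StreamIdSize makes memcpy write past the destination field. parse_checked validates every length against the bytes actually received, the declared PacketSize, and the destination field. build_packet constructs the format-aligned inputs (including the oversized one) that a structure-aware fuzzer would mutate; the sample packets are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified header chain for illustration only; NOT the real
 * MS-MQQB wire format. Base header: "LIOR" (the real MSMQ signature) followed
 * by uint16 PacketSize covering the whole packet. Each following header:
 * uint8 type, uint8 reserved, uint16 size, then `size` body bytes. */
#define MSG_SIGNATURE   "LIOR"
#define BASE_HDR_LEN    6
#define OPT_HDR_LEN     4
#define HDR_STREAM_ID   0x01
#define HDR_ORDER_QUEUE 0x02
#define STREAM_ID_MAX   16
#define ORDER_QUEUE_MAX 32

enum parse_status { PARSE_OK = 0, PARSE_BAD_SIGNATURE, PARSE_BAD_PACKET_SIZE,
                    PARSE_TRUNCATED_HEADER, PARSE_FIELD_TOO_LARGE, PARSE_UNKNOWN_HEADER };

struct parsed_msg {
    uint8_t  stream_id[STREAM_ID_MAX];     uint16_t stream_id_size;
    uint8_t  order_queue[ORDER_QUEUE_MAX]; uint16_t order_queue_size;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed input: one optional header whose size field is body_size and
 * whose body is 0x41 filler. Returns the packet length, or 0 if it won't fit. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t type, uint16_t body_size)
{
    size_t total = BASE_HDR_LEN + OPT_HDR_LEN + (size_t)body_size;
    if (total > cap || total > UINT16_MAX) return 0;
    memcpy(buf, MSG_SIGNATURE, 4);
    buf[4] = (uint8_t)total;      buf[5] = (uint8_t)(total >> 8);
    buf[6] = type;                buf[7] = 0;
    buf[8] = (uint8_t)body_size;  buf[9] = (uint8_t)(body_size >> 8);
    memset(buf + 10, 0x41, body_size);
    return total;
}

/* Vulnerable pattern: PacketSize and every per-header size are trusted, the
 * same class of missing check described for StreamIdSize/OrderQueueSize. */
int parse_unchecked(const uint8_t *pkt, struct parsed_msg *out)
{
    memset(out, 0, sizeof *out);
    if (memcmp(pkt, MSG_SIGNATURE, 4) != 0) return PARSE_BAD_SIGNATURE;
    uint16_t packet_size = rd16(pkt + 4);              /* never compared to buffer length */
    for (size_t off = BASE_HDR_LEN; off < packet_size; ) {
        uint8_t type = pkt[off];
        uint16_t size = rd16(pkt + off + 2);
        const uint8_t *body = pkt + off + OPT_HDR_LEN;
        if (type == HDR_STREAM_ID) {
            memcpy(out->stream_id, body, size);        /* OOB write when size > 16 */
            out->stream_id_size = size;
        } else if (type == HDR_ORDER_QUEUE) {
            memcpy(out->order_queue, body, size);      /* OOB write when size > 32 */
            out->order_queue_size = size;
        } else return PARSE_UNKNOWN_HEADER;
        off += OPT_HDR_LEN + size;
    }
    return PARSE_OK;
}

/* Hardened: each length is checked against the bytes actually received,
 * then against PacketSize, then against the destination field. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct parsed_msg *out)
{
    memset(out, 0, sizeof *out);
    if (pkt_len < BASE_HDR_LEN || memcmp(pkt, MSG_SIGNATURE, 4) != 0) return PARSE_BAD_SIGNATURE;
    uint16_t packet_size = rd16(pkt + 4);
    if (packet_size < BASE_HDR_LEN || packet_size > pkt_len) return PARSE_BAD_PACKET_SIZE;
    for (size_t off = BASE_HDR_LEN; off < packet_size; ) {
        if (packet_size - off < OPT_HDR_LEN) return PARSE_TRUNCATED_HEADER;
        uint8_t type = pkt[off];
        uint16_t size = rd16(pkt + off + 2);
        if (size > packet_size - off - OPT_HDR_LEN) return PARSE_TRUNCATED_HEADER;
        const uint8_t *body = pkt + off + OPT_HDR_LEN;
        if (type == HDR_STREAM_ID) {
            if (size > STREAM_ID_MAX) return PARSE_FIELD_TOO_LARGE;
            memcpy(out->stream_id, body, size);
            out->stream_id_size = size;
        } else if (type == HDR_ORDER_QUEUE) {
            if (size > ORDER_QUEUE_MAX) return PARSE_FIELD_TOO_LARGE;
            memcpy(out->order_queue, body, size);
            out->order_queue_size = size;
        } else return PARSE_UNKNOWN_HEADER;
        off += OPT_HDR_LEN + size;
    }
    return PARSE_OK;
}

int main(void)
{
    uint8_t buf[256];
    struct parsed_msg msg;
    size_t n = build_packet(buf, sizeof buf, HDR_STREAM_ID, 8);
    int rc = parse_checked(buf, n, &msg);
    printf("StreamIdSize=8:                checked=%d stream_id_size=%u\n", rc, (unsigned)msg.stream_id_size);
    n = build_packet(buf, sizeof buf, HDR_STREAM_ID, 64);          /* field holds only 16 */
    rc = parse_checked(buf, n, &msg);
    printf("StreamIdSize=64:               checked=%d (parse_unchecked would memcpy 64 bytes)\n", rc);
    n = build_packet(buf, sizeof buf, HDR_ORDER_QUEUE, 8);
    rc = parse_checked(buf, n - 4, &msg);                          /* PacketSize > bytes received */
    printf("PacketSize > received length:  checked=%d\n", rc);
    return 0;
}
```

The oversized packet is deliberately only handed to parse_checked: feeding it to parse_unchecked reproduces the flaw class (64 bytes copied into a 16-byte field), which is the behaviour a fuzzer with TTD attached would catch, not something to run in a harness. Note that the three checks are ordered from the outside in: the received length first, so PacketSize itself can never be used to read past the buffer, then each header's size against what remains of the packet, then the size against the fixed-size destination.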

Fortinet has published a complete report on these vulnerabilities, and Microsoft has released security patches for them. Users of MSMQ are advised to apply the Microsoft patches to prevent these vulnerabilities from being exploited.

Protection Signatures

  • MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution
  • MS.Windows.Message.Queuing.Service.CVE-2023-28302.DoS
  • MS.Windows.Message.Queuing.Service.CVE-2023-21769.DoS
  • MS.Windows.MSMQ.CompoundMessage.Remote.Code.Execution


Eswar

Eswar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.
