Tuesday, October 15, 2024

Microsoft Message Queuing Service Flaw Allows DoS and RCE Attacks


Reports indicate that three critical flaws, including Denial-of-Service and remote code execution, have been discovered in the Microsoft Message Queuing Service (MSMQ).

These vulnerabilities exist in the message header parser, which accepted unsanitized, crafted input in one of the message header fields.

MSMQ was developed by Microsoft to let separately hosted applications communicate with each other in a restricted manner that does not affect the rest of the system.


MSMQ queues messages that did not reach their destination and resends them when the destination system becomes reachable again.

Microsoft has since released patches for all three vulnerabilities.

CVE-2023-28302:

This is an out-of-bounds access that exists due to a lack of bounds checks: the EodHeader, StreamIdSize, and OrderQueueSize fields are not validated, potentially leading to a Denial-of-Service condition. The CVSS score for this vulnerability is 7.5 (High).

CVE-2023-21554:

This is an out-of-bounds write vulnerability that exists due to a lack of bounds checks in CQmPacket::CQmPacket, which reads the message header without proper sanitization.

This could potentially lead to unauthenticated remote code execution. The CVSS score for this vulnerability is given as 9.8 (Critical).

CVE-2023-32057:

This is an out-of-bounds write vulnerability that exists due to a lack of bounds checks when reading message headers whose data structures have not been sanity-checked.

This could potentially lead to unauthenticated remote code execution. The CVSS Score for this vulnerability is given as 9.8 (Critical).

Technical Analysis

These flaws are reachable over port 1801, the standard TCP port used by MSMQ. An incoming message packet consists of a set of required headers and many optional headers.

MQQL.DLL is responsible for parsing these message packets. The message header parser handles messages concurrently, which makes it well suited to fuzzing.

When the researchers injected a custom unsigned DLL into services.exe, an error appeared because Code Integrity Guard (CIG) blocked the unsigned binary from loading. Untrusted binaries cannot be loaded or executed while User Mode Code Integrity (UMCI) is enforced.

CIG blocks unsigned custom DLL (Source: Fortinet)

As a workaround, the following steps were performed, guided by the documentation provided by Microsoft:

  1. Enable UMCI path exclusions.
  2. Enable UMCI audit mode.
  3. Before CI!CiInitializePolicy returns, set the CI!g_CiDeveloperMode | 2 bitmask.
  4. Unset PsProtectedLight on the target process via EPROCESS.Protection.
  5. Unset DisableDynamicCode and AuditDisableDynamicCode on the target process via EPROCESS.MitigationFlagsValues.

After these steps, a custom DLL can be used to install a hook on the service host process, which enables monitoring of the creation and termination of the target process.

In addition, a debugger must be attached, which gives complete control over the target process.

To capture a complete trace of the target process, the Windows Time-Travel Debugger (TTD) is used. With a little research, the researchers were able to craft a structure-aware fuzzer that aligns its data with the packet format.

BaseHeader, UserHeader, and MessagePropertiesHeader are among the main headers that must be present in an MSMQ packet. TransactionHeader, SecurityHeader, DebugHeader, and SessionHeader are additional headers that can exist alongside the main headers.

The sequence of the Message packet headers (Source: Fortinet)

However, one of the critical vulnerabilities exists because the message header parser does not properly sanitize one of these message headers.

The message header parser walks the packet according to the sequence of headers, and a crafted header in that sequence triggers an out-of-bounds write in MSMQ.
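The common thread in these three CVEs is a declared size field that the parser trusts before checking it against the bytes actually received. The following added example (not code from the Fortinet report or from MSMQ itself) shows how a defender would expect such fields to be validated, using an illustrative length-prefixed layout with fields named after the page's StreamIdSize and OrderQueueSize; the layout, the per-field cap, and the sample packets are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative length-prefixed layout (NOT the real MSMQ wire format):
 *   u32 stream_id_size, u8 stream_id[...], u32 order_queue_size, u8 order_queue[...]
 * The bug class on the page is trusting such declared sizes without checking
 * them against the bytes actually received. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_OVERSIZE = 2 };
#define MAX_FIELD 256u  /* assumed per-field cap; real limits are protocol policy */

typedef struct {
    const uint8_t *stream_id;   uint32_t stream_id_size;
    const uint8_t *order_queue; uint32_t order_queue_size;
} parsed_hdr;

/* Read a little-endian u32 only if 4 bytes remain in the buffer. */
static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out) {
    if (len - *off < 4) return 0;
    *out = (uint32_t)buf[*off] | (uint32_t)buf[*off + 1] << 8 |
           (uint32_t)buf[*off + 2] << 16 | (uint32_t)buf[*off + 3] << 24;
    *off += 4;
    return 1;
}

/* Read one length-prefixed field, validating the declared size against a
 * sane cap and against the remaining buffer before it is ever used. */
static int read_field(const uint8_t *buf, size_t len, size_t *off,
                      const uint8_t **data, uint32_t *size) {
    uint32_t n;
    if (!read_u32(buf, len, off, &n)) return PARSE_TRUNCATED;
    if (n > MAX_FIELD) return PARSE_OVERSIZE;      /* reject absurd sizes first */
    if (n > len - *off) return PARSE_TRUNCATED;    /* declared > received */
    *data = buf + *off; *size = n; *off += n;
    return PARSE_OK;
}

int parse_header(const uint8_t *buf, size_t len, parsed_hdr *h) {
    size_t off = 0;
    int rc = read_field(buf, len, &off, &h->stream_id, &h->stream_id_size);
    if (rc != PARSE_OK) return rc;
    return read_field(buf, len, &off, &h->order_queue, &h->order_queue_size);
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t GOOD_PKT[]  = {3,0,0,0,'a','b','c', 5,0,0,0,'q','u','e','u','e'};
const uint8_t SHORT_PKT[] = {3,0,0,0,'a'};                   /* claims 3, has 1 */
const uint8_t HUGE_PKT[]  = {0xff,0xff,0xff,0xff,'a','b'};   /* claims 4 GiB   */
```

A parser that skipped the two checks in read_field would compute a pointer past the end of the buffer for SHORT_PKT and HUGE_PKT, which is the out-of-bounds condition the page describes.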

Fortinet has published a complete report on these vulnerabilities, and Microsoft has released security patches for them. Users of this service are advised to apply the Microsoft patches to prevent these vulnerabilities from being exploited.

Protection Signatures

  • MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution
  • MS.Windows.Message.Queuing.Service.CVE-2023-28302.DoS
  • MS.Windows.Message.Queuing.Service.CVE-2023-21769.DoS
  • MS.Windows.MSMQ.CompoundMessage.Remote.Code.Execution


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
