Reports indicate that three critical flaws, including denial-of-service and remote code execution, have been discovered in the Microsoft Message Queuing service (MSMQ).
These vulnerabilities exist in the message header parser, which accepted unsanitized, crafted input in one of the message header fields.
MSMQ was developed by Microsoft to let separately hosted applications communicate with each other in a restricted manner that does not affect the system.
MSMQ queues messages that did not reach their destination and resends them when the destination systems become reachable.
Microsoft has released patches for these vulnerabilities.
This is an out-of-bounds memory access that exists due to a lack of bounds checks: EodHeader, StreamIdSize, and OrderQueueSize are not validated, potentially leading to a denial-of-service attack. The CVSS score for this vulnerability is 7.5 (High).
This is an out-of-bounds write vulnerability that exists due to a lack of bounds checks in CQmPacket::CQmPacket, which reads the message header without proper sanitization.
This could potentially lead to unauthenticated remote code execution. The CVSS score for this vulnerability is 9.8 (Critical).
This is an out-of-bounds write vulnerability that exists due to a lack of bounds checks when reading message headers whose data structures have not been sanity-checked.
This could potentially lead to unauthenticated remote code execution. The CVSS score for this vulnerability is 9.8 (Critical).
These flaws are reachable over TCP port 1801, the standard port used by MSMQ. An incoming message packet consists of required headers and many optional headers.
MQQM.DLL is responsible for parsing these message packets. The message header parser can handle concurrent messages, which makes fuzzing possible.
When researchers injected a custom unsigned DLL into services.exe, an error appeared because Code Integrity Guard (CIG) blocked the unsigned binary from loading. Untrusted binaries cannot be loaded or executed when User Mode Code Integrity (UMCI) is enforced.
As a workaround, the following steps were performed, with the help of documentation provided by Microsoft:
- Enable UMCI path exclusions.
- Enable UMCI audit mode.
- Before CI!CiInitializePolicy returns, the CI!g_CiDeveloperMode|2 bitmask must be set.
- PsProtectedLight must be unset on the target process via EPROCESS.Protection.
- DisableDynamicCode and AuditDisableDynamicCode must be unset on the target process via EPROCESS.MitigationFlagsValues.
After these steps, a custom DLL can be used to install a hook in the service host process, which enables monitoring of the creation and termination of the target process.
In addition, a debugger must also be attached, which gives complete control over the target process.
To capture a complete trace of the target process, the Windows Time Travel Debugging (TTD) tool is used. With some research, the researchers were able to craft a structure-aware fuzzer that aligns the data with the packet format.
BaseHeader, UserHeader, and MessagePropertiesHeader are some of the main headers that must be present in an MSMQ packet. TransactionHeader, SecurityHeader, DebugHeader, and SessionHeader are additional headers that can exist alongside the main headers.
However, one of the critical vulnerabilities existed because the message header parser does not properly sanitize one of the message headers.
The message header parser checks the message packets against the sequence of headers. This triggers an out-of-bounds write vulnerability in MSMQ.
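As an added illustration of the missing checks described above (the unvalidated EodHeader, StreamIdSize and OrderQueueSize fields, and the unsanitized header copy in the packet constructor), here is a bounds-checked parser for a constructed, simplified EOD-style header. This is example code written for this article, not Fortinet's or Microsoft's; the layout, field order and function names are assumptions and not the MS-MQQB wire format.

```c
#include <stdint.h>
#include <string.h>
/* Constructed, simplified EOD header layout for this example only; it is NOT the MS-MQQB
 * wire format, just the size fields the advisory names (all little-endian):
 *   u32 header_size | u32 stream_id_size | stream_id[] | u32 order_queue_size | order_queue[] */
typedef struct {
    uint32_t header_size, stream_id_size, order_queue_size;
    const uint8_t *stream_id, *order_queue;
} eod_header_t;
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Each size field is checked against the bytes actually present before it is used as an offset,
 * so a crafted StreamIdSize or OrderQueueSize cannot move the parser past the packet. 0 = ok, -1 = rejected. */
int parse_eod_header(const uint8_t *buf, size_t len, eod_header_t *h) {
    size_t off = 8;
    if (len < 8) return -1;
    h->header_size = rd32(buf);
    if (h->header_size < 12 || h->header_size > len) return -1; /* claims more than packet holds */
    h->stream_id_size = rd32(buf + 4);
    if (h->stream_id_size > h->header_size - off) return -1;    /* off <= header_size: no wrap */
    h->stream_id = buf + off;
    off += h->stream_id_size;
    if (h->header_size - off < 4) return -1;
    h->order_queue_size = rd32(buf + off);
    off += 4;
    if (h->order_queue_size > h->header_size - off) return -1;
    h->order_queue = buf + off;
    return 0;
}

/* Bounded copy into a fixed destination so a parsed size never drives an out-of-bounds write;
 * returns bytes copied, or -1 if the id would not fit. */
int copy_stream_id(const eod_header_t *h, char *dst, size_t dstlen) {
    if (h->stream_id_size >= dstlen) return -1;
    memcpy(dst, h->stream_id, h->stream_id_size);
    dst[h->stream_id_size] = '\0';
    return (int)h->stream_id_size;
}
int demo_copy(size_t dstlen) { /* copies a constructed 5-byte stream id into dstlen bytes */
    char dst[16]; eod_header_t h = { .stream_id_size = 5, .stream_id = (const uint8_t *)"hello" };
    return copy_stream_id(&h, dst, dstlen < sizeof dst ? dstlen : sizeof dst);
}

/* Builds a constructed 64-byte packet with the given size fields and parses it. */
int try_packet(uint32_t header_size, uint32_t stream_id_size, uint32_t order_queue_size) {
    uint8_t pkt[64] = {0}; eod_header_t h;
    wr32(pkt, header_size); wr32(pkt + 4, stream_id_size);
    if (stream_id_size < 40) wr32(pkt + 8 + stream_id_size, order_queue_size);
    return parse_eod_header(pkt, sizeof pkt, &h);
}
```

An oversized StreamIdSize, an OrderQueueSize that runs past the header, or a header_size larger than the packet are all rejected before any offset derived from them is dereferenced.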
Fortinet has published a complete report on these vulnerabilities, and Microsoft has released security patches for them. Users of these services are recommended to apply the Microsoft patches to prevent these vulnerabilities from being exploited.