Thursday, February 22, 2024

Microsoft Message Queuing Service Flaw Allows DoS and RCE Attacks

Reports indicate that there have been three critical flaws including DDoS and Remote code execution discovered in the Microsoft Message Queuing Service (MMQS).

These vulnerabilities existed in the message parser header that allowed unsanitized crafted message-headed inputs in one of the message header fields.

MMQS was developed by Microsoft for enabling separately hosted applications to communicate with each other in a restricted manner that does not affect the system.

MSMQ queues the messages that did not reach the destination and resend them when the destination systems become reachable.

However, Microsoft has released patches for these vulnerabilities.


This is an out-of-bounds that exists due to a lack of bounds checks as EodHeader, StreamIdSize, and OrderQueueSize are not validated potentially leading to a Denial-of-Service attack. The CVSS score for this vulnerability is given as 7.5 (High).


This is an out-of-bounds write vulnerability that exists due to the lack of bound checks in CQmPacket::CQmPacket which reads the message header without proper sanitization.

This could potentially lead to unauthenticated remote code execution. The CVSS score for this vulnerability is given as 9.8 (Critical).


This is an out-of-bounds write vulnerability that exists due to a lack of bounds when reading message headers that have not performed a sanity check on their data structure.

This could potentially lead to unauthenticated remote code execution. The CVSS Score for this vulnerability is given as 9.8 (Critical).

Technical Analysis

These flaws exist in port 1801, which is the standard TCP port used for MMQS. The incoming message packet consists of required headers and many optional headers.

MQQL.DLL is responsible for parsing these message packets. The message header parser can handle concurrent messages which allows fuzzing.

When researchers injected a custom unsigned DLL into services.exe, an error popped up as the Code Integrity Guard (CIG) blocked the loaded unsigned binary. Untrusted binaries cannot be loaded or executed when the User-Mode Integrity check (UMIC) is enforced.

CIG blocks unsigned custom DLL (Source: Fortinet)

As a workaround, the following steps were performed which were done with the help of the documentation provided by Microsoft.

  1. Enable UMCI path exclusions.
  2. Enable UMCI audit mode.
  3. Before the exit of CI!CiInitializePolicy, CI!g_CiDeveloperMode|2 bitmask must be set.
  4. PsProtectedLight must be unset on the target process with the help of EPROCESS.Protection
  5. DisableDynamicCode and AuditDisableDynamicCode must be unset on the target process via EPROCESS.MitigationFlagsValues

After these steps, a custom DLL can be used to install a hook on the service host process which enables the monitoring of creation and termination of the target process.

In addition to this, a debugger must also be installed which will give complete control over the target process.

In order to capture the complete trace of the target process, the Windows Time-Travel-Debugger (TTD) is used. With a little research, researchers were able to craft a structure-aware fuzzer that can align the data in accordance with its format.

BaseHeader, UserHeader, and MessagePropertiesHeader are some of the main headers that must be used in an MSMQ packet. TransactionHeader, SecurityHeader, DebugHeader, SessionHeader are considered as additional headers that can exist along with the main headers.

The sequence of the Message packet headers (Source: Fortinet)

However, one of the critical vulnerabilities existed due to one of the message headers that does not have proper sanitization on the message header parser.

The message header parser will check the message packets with the sequence of the headers. This triggers an out-of-bound write vulnerability in the MSMQ.

Fortinet has published a complete report on these vulnerabilities. Microsoft has also released security patches for these vulnerabilities. Users of these services are recommended to update the Microsoft patches for preventing these vulnerabilities from getting exploited.

Protection Signatures

  • MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution
  • MS.Windows.Message.Queuing.Service.CVE-2023-28302.DoS
  • MS.Windows.Message.Queuing.Service.CVE-2023-21769.DoS
  • MS.Windows.MSMQ.CompoundMessage.Remote.Code.Execution

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.


Latest articles

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles