Microsoft Message Queuing Service Flaw Allows DoS and RCE Attacks

Reports indicate that three critical flaws, including denial of service and remote code execution, have been discovered in the Microsoft Message Queuing Service (MSMQ).

These vulnerabilities existed in the message header parser, which accepted unsanitized, crafted input in one of the message header fields.

MSMQ was developed by Microsoft to let separately hosted applications communicate with each other in a restricted manner that does not affect the system.

MSMQ queues messages that cannot reach their destination and resends them when the destination systems become reachable.

Microsoft has released patches for these vulnerabilities.

CVE-2023-28302:

This is an out-of-bounds vulnerability that exists due to a lack of bounds checks: EodHeader, StreamIdSize, and OrderQueueSize are not validated, potentially leading to a Denial-of-Service attack. The CVSS score for this vulnerability is given as 7.5 (High).

CVE-2023-21554:

This is an out-of-bounds write vulnerability that exists due to the lack of bounds checks in CQmPacket::CQmPacket, which reads the message header without proper sanitization.

This could potentially lead to unauthenticated remote code execution. The CVSS score for this vulnerability is given as 9.8 (Critical).

CVE-2023-32057:

This is an out-of-bounds write vulnerability that exists due to a lack of bounds checks when reading message headers whose data structure has not been sanity-checked.

This could potentially lead to unauthenticated remote code execution. The CVSS Score for this vulnerability is given as 9.8 (Critical).

Technical Analysis

These flaws are reachable over TCP port 1801, the standard port used by MSMQ. An incoming message packet consists of required headers and many optional headers.

MQQL.DLL is responsible for parsing these message packets. The message header parser can handle concurrent messages, which makes it possible to fuzz it with many messages in parallel.

When the researchers injected a custom unsigned DLL into services.exe, an error popped up because Code Integrity Guard (CIG) blocked the unsigned binary from loading. Untrusted binaries cannot be loaded or executed while User-Mode Code Integrity (UMCI) is enforced.

CIG blocks unsigned custom DLL (Source: Fortinet)

As a workaround, the following steps were performed, guided by the documentation provided by Microsoft.

  1. Enable UMCI path exclusions.
  2. Enable UMCI audit mode.
  3. Before CI!CiInitializePolicy returns, the CI!g_CiDeveloperMode|2 bitmask must be set.
  4. PsProtectedLight must be unset on the target process via EPROCESS.Protection.
  5. DisableDynamicCode and AuditDisableDynamicCode must be unset on the target process via EPROCESS.MitigationFlagsValues.

After these steps, a custom DLL can be used to install a hook in the service host process, which enables monitoring of the creation and termination of the target process.

In addition, a debugger must be attached, which gives complete control over the target process.

To capture a complete trace of the target process, the Windows Time Travel Debugger (TTD) is used. With a little research, the researchers were able to craft a structure-aware fuzzer that aligns the data with the packet format.

BaseHeader, UserHeader, and MessagePropertiesHeader are the main headers that must be present in an MSMQ packet. TransactionHeader, SecurityHeader, DebugHeader, and SessionHeader are additional headers that can exist alongside the main headers.

The sequence of the Message packet headers (Source: Fortinet)

However, one of the critical vulnerabilities existed because one of the message headers is not properly sanitized by the message header parser.

The message header parser checks the message packets according to the sequence of headers. This triggers an out-of-bounds write vulnerability in MSMQ.
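The bounds checks whose absence is described for CVE-2023-28302 (unvalidated StreamIdSize and similar size fields) and for the header-sequence walk above, shown as an added example that is not Fortinet's or Microsoft's code. The header layout below is a constructed, simplified assumption for illustration and is not the real MSMQ wire format; the point is the two checks a hardened parser must make: every header's declared length against the bytes left in the packet, and every inner size field against its own header's payload.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed layout (assumption, NOT the real MSMQ format): each header is a
 * 1-byte type, a 2-byte little-endian payload length, then the payload.
 * Type 4 ("ordering") carries a 2-byte StreamIdSize followed by that many
 * bytes of stream id; this mirrors the unvalidated size fields in the text. */
enum { HDR_BASE = 1, HDR_USER = 2, HDR_PROPS = 3, HDR_ORDER = 4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of headers parsed, or a negative code:
 * -1 header prefix truncated or declared length runs past the packet,
 * -2 an inner size field exceeds its header's payload,
 * -3 a required header (Base, User, Props) is missing. */
int parse_packet(const uint8_t *pkt, size_t pkt_len) {
    size_t off = 0;
    int seen = 0, count = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 3) return -1;           /* not enough for a prefix */
        uint8_t type = pkt[off];
        uint16_t len = rd16(pkt + off + 1);
        off += 3;
        if (len > pkt_len - off) return -1;         /* outer bounds check */
        if (type == HDR_ORDER) {
            if (len < 2) return -2;
            uint16_t stream_id_size = rd16(pkt + off);
            if (stream_id_size > len - 2) return -2; /* inner bounds check */
        }
        if (type >= HDR_BASE && type <= HDR_PROPS) seen |= 1 << type;
        off += len;                                  /* safe: len already checked */
        count++;
    }
    return (seen == (2 | 4 | 8)) ? count : -3;
}

/* Constructed sample packets: one well-formed, one with an oversized
 * StreamIdSize that a parser without the inner check would trust. */
const uint8_t good_pkt[] = {
    1, 2, 0, 0xAA, 0xBB,            /* BaseHeader, 2-byte payload */
    2, 1, 0, 0x01,                  /* UserHeader, 1-byte payload */
    3, 0, 0,                        /* MessagePropertiesHeader, empty */
    4, 5, 0, 3, 0, 'a', 'b', 'c'    /* ordering: StreamIdSize=3 + 3 bytes */
};
const uint8_t bad_pkt[] = {
    1, 2, 0, 0xAA, 0xBB,
    2, 1, 0, 0x01,
    3, 0, 0,
    4, 5, 0, 0xFF, 0xFF, 'a', 'b', 'c' /* StreamIdSize=65535, only 3 present */
};
```

A parser that advanced by the declared length without the outer check, or copied StreamIdSize bytes without the inner check, would read or write past the packet buffer; the hardened version rejects both cases before touching the payload.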

Fortinet has published a complete report on these vulnerabilities, and Microsoft has released security patches for them. Users of this service are advised to apply the Microsoft patches to prevent these vulnerabilities from being exploited.

Protection Signatures

  • MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution
  • MS.Windows.Message.Queuing.Service.CVE-2023-28302.DoS
  • MS.Windows.Message.Queuing.Service.CVE-2023-21769.DoS
  • MS.Windows.MSMQ.CompoundMessage.Remote.Code.Execution


Eswar
