Microsoft Message Queuing: Exploitable Vulnerabilities Enabling Remote Code Execution and DoS Attacks

FortiGuard has discovered exploitable vulnerabilities in Microsoft Message Queuing that allow remote code execution (RCE) and denial of service (DoS) on Microsoft Windows.

The flaws FortiGuard discovered in the Microsoft Message Queuing (MSMQ) service were among the vulnerabilities Microsoft patched in the cumulative updates it released in April and July 2023.

Figure: A custom unsigned DLL loaded in the protected service process. Image source: FortiGuard.

Microsoft released the patches because the issue was rated critical: it affects any Windows system with the Message Queuing service installed. The impact falls into two major categories: remote code execution (RCE) and denial of service (DoS).

Delving into the Attack Surface of MSMQ:

Before delving into the attack surface, we need to understand what the MSMQ (Microsoft Message Queuing) service is.

MSMQ is an acronym for “Microsoft Message Queuing.” It is a messaging protocol developed and owned by Microsoft that allows applications running on different endpoint devices (computers) to communicate with each other by sending messages to queues.

Messages typically carry data, commands, or reports. They are stored in a queue, so that a message that cannot immediately reach its destination is held until the receiving application retrieves and processes it.

 MSMQ provides reliable message delivery and supports both local and remote communication between applications in a distributed environment. It is commonly used in enterprise systems and for inter-process communication in Windows-based applications.

It runs as a standalone Windows service executable, MQSVC.EXE, with its functionality split between a kernel-mode component (MQAC.SYS) and a user-mode component (MQQM.DLL).

FortiGuard summarised the ports the service opens, and the protocol operation each one carries, in the table below:

Table: TCP (Transmission Control Protocol) and RPC (Remote Procedure Call) ports opened by the Microsoft Message Queuing service, from FortiGuard's vulnerability research.

FortiGuard's research, which enumerates the ports the service opens, shows that most of the attack surface is reachable remotely by threat actors.

FortiGuard stated:

“In other words, any security vulnerability discovered from these identified attack surfaces could have a severe security impact, from remote Denial of Service (DOS) to remote code Execution.”

The cybersecurity company's research team uncovered three issues, all associated with port 1801 and caused by the message header parsing routines implemented in MQQM.DLL.

They further stated:

“However, our attempts to identify security issues through the RPC (Remote Procedure Call) interface have yet to yield results.”

Their research found that fuzzing the message header parser was straightforward, because the parser runs in multiple threads and handles concurrent messages independently.

Also, no global state is carried between packets, so sending malformed packets does not skew the results of later fuzz cases.

FortiGuard added:

“However, the challenge is that the target is running on a remote service process, and we need to monitor the target service process when it crashes. When the crash happens, a manual process restart is required as the Windows automatic service restart is not persistent. This is necessary to ensure a persistent fuzzing operation that can run continuously.”

Summary of the Discovered Vulnerabilities:

The denial of service occurs when an out-of-bounds read accesses an invalid address. FortiGuard released the IPS signature MS.Windows.Message.Queuing.Service.CVE-2023-28302.Dos to detect the issue.

The remote code execution results from some message header fields not being validated. An attacker can adjust a pointer to an arbitrary location, possibly an invalid address, so that memory corruption occurs when the message header pointer is dereferenced later in the code. FortiGuard released the IPS signature MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution to detect this issue.
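As an added example (not code from the article or from FortiGuard's research), the following PowerShell check inventories the attack surface described above on a single host: whether the service behind MQSVC.EXE is installed, whether TCP 1801 is listening and on which addresses, and which build of the user-mode parser component MQQM.DLL is present so it can be compared with the April and July 2023 updates. It assumes the Windows service name is MSMQ and that mqqm.dll lives under System32.

```powershell
# Added example, not FortiGuard's or the article's code. Assumptions: the Windows
# service hosting MQSVC.EXE is named "MSMQ" and mqqm.dll lives under System32.

function Get-MsmqExposure {
    $result = [ordered]@{ ServicePresent = $false; ServiceStatus = $null;
                          Listening1801 = @();     MqqmVersion   = $null }

    # 1. Is the Message Queuing service installed at all?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]$result }   # no MSMQ, no attack surface
    $result.ServicePresent = $true
    $result.ServiceStatus  = $svc.Status

    # 2. Is TCP 1801 (the port the header-parser issues were found on) listening,
    #    and on which local addresses? 0.0.0.0 or :: means every interface.
    $conns = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $result.Listening1801 += [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            Pid          = $c.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    # 3. Record the user-mode parser component's file version so it can be
    #    compared with the build delivered by the April/July 2023 updates.
    $dll = Join-Path $env:SystemRoot 'System32\mqqm.dll'
    if (Test-Path $dll) {
        $result.MqqmVersion = (Get-Item $dll).VersionInfo.FileVersion
    }
    return [pscustomobject]$result
}

$exposure = Get-MsmqExposure
$exposure | Format-List
if ($exposure.Listening1801 | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }) {
    Write-Warning 'MSMQ is reachable on all interfaces; confirm host firewall rules and patch level.'
}
```

Run it from an elevated prompt so Get-NetTCPConnection can resolve the owning process; a host where the service is absent reports ServicePresent as False and needs no further action for these CVEs.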

Fortinet also stated that customers using FortiDAST can detect the vulnerabilities in their assets, and that the protection signatures released earlier for these vulnerabilities protect its customers. FixitgearwareSecurity readers can find more details on the vulnerabilities on the Fortinet blog.
