What is QueueJumper (CVE-2023-21554)?
On April 11, 2023, Microsoft released a patch for an unauthenticated remote code execution (RCE) vulnerability in the Message Queuing (MSMQ) service, an optional Windows component. The vulnerability was assigned CVE-2023-21554. The issue was nicknamed QueueJumper by Check Point Research, one of the credited discoverers. MSMQ can be installed on a wide range of Windows operating systems, including server and desktop variants.
At the time of this writing, no public information has been released that provides specific details about the flaw.
Key takeaways
- The vulnerability appears to be exploitable remotely without authentication.
- Randori successfully triggered the vulnerability in a lab environment.
- No public proof of concept code is published at this time.
- The vulnerable component is not present by default, but is commonly installed on Windows servers.
Analysis
MSMQ is not present on a default installation of Windows, but is often installed on servers to enable asynchronous communication between applications. It can be installed in a number of ways, including:
- Automatically as a component of a larger application (Microsoft or otherwise)
- Optionally as a non-required component of a larger application (Microsoft or otherwise)
- Explicitly through Server Manager or the Control Panel (Turn Windows features on or off)
- Manually through PowerShell (Install-WindowsFeature on servers, Enable-WindowsOptionalFeature on clients)
After MSMQ is installed, a Windows service named MSMQ (display name "Message Queuing") is created, set to start automatically, that runs the mqsvc.exe process as the Network Service account.
Upon launch, this process was observed to bind to several TCP ports:
- 1801
- 2103
- 2105
- 2107
- 50111
Depending on the sub-components that may be installed, other ports may be in use.
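The checks above (feature installed, service account, listening ports) can be gathered in one pass. The following is an added example, not code from the original advisory; it assumes an elevated PowerShell session on the host being checked, uses Microsoft's own feature and service names, and the port list is the one given above.

```powershell
# Added example (not part of the original advisory): inventory MSMQ exposure on
# one Windows host. Assumes an elevated PowerShell 5.1+ session on that host.

function Get-MsmqInventory {
    # Component installed? Servers expose it as a role feature ("MSMQ"), client
    # SKUs as an optional feature ("MSMQ-Server"); use whichever cmdlet exists.
    $installed = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $installed = [bool](Get-WindowsFeature -Name MSMQ).Installed
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $installed = (Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server).State -eq 'Enabled'
    }

    # Service: state, start mode, logon account (expected NT AUTHORITY\NetworkService)
    # and the mqsvc.exe binary path.
    $svc = Get-CimInstance Win32_Service -Filter "Name='MSMQ'"
    $svcSummary = 'not present'
    $binary     = $null
    if ($svc) {
        $svcSummary = "$($svc.State) / $($svc.StartMode) / $($svc.StartName)"
        $binary     = $svc.PathName
    }

    # Listening sockets owned by the MSMQ process, plus any of the well-known
    # MSMQ ports regardless of owner, so a proxied listener still shows up.
    $knownPorts = 1801, 2103, 2105, 2107, 50111
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $knownPorts -or ($svc -and $_.OwningProcess -eq $svc.ProcessId) } |
        Select-Object LocalAddress, LocalPort, OwningProcess
    $listenerText = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) (pid $($_.OwningProcess))" }) -join ', '

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FeatureFound = $installed
        Service      = $svcSummary
        BinaryPath   = $binary
        Listeners    = $listenerText
        Port1801Open = [bool]($listeners | Where-Object LocalPort -eq 1801)   # the MQQB port
    }
}

Get-MsmqInventory | Format-List
```

Port1801Open is the field that matters for this CVE: a host where the feature is installed but mqsvc.exe is stopped, or bound only to an address the attacker cannot reach, is not exposed over MQQB. If the component is not needed, removing the feature (Uninstall-WindowsFeature MSMQ on servers) closes the port.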
The flaws related to CVE-2023-21554 are reachable through TCP port 1801, which carries the Message Queuing Binary Protocol, specified by Microsoft as MS-MQQB.
During the parsing of various message types, assumptions in the code can be violated in ways that cause memory corruption. We are not publishing detailed information about the flaws, in order to avoid enabling malicious attackers.
While we have not proven exploitation at this time, triggering the flaw is trivial, and the implementation of the code indicates that exploitation is possible given enough effort.
Detecting the presence of MSMQ
Connecting to MSMQ on port 1801 returns no banner; the service must be interrogated with an MQQB packet before it sends anything back. The first example code that we noticed surface was published on GitHub on April 6 (see Sources). It sends a small, non-malicious message and looks for a magic value indicative of MSMQ in the reply.
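The probe-and-check described above, as an added example that is not part of the original post and is not the GitHub script it mentions. It assumes only the 16-byte BaseHeader layout from the MS-MQQB specification (VersionNumber 0x10, Reserved, Flags, the "LIOR" signature, PacketSize, TimeToReachQueue; multi-byte fields little-endian). The probe packet itself is supplied by the caller, for example one captured from a legitimate MSMQ client session, so the script carries no MSMQ message body of its own; the self-check at the end runs on constructed bytes, not a real capture.

```powershell
# Added example (not from the original post or the cited gist): speak enough
# MQQB to tell MSMQ apart from any other listener on TCP/1801.
# BaseHeader (16 bytes, per MS-MQQB):
#   VersionNumber(1)=0x10  Reserved(1)  Flags(2)  Signature(4)="LIOR"
#   PacketSize(4)  TimeToReachQueue(4)            (little-endian throughout)

function New-MqqbBaseHeader {
    # Build the BaseHeader that every MQQB packet starts with.
    param([uint32]$PacketSize, [uint16]$Flags = 0, [uint32]$TimeToReachQueue = 0xFFFFFFFF)
    $h = New-Object byte[] 16
    $h[0] = 0x10                                        # VersionNumber, MUST be 0x10
    [BitConverter]::GetBytes($Flags).CopyTo($h, 2)
    [Text.Encoding]::ASCII.GetBytes('LIOR').CopyTo($h, 4)
    [BitConverter]::GetBytes($PacketSize).CopyTo($h, 8)
    [BitConverter]::GetBytes($TimeToReachQueue).CopyTo($h, 12)
    return ,$h
}

function Read-MqqbBaseHeader {
    # Parse a reply; returns $null unless it starts with a well-formed BaseHeader.
    param([byte[]]$Bytes)
    if ($Bytes.Count -lt 16) { return $null }
    if ($Bytes[0] -ne 0x10) { return $null }
    if ([Text.Encoding]::ASCII.GetString($Bytes, 4, 4) -ne 'LIOR') { return $null }
    [pscustomobject]@{
        Flags            = [BitConverter]::ToUInt16($Bytes, 2)
        PacketSize       = [BitConverter]::ToUInt32($Bytes, 8)
        TimeToReachQueue = [BitConverter]::ToUInt32($Bytes, 12)
    }
}

function Test-MsmqListener {
    # Connect, send the caller's probe, classify what comes back.
    param([string]$Target, [byte[]]$Probe, [int]$Port = 1801, [int]$TimeoutMs = 3000)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'closed or filtered' }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        # MSMQ sends no banner: a bare connect gets nothing back, we must talk first.
        $stream.Write($Probe, 0, $Probe.Count)
        $buf = New-Object byte[] 4096
        $n = $stream.Read($buf, 0, $buf.Count)
        if ($n -le 0) { return 'open, connection closed without reply' }
        $hdr = Read-MqqbBaseHeader -Bytes $buf[0..($n - 1)]
        if ($hdr) { return "MSMQ detected (MQQB reply, PacketSize=$($hdr.PacketSize))" }
        return 'open, reply is not MQQB'
    }
    catch [Net.Sockets.SocketException] { return "connect failed: $($_.Exception.Message)" }
    catch [IO.IOException]              { return 'open, no reply within timeout' }
    finally { $client.Close() }
}

# Offline self-check of the builder and parser on constructed bytes (not a capture).
$sample  = New-MqqbBaseHeader -PacketSize 64
$sample += [byte[]](1..48)                    # constructed padding to the declared size
if ((Read-MqqbBaseHeader $sample).PacketSize -ne 64) { throw 'BaseHeader self-check failed' }

# Live use, with $probeBytes holding a probe captured from a legitimate client:
# Test-MsmqListener -Target 'msmq-host.example' -Probe $probeBytes
```

Classifying on the "LIOR" signature rather than on "the port answered" is the point: an arbitrary service on 1801 will either stay silent or reply with something that fails the header check, so only a genuine MQQB reply is reported as MSMQ.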
Randori customers can use the platform to identify MSMQ in their environments by navigating to Targets > Configure View and choosing the “Service Name CONTAINS Message Queuing” filter to review any results.
Applications that use MSMQ
Since MSMQ is used for communication between applications, it is often leveraged by both Microsoft and third-party products.
As Check Point Research mentioned on their blog post, the Microsoft Exchange installer presents an option to automatically include required features that deploy MSMQ. A brief search turns up a number of other vendors that mention MSMQ as a prerequisite, including but not limited to:
- Citrix
- ManageEngine
- SAP
- SolarWinds
- Sophos
- Trend Micro
- Veritas
Indicators of attack and compromise
There are a number of artifacts that can be observed when interacting with MSMQ.
When probing for the presence of the service, the following artifacts were observed on the target system.
Additionally, MSMQ maintains a storage directory (commonly at C:\windows\system32\MSMQ\storage) that can contain artifacts including messages, log files, and metadata.
There are specific artifacts that are only created when the vulnerable code is triggered and a fault occurs. In a lab environment with no other dependent services installed, when MSMQ crashes it restarts only once, as demonstrated in the following property pane screen capture.
In production environments where MSMQ is part of a larger application stack, this might not be the case. Other services that depend on MSMQ may detect that it is down and relaunch it. Each of these scenarios can leave indicators of attack or possible compromise.
When a malformed packet is sent to the MSMQ service, the process can crash, which produces Event ID 7034 in the System log from the Service Control Manager source with details that include: “The Message Queuing service terminated unexpectedly”.
Additionally, when attempting to trigger the issue on patched systems, Event ID 2027 was observed in the Application log from the MSMQ source with details that include: “A corrupted packet was encountered”.
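Pulling those two event IDs, the service's restart behaviour and recent storage-directory activity together, as an added example that is not from the original advisory. It assumes an elevated PowerShell session on the MSMQ host; the lookback window and the storage path are parameters with the defaults shown, and the event IDs, log names and sources are the ones stated above.

```powershell
# Added example (not from the original advisory): collect the crash and
# corrupted-packet artifacts described above from one host, and report how the
# service would come back after a crash. Assumes an elevated session on the host.

function Get-MsmqAttackIndicators {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$StoragePath = "$env:SystemRoot\System32\msmq\storage"
    )

    # 7034 (System log, Service Control Manager): a service terminated unexpectedly.
    # Filter on the message text so crashes of unrelated services are not counted.
    $crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Message Queuing' }

    # 2027 (Application log, MSMQ source): "A corrupted packet was encountered",
    # the trace left when a malformed packet reaches a patched host.
    $corrupt = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSMQ'; Id = 2027; StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Recovery: SCM failure actions decide whether MSMQ restarts on its own (the
    # lab observation above was a single restart); dependent services may
    # relaunch it even when SCM will not.
    $recovery   = (& sc.exe qfailure MSMQ) -join "`n"
    $dependents = (Get-Service MSMQ -ErrorAction SilentlyContinue).DependentServices |
        Select-Object -ExpandProperty Name

    # Files touched in the storage directory (messages, log files, metadata).
    $storage = Get-ChildItem -Path $StoragePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, Length, LastWriteTime

    $first = @($crashes) + @($corrupt) | Sort-Object TimeCreated | Select-Object -First 1

    [pscustomobject]@{
        UnexpectedTerminations = @($crashes).Count     # 7034 hits naming Message Queuing
        CorruptedPacketEvents  = @($corrupt).Count     # 2027 hits
        FirstIndicator         = if ($first) { $first.TimeCreated } else { $null }
        RecoveryActions        = $recovery
        DependentServices      = $dependents -join ', '
        RecentStorageFiles     = $storage
    }
}

Get-MsmqAttackIndicators | Format-List
```

Read the two counters together: 2027 events with no 7034 events is the pattern for a patched host being probed, while 7034 events naming Message Queuing on a host that has not yet received the April 11 update, with or without a following automatic restart, warrant treating the host as under attack.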
Timeline
4/6/2023: An MSMQ detection script was published on GitHub (see Sources).
4/11/2023: Microsoft released an update to patch CVE-2023-21554.
4/11/2023: Check Point Research published a blog post about QueueJumper.
Sources
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
- https://exchange.xforce.ibmcloud.com/vulnerabilities/251594
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725576(v=ws.10)
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af
- https://gist.github.com/tothi/e9ad022453b713681faa684af9005bef
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms704178(v=vs.85)