Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

Attend webinar

Get Demo
Get Demo
April 20, 2023
,

Vulnerability Analysis: QueueJumper CVE-2023-21554

By: Randori Attack Team

Share on facebook
Share on twitter
Share on linkedin

What is QueueJumper (CVE-2023-21554)?

On April 11, 2023, Microsoft released a patch for an unauthenticated remote code execution (RCE) vulnerability in the Message Queuing (MSMQ) service, an optional Windows component. The vulnerability was assigned CVE-2023-21554. The issue was nicknamed QueueJumper by Check Point Research, one of the credited discoverers. MSMQ can be installed on a wide range of Windows operating systems, including server and desktop variants.

At the time of this writing, no public information was released that provides specific details about the flaw.

Key takeaways

  • The vulnerability appears to be exploitable remotely without authentication.
  • Randori successfully triggered the vulnerability in a lab environment.
  • No public proof of concept code is published at this time.
  • The vulnerable component is not present by default, but is commonly installed on Windows servers.

Analysis

MSMQ is not present on default installations of Windows, but is often installed on servers to enable asynchronous communication between applications. It can be installed a multitude of ways, including:

  • Automatically as a component in a larger application (Microsoft or otherwise)
  • Optionally as a non-required component of a larger application (Microsoft or otherwise)
  • Explicitly through the Control Panel
  • Manually through PowerShell CLI commands

After MSMQ is installed, a Windows Service is created that is set to automatically start the mqsvc.exe process with the privileges of the Network Service account.

General tab of Windows Service for Message Queuing service

Upon launch, this process was observed to bind to several TCP ports:

  • 1801
  • 2103
  • 2105
  • 2107
  • 50111

Depending on the sub-components that may be installed, other ports may be in use.

The flaws related to CVE-2023-21554 are reachable through port 1801, which communicates by using the Message Queuing Binary Protocol, which Microsoft refers to as MQQB.

During the parsing of various message types, assumptions in the code can be violated that will cause unexpected memory corruption issues. We are not discussing detailed information about the flaws in an effort to avoid enabling malicious attackers.

While we have not proven exploitation at this time, triggering the flaw is trivial and the implementation of the code indicates exploitation is possible given enough effort.

Detecting the presence of MSMQ

When connecting to the MSMQ on port 1801, no data is received. The service must be interrogated by using the MQQB protocol to elicit a response. The first example code that we noticed surface was published on GitHub on April 6. It involves sending a small, non-malicious message and looking for a magic value indicative of MSMQ in the reply.

Randori customers can use the platform to identify MSMQ in their environments by navigating to Targets > Configure View and choosing the “Service Name CONTAINS Message Queuing” filter to review any results.

Configure View dialog within Randori for MSMQ target Attacker's Perspective view within Randori for the MSMQ target with high attackability temptation rating

Applications that use MSMQ

Since MSMQ is used for communication between applications, it is often leveraged by both Microsoft and third-party products.

As Check Point Research mentioned on their blog post, the Microsoft Exchange installer presents an option to automatically include required features that deploy MSMQ. A brief search turns up a number of other vendors that mention MSMQ as a prerequisite, including but not limited to:

  • Citrix
  • ManageEngine
  • SAP
  • SolarWinds
  • Sophos
  • Trend Micro
  • Veritas

Indicators of attack and compromise

There are a number of artifacts that can be observed when interacting with MSMQ.

When probing for the presence of the service, the following artifacts were observed on the target system.

Message Queuing artifacts listed in local file directory

Additionally, MSMQ maintains a storage directory (commonly at C:\windows\system32\MSMQ\storage) that can contain artifacts including messages, log files, and metadata.

There are specific artifacts that are only created when the vulnerable code is triggered and a fault occurs. In a lab environment with no other dependent services installed, when the MSMQ crashes it will only start back up one time, as demonstrated in the following property pane screen capture.

Recovery tab of Windows Service for Message Queuing service

In production environments where MSMQ is part of a larger application stack, this might not be the case. It is possible that MSMQ is depended upon by other services that can detect the down state and relaunch. Each of these scenarios can leave indicators of attack or possible compromise.

When a malformed packet is sent to the MSMQ service, the process can crash and create a Windows Event 7034 from the Service Control Manager source with details that include: “The Message Queuing service terminated unexpectedly”.

Windows Event 7034

Additionally, when attempting to trigger the issue on patched systems, a Windows Event 2027 was observed in the Event Viewer from the MSMQ source with details that include: “A corrupted packet was encountered”.

Windows Event 2027

Timeline

4/11/2023: Microsoft released update to patch CVE-2023-21554.
4/11/2023: Check Point Research published a blog post about QueueJumper.

Sources

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.
Get Demo

Resources

Use Cases

COMPANY

RANDORI PLATFORM

Twitter Linkedin