To do so, an attacker would have to either:

a. Bypass any security restrictions on the system (such as User Account Control (UAC) settings) by leveraging another vulnerability.
b. Bypass System Integrity Protection (SIP) through a combination of techniques, including SYSTEM privileges, hooking the CreateRemoteThread call, or tricking the user into running code through social engineering.

On Windows systems, Trend Micro products with Sysmon enabled are able to detect and analyze system calls that have been tampered with, thus protecting the system from such attacks. If you use Sysmon on Windows systems, you are protected from this vulnerability. If you do not use Sysmon, there are two recommended mitigations:

a. Create a local user account that has the least privileges possible and does not have administrative rights.
b. Disable SIP on your system.

Note: We do not provide any specific mitigation or prevention advice for this vulnerability, but encourage users to follow best practices for securing their systems.

Vulnerability details

CVE-2022-41749 is a remote code execution vulnerability that affects the Message Queuing Service (MSMQ) on Windows systems. MSMQ is the service responsible for sending and receiving messages for .NET Framework and Windows COM applications.

If an attacker sends a specially crafted message to the MSMQ service, it could cause a memory corruption error that would allow them to execute arbitrary code.

For more information about this vulnerability, please check the following links:

CVE-2022-41749 - Wikipedia article
https://technet.microsoft.com/en-us/library/security/ms16-037.aspx#VulnerabilityDetails
Trend Micro Vulnerability Details - (Windows)
https://www.trendmicro.com/vinfo/us/security/vulnerabilities?vendor=MS&product=Windows%20Operating%20Systems&catid=5

Indicators of Compromise (IOCs)

The following are IOCs associated with this vulnerability:

a. For Windows systems, the following registry key exists:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "EnableLUA" = 0
b. A malicious file named "OemUpdater.exe", located in %system% (Windows systems only), is created by the attacker and can be used to install malware on the system and disable System Integrity Protection.

Vulnerability Details

A vulnerability has been identified in Windows that an attacker could use to run arbitrary code on a vulnerable system. This advisory has been updated with additional information and mitigation techniques.

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/11/2022 18:55:00 UTC

References