CVE CyberSecurity Database News

CVE-2023-36572 - Exploiting Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Explained

Poster -

---

When it comes to Windows security, vulnerabilities like CVE-2023-36572 can shake up organizations worldwide. This post dives deep into how the Microsoft Message Queuing (MSMQ) Remote Code Execution (RCE) flaw works, why it’s serious, and what an attack might look like—with code and real-world context.

What is CVE-2023-36572?

CVE-2023-36572 is a critical vulnerability affecting Microsoft Message Queuing (MSMQ), a built-in Windows service for enabling applications to communicate asynchronously. MSMQ helps applications pass messages even if they’re running at different times or locations.

A flaw in how MSMQ handles specially crafted packets lets attackers run their own code remotely on a vulnerable computer, potentially gaining full control. That means if you’re using Windows with MSMQ enabled (like many enterprise apps and servers do), this is a must-fix issue.

- Affected versions: Windows 10, 11, Server 2016/2019/2022 (when MSMQ is enabled)

CVSS Score: 9.8 (Critical)

- Official advisory: Microsoft Security Update Guide: CVE-2023-36572

How Does the Vulnerability Work?

MSMQ listens on TCP port 1801 for incoming connections. If an attacker sends a malicious packet to this port on a vulnerable system, they can exploit improper memory handling and effectively execute arbitrary code with the same privileges as the MSMQ service.

The Attack Flow

1. Attacker crafts a malformed message that triggers a buffer overflow or use-after-free in MSMQ's code.

Victim machine receives the message on TCP port 1801.

3. Arbitrary code runs: The attacker's payload is executed, possibly installing malware, opening backdoors, etc.

Key requirement: MSMQ must be enabled and externally accessible.

Who’s at Risk?

Most desktop Windows installs don’t have MSMQ enabled by default, but many business environments use it for messaging and queuing between apps or services.

- Any server or workstation with “Message Queuing” enabled is at risk if the service is exposed to untrusted networks (like the internet or untrusted LANs).
- You can check if MSMQ is running by looking for the service "Message Queuing" or checking if port 1801 is listening.

PowerShell

Get-WindowsFeature -Name MSMQ

If the output is “Installed”, your system uses MSMQ.

Command Prompt

netstat -an | find "1801"

If you see lines like TCP ...:1801 ... LISTENING, MSMQ is enabled and listening.

Exploit Example (for Educational Purposes Only)

_Security researchers_ have shown proof of concept (PoC) code for this bug, based on overlong or malformed packets sent directly to the MSMQ port.

Here’s a Python snippet showing how a (non-destructive) connection probe might look

import socket

host = 'target_ip_here'
port = 1801

# Basic TCP connection to MSMQ port
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))

# Construct a simple malformed MSMQ packet (not an actual exploit)
malformed_packet = b'\x00' * 600  # Oversized payload
sock.send(malformed_packet)

# Receive response (if any)
try:
    data = sock.recv(1024)
    print(data.hex())
except:
    print('No response or connection closed.')
sock.close()

A real exploit would use a very specific packet structure to abuse the vulnerability, but this demonstrates the principle: a malicious user can reach out and crash or compromise MSMQ remotely over the network.

How to Defend Yourself

1. Patch Immediately
Microsoft has released security updates. Install all November 2023 (and later) patches from Microsoft.

2. Disable MSMQ if Not Needed
Most environments do NOT require MSMQ enabled on every server or desktop.

Uninstall-WindowsFeature MSMQ

3. Block Port 1801
In firewalls and network devices, block TCP port 1801 from unwanted sources.

4. Monitor for Suspicious Connections
Watch your logs for unusual inbound connections on 1801.

Further Reading

- Official Microsoft Advisory for CVE-2023-36572
- NIST NVD CVE-2023-36572 entry
- Proof of Concept code on GitHub
- Detailed MSMQ Service Documentation

Conclusion

CVE-2023-36572 is a classic “network touch, you lose” bug. If you’re running Windows servers with MSMQ, treat this as a fire drill: patch, disable what you don’t use, and block risky ports. Modern attackers scan for vulnerabilities like this within hours after public disclosure, so don’t delay!

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 15:09:29 UTC