CVE CyberSecurity Database News

CVE-2023-36574 - How Hackers Can Exploit Microsoft Message Queuing Remote Code Execution Vulnerability

Poster -

*Published June 2024*


Microsoft Message Queuing (MSMQ) has been around since the ‘90s, helping Windows apps send messages even when disconnected. But in October 2023, a critical vulnerability—CVE-2023-36574—shook up the scene. Why? Hackers could potentially run code on your server remotely just by sending a special message. This post will break down the bug in simple terms, show you how the exploit works (with code!), and give maintenance teams the tools they need to lock things down.

[References & Useful Links](#references)

1. What is Microsoft Message Queuing?

MSMQ is a Windows feature that lets applications communicate by sending messages to each other through queues. You’ll see it used in finance, logistics, and sometimes as a relic in hospitals or banks.

> Imagine MSMQ as a mailroom in your company. Apps drop letters in, and the letter gets sent to the right department—even if the recipient is offline.


2. What is CVE-2023-36574?

On 10/10/2023, Microsoft published this advisory:

> "A remote code execution vulnerability exists in Microsoft Message Queuing when an attacker sends a specially crafted malicious MSMQ packet to an MSMQ server."

Translated: If MSMQ is enabled and your computer is reachable on the network, an attacker can send you a bad message and make your system execute their code—no login needed!

Affected versions:

Windows 10, Windows Server 2016, Windows Server 2019, Windows 11, … and others still running MSMQ.

3. How Does the Exploit Work?

MSMQ listens by default on TCP port 1801. The issue is in how MSMQ parses certain fields in incoming messages. If a hacker crafts a message that hits a bug—an integer overflow or buffer overflow—they can trick the server into running code smuggled inside that message.

Sends a specially crafted packet to MSMQ.

- The buggy MSMQ service processes the message, overwriting memory, leading to code execution under the service's privilege.


4. Proof-of-Concept Code Example

Here’s a sample Python snipplet that shows how an attacker might start probing for MSMQ servers and send raw packets:

import socket

# Target MSMQ server IP and port
target_ip = '192.168.56.101'
msmq_port = 1801

# Example of a suspiciously long message payload (buffer overflow attempt)
malicious_packet = b'\x00' * 2048  # Too large, triggers buggy behavior

print(f"[+] Connecting to {target_ip}:{msmq_port}")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, msmq_port))
sock.sendall(malicious_packet)
print("[+] Malicious MSMQ packet sent!")
sock.close()

> Warning: This code is for educational purposes, only on test systems you own! Using it elsewhere is illegal.

What makes a real working exploit?
A real attack would construct a highly specific MSMQ packet containing shellcode designed for the victim’s configuration. Some exploits use tools like Impacket's msrpc utilities to send fine-tuned messages.


Microsoft has released patches. You MUST

- Install the latest Windows security updates.

- If you don’t use MSMQ, disable it

- Control Panel > Programs > Turn Windows features on or off > Uncheck 'Microsoft Message Queue (MSMQ) Server'.

Run Get-WindowsFeature MSMQ* in PowerShell.

Microsoft Advisory:

MSRC CVE-2023-36574

Security Research:

Horizon3.ai Vulnerability Writeup (Oct 2023)

Technical Analysis:

ZDI blog on MSMQ RCEs

Impacket Library - For Message Crafting:

GitHub: fortra/impacket

Key Takeaway

CVE-2023-36574 is serious: If your systems run MSMQ and are reachable on the network, patch now or risk full takeover. Attackers need only a network connection to run code as SYSTEM—potentially letting ransomware, backdoors, or worms in.

Patch frequently, disable unneeded features, and block old ports!

Stay safe!
*If this was helpful, share it with your sysadmin or blue team.*

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 15:19:55 UTC