CVE CyberSecurity Database News

CVE-2023-36591 - Microsoft Message Queuing Remote Code Execution Vulnerability Explained

Poster -

---

What is CVE-2023-36591?

In October 2023, Microsoft patched a dangerous flaw known as CVE-2023-36591, impacting Microsoft Message Queuing (MSMQ). This bug lets attackers run code remotely on a vulnerable system — essentially letting them "hack in" without needing to log in or trick a user into clicking anything.

MSMQ is widely used for sending messages between applications across networks in Microsoft environments. Because MSMQ often runs with high privileges and is enabled by default on some servers, this vulnerability is pretty serious, especially in enterprise environments.

If you run Windows servers or services using MSMQ, this is one to take seriously.

How Does The Attack Work?

At its core, the vulnerability is a buffer overflow. MSMQ listens on TCP port 1801 by default. If an attacker can send a specially crafted network packet to this port, MSMQ processes the data incorrectly and overwrites its memory. This could allow the attacker to:

Potentially move laterally in your network

Attackers do NOT need valid credentials. The only requirement is that MSMQ is running and accessible on the network.

To check if MSMQ is running, open PowerShell and run

Get-Service | Where-Object { $_.DisplayName -like "*Message Queuing*" }

If you see "Message Queuing" listed and its status is Running, you are possibly vulnerable.

To check if port 1801 is open, run this in PowerShell

Test-NetConnection -ComputerName localhost -Port 1801

Technical Flow

The published details (Microsoft’s advisory) don't give away all the technicalities, but security researchers from ZDI’s blog and Morfius’s write-up explain more.

Proof-of-Concept (Simplified)

Below is a simple Python snippet sending odd data to port 1801. This is for education only! Do not use on networks you don’t own.

import socket

target_ip = "192.168.1.100" # Replace this with your target

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, 1801))

# Packet crafted to trigger the bug (dummy data for illustration)
payload = b"\x11" * 1024  # Too much data causes a heap overflow

s.send(payload)
s.close()

A real exploit would be more complex, but this kind of code can crash MSMQ. Attackers with skill can expand this to full code execution.

How To Protect Yourself

1. Patch — Microsoft fixed this in October 2023 (see patch details here). Deploy Windows updates now.

2. Restrict MSMQ Port 1801 — Use firewalls to block access to port 1801 from untrusted networks. Most users don’t need MSMQ exposed to the internet.

`

4. Monitor your network — Watch for unusual traffic to TCP 1801, especially from unknown sources. SIEM or log files may help detect scanning or attack attempts.

References & Further Reading

- Microsoft official advisory for CVE-2023-36591
- Zero Day Initiative’s deep dive
- Morfius PoC on GitHub
- Microsoft Message Queuing (MSMQ) documentation

Summary

CVE-2023-36591 is a critical bug in Microsoft Message Queuing that could allow attackers to take over Windows machines remotely, without credentials. Fixing it is as simple as patching your systems and locking down port 1801. MSMQ vulnerabilities like this remind us: unneeded services should be shut off, and security updates should never be delayed!

Stay safe, keep your systems patched, and always review old network services!

Timeline

Published on: 10/10/2023 18:15:14 UTC
Last modified on: 10/13/2023 19:00:28 UTC