PoC Exploit Released for Critical Microsoft Message Queuing RCE (CVE-2023-21554) Bug

Microsoft’s venerated Message Queuing service—MSMQ, an integral part of its Windows operating system, has been found to harbor a severe security vulnerability. Identified as CVE-2023-21554 and ranked with a high CVSS score of 9.8, this menace poses a critical threat to unbridled cyber-attacks, enabling hackers to execute arbitrary code remotely, and without any form of authentication.

This discovery was made by the vigilant team at Check Point Research, who responsibly disclosed the flaw to Microsoft. It was duly patched in the April Patch Tuesday update. However, the risk was far from eradicated.

MSMQ is a critical component of the Windows infrastructure—a message and development platform designed for creating loosely-coupled, distributed messaging applications. It ensures guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging. Its versatile capabilities allow applications to communicate across varied networks and even with offline computers. But, lurking beneath this veneer of utility was a sleeping dragon.

The vulnerability permitted an attacker to exploit the system through the TCP port 1801, potentially gaining control over the entire process by simply sending one malicious packet to this port, thereby triggering the vulnerability. This nefarious ability to remotely execute code without needing any form of authorization essentially threw open the floodgates to potential cyber-attacks.

To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side,” Microsoft wrote.

Providing an insightful technical analysis, researcher Zoemurmure developed a Proof-of-Concept (PoC) for exploiting the CVE-2023-21554 flaw. This PoC, once adjusted to the target machine’s IP address, could execute a process that caused the mqsvc.exe service process to collapse. However, the exploit’s insidious nature means there would be no evident dialogue information. One could only detect this anomaly via a process monitor, underlining the stealth with which this vulnerability operates.

A proof-of-concept (PoC) exploit code has been made available for the CVE-2023-21554 vulnerability, making it imperative that users move quickly to apply the patches.