Unofficial Patch Tuesday – MSMQ Privilege Escalation Vulnerability Hotfix

Executive Summary

This security patch resolves a publicly disclosed vulnerability in the Windows Message Queuing service (MSMQ) discovered by KoreLogic [1]. By default, the Message Queuing component is not installed, and only Windows XP is affected. Since Microsoft has stopped releasing security patches for Windows XP [2] and an exploit module is available in Metasploit [3], we have decided to release a hotfix for this vulnerability to protect Windows XP users. The hotfix is a binary patch applied to the MSMQ kernel driver mqac.sys (version 5.1.0.1110). It has been successfully tested on Windows XP SP3 and does not contain any malicious content.

UPDATE: The original version of the patch was not compatible with the /3GB boot parameter (which moves the user/kernel address boundary from 0x80000000 to 0xC0000000). The current version is compatible with /3GB, and the script recognises a driver that carries the original version of the patch and upgrades it. We would like to thank Mr. Patrik Horník from the technology news site DSL.sk for pointing this out.

Microsoft does not plan to patch this vulnerability, as recorded in the KoreLogic advisory [1].

How to apply the patch

1. Boot Windows XP in Safe mode [4], so that the MSMQ driver is not loaded while its file is rewritten (the script refuses to run in a normal boot).
2. Run the Python script below (written for Python 2.x) with Administrator rights. It verifies the SHA-256 of mqac.sys, backs the driver up as mqac.bck and patches it in place.

Patch

#!/usr/bin/python
#
# MSMQ Privilege Escalation Vulnerability Hotfix - CVE-2014-4971
# 12th August 2014 - Alino from Citadelo - [email protected]
#
# Disclaimer: Use this security patch at your own risk.
#
# Python 2.x script: binary-patches mqac.sys (version 5.1.0.1110) in place and
# refreshes its PE checksum. Must be run as Administrator in Safe mode.
 
import os
import sys
import ctypes
import shutil
import hashlib
import platform
 
# SHA-256 of the unpatched driver, of the driver after this patch, and of the
# driver after the first (non-/3GB-compatible) version of the patch
original = "7849c06480eeb96c0d06689e5db80ddcacc5dd077ce6dfa25ccb7bdf3378c962"
patched = "b014b913a1f913fad4d15cce9b27ff2b54f6f015c768b622c2baf049ca5f5b2e"
old_patch = "f481a1c6ea8508854ee8b4051d423679d58abb66586d904c7240b200fb109432"
 
driver = os.environ['WINDIR'] + "\\System32\\drivers\\mqac.sys"
driver_bck = os.environ['WINDIR'] + "\\System32\\drivers\\mqac.bck"
 
print "\n[*] MSMQ Privilege Escalation Vulnerability Hotfix - CVE-2014-4971"
print "[*] 12th August 2014 - Alino from Citadelo - [email protected]"
 
if platform.release() != "XP":
    sys.exit("\n[-] ERROR: This patch is for Windows XP!")
 
# SM_CLEANBOOT (67): 0 = normal boot, 1 = Safe mode, 2 = Safe mode with networking
if ctypes.windll.user32.GetSystemMetrics(67) == 0:
    sys.exit("\n[-] ERROR: Must be run in Safe mode!")
 
if ctypes.windll.shell32.IsUserAnAdmin() != 1:
    sys.exit("\n[-] ERROR: You must have Administrator rights!")
 
if not os.path.exists(driver):
    sys.exit("\n[-] ERROR: Driver mqac.sys not found!")
 
hasher = hashlib.sha256()
with open(driver, "rb") as file:
    buffer = file.read()
    hasher.update(buffer)
digest = hasher.hexdigest()
 
if digest == patched:
    sys.exit("\n[-] ERROR: Already patched!")
 
# A driver carrying the old patch version is accepted: the writes below replace it.
if digest != original and digest != old_patch:
    sys.exit("\n[-] ERROR: Wrong driver version! This patch is for version 5.1.0.1110")
 
# Keep an existing backup: when the old patch version is being upgraded, mqac.bck
# already holds the unpatched driver and must not be overwritten.
if os.path.exists(driver_bck):
    print "\n[*] Backup file mqac.bck already exists, keeping it"
else:
    shutil.copyfile(driver, driver_bck)
    print "\n[*] Backup file mqac.bck created"
 
# 1. Low three bytes of the PE header checksum of the modified image
buffer = buffer[:0x138] + "\x0A\xE1\x01" + buffer[0x13B:] # PE CHECKSUM
# 2. Hook: jump from AC2QM+0x20 into the code cave at 0x137DC (mqac!_alldiv+0x6)
buffer = buffer[:0x1EFA] + "\xE9\xDD\x18\x01\x00" + buffer[0x1EFF:] # JMP mqac!_alldiv+0x6
# 3. Short jump back to the hook site
buffer = buffer[:0x1F32] + "\xEB\xC6" + buffer[0x1F34:] # JMP mqac!AC2QM+0x20
# 4. Code cave: get EIP via CALL/POP, fetch a limit through a pointer in the image,
#    unsigned-compare the address in ESI against it, bail out to AC2QM+0xfc if ESI
#    is not below the limit, otherwise resume at AC2QM+0x5a
buffer = buffer[:0x137DC] + "\xE8\x00\x00\x00\x00\x5B\x8B\x5B\x73\x8B\x1B\x3B\xF3\xBB\x00\x00\x00\x00\x0F\x83\xE2\xE7\xFE\xFF\xE9\x3B\xE7\xFE\xFF" + buffer[0x137F9:] # CALL mqac!_alldiv+0xb; POP EBX; MOV EBX,DWORD PTR [EBX+73h]; MOV EBX,DWORD PTR [EBX]; CMP ESI,EBX; MOV EBX,0; JNB mqac!AC2QM+0xfc; JMP mqac!AC2QM+0x5a
 
with open(driver, "wb") as f:
    f.write(buffer)
 
print "[*] Driver successfully patched!"
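The hotfix hard-codes the new PE checksum bytes because it targets one exact driver build, and Windows checks that field when it loads a kernel-mode image. The following Python 3 example, added here and not part of Citadelo's hotfix, shows where such a value comes from: it implements the PE image checksum algorithm (the one imagehlp's CheckSumMappedFile uses), a generic offset patcher that applies a list of byte patches and refreshes the checksum, and a SHA-256 gate like the script's version check. The helper names are mine, and the input is a constructed PE-shaped buffer, not a real driver.

```python
"""Recompute the PE image checksum after binary-patching a driver.

Added example (Python 3); not part of the Citadelo hotfix. Helper names are
mine; the image built below is a constructed PE-shaped buffer, not a driver.
"""
import hashlib
import struct


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (COFF header) + 0x40 (field offset)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    off = e_lfanew + 0x58
    if off % 4:
        raise ValueError("CheckSum field is not dword-aligned")
    return off


def pe_checksum(data):
    """CheckSumMappedFile algorithm: sum every little-endian dword of the file
    (the CheckSum field itself counts as zero), carry overflow back into the
    low bits, fold to 16 bits and add the file size."""
    skip = checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # a trailing partial dword is zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def verify_checksum(data):
    return stored_checksum(data) == pe_checksum(data)


def fix_checksum(data):
    """Return a copy of the image with CheckSum set to the computed value."""
    off = checksum_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data)) + data[off + 4:]


def apply_patches(data, patches, expected_sha256=None):
    """Apply (file_offset, bytes) patches and refresh CheckSum. As in the
    hotfix, refuse to touch an image whose SHA-256 is not the one the patch
    was written for: the offsets only hold for that exact build."""
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256:
        raise ValueError("image is not the expected build; offsets would be wrong")
    out = bytearray(data)
    for off, blob in patches:
        if off + len(blob) > len(out):
            raise ValueError("patch at 0x%X runs past the end of the image" % off)
        out[off:off + len(blob)] = blob
    return fix_checksum(bytes(out))


def build_sample_image():
    """Constructed input: 0xB0 bytes with an 'MZ' stub, e_lfanew = 0x40, the
    PE signature and otherwise zeroed headers. CheckSum sits at 0x98; the
    bytes from 0x9C on stand in for code to be patched."""
    img = bytearray(0xB0)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    image = fix_checksum(build_sample_image())
    # A five-byte JMP stub at 0xA0, like the hotfix's hook at AC2QM+0x20
    patched = apply_patches(image, [(0xA0, b"\xE9\x10\x00\x00\x00")],
                            expected_sha256=sha256_hex(image))
    print("checksum before: 0x%04X, after: 0x%04X, valid: %s"
          % (stored_checksum(image), stored_checksum(patched),
             verify_checksum(patched)))
```

The hotfix writes "\x0A\xE1\x01" at 0x138, the low three bytes of the checksum for that one build; apply_patches derives the value for any image, and the expected_sha256 gate mirrors the script's refusal to patch an unknown driver version, since the offsets are meaningless for any other build.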

With the patched driver in place, the Metasploit module [3] fails.

Disclaimer

Use this security patch at your own risk.

Stay secure,
Alino, [email protected]

References:
1. https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt
2. http://windows.microsoft.com/en-us/windows/end-support-help
3. http://www.rapid7.com/db/modules/exploit/windows/local/mqac_write
4. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx

About the author

Citadelo
Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006.