MSMQ-Privilege-Escalation-Vulnerability

Unofficial Patch Tuesday – MSMQ Privilege Escalation Vulnerability Hotfix

Executive Summary

This security patch resolves a public vulnerability in the Windows Message Queuing Service (MSMQ) discovered by KoreLogic [1]. By default, the Message Queuing component is not installed and only Windows XP is affected. Since Microsoft stopped releasing security patches for Windows XP [2] and an exploit module is available in Metasploit [3], We have decided to release a Hotfix for this vulnerability to protect Windows XP users. The patch has been successfully tested on Windows XP SP3 and doesn't contain any malicious content.

UPDATE: The original version of the patch is not compatible with the /3GB boot parameter. The current version is compatible with the /3GB boot parameter. We would like to thanks to Mr. Patrik Horník from technology news site DSL.sk for reminding.

Microsoft doesn't plan to patch this vulnerability (from KoreLogic advisory):

msmq

How to apply a patch

1. Boot Windows XP in Safe mode [4]
2. Run python script(patch) [5]

Patch

#!/usr/bin/python
#
# MSMQ Privilege Escalation Vulnerability Hotfix - CVE-2014-4971
# 12th August 2014 - Alino from Citadelo - alino@citadelo.com
# 
# Disclaimer: Use this security patch at your own risk.
 
import os
import sys
import ctypes
import shutil
import hashlib
import platform
 
original = "7849c06480eeb96c0d06689e5db80ddcacc5dd077ce6dfa25ccb7bdf3378c962"
patched = "b014b913a1f913fad4d15cce9b27ff2b54f6f015c768b622c2baf049ca5f5b2e"
old_patch = "f481a1c6ea8508854ee8b4051d423679d58abb66586d904c7240b200fb109432"
 
driver = os.environ['WINDIR'] + "\\System32\\drivers\\mqac.sys"
driver_bck = os.environ['WINDIR'] + "\\System32\\drivers\\mqac.bck"
 
print "\n[*] MSMQ Privilege Escalation Vulnerability Hotfix - CVE-2014-4971"
print "[*] 12th August 2014 - Alino from Citadelo - alino@citadelo.com"
 
if platform.release() != "XP":
    sys.exit("\n[-] ERROR: This patch is for Windows XP!")
 
if ctypes.windll.user32.GetSystemMetrics(67) == 0:
    sys.exit("\n[-] ERROR: Must be run in Safe mode!")
 
if ctypes.windll.shell32.IsUserAnAdmin() != 1:
    sys.exit("\n[-] ERROR: You must have Administrator rights!")
 
if not os.path.exists(driver):
    sys.exit("\n[-] ERROR: Driver mqac.sys not found!")
 
hasher = hashlib.sha256()
with open(driver, "rb") as file:
    buffer = file.read()
    hasher.update(buffer)
 
if hasher.hexdigest() == patched:
    sys.exit("\n[-] ERROR: Already patched!")
 
if hasher.hexdigest() != original:
    if hasher.hexdigest() != old_patch:
        sys.exit("\n[-] ERROR: Wrong driver version! This patch is for version 5.1.0.1110")
 
shutil.copyfile(driver, driver_bck)
print "\n[*] Backup file mqac.bck created"
 
buffer = buffer[:0x138] + "\x0A\xE1\x01" + buffer[0x13B:] # PE CHECKSUM
buffer = buffer[:0x1EFA] + "\xE9\xDD\x18\x01\x00" + buffer[0x1EFF:] # JMP mqac!_alldiv+0x6
buffer = buffer[:0x1F32] + "\xEB\xC6" + buffer[0x1F34:] # JMP mqac!AC2QM+0x20
buffer = buffer[:0x137DC] + "\xE8\x00\x00\x00\x00\x5B\x8B\x5B\x73\x8B\x1B\x3B\xF3\xBB\x00\x00\x00\x00\x0F\x83\xE2\xE7\xFE\xFF\xE9\x3B\xE7\xFE\xFF" + buffer[0x137F9:] # CALL mqac!_alldiv+0xb; POP EBX; MOV EBX,DWORD PTR [EBX+73h]; MOV EBX,DWORD PTR [EBX]; CMP ESI,EBX; MOV EBX,0; JNB mqac!AC2QM+0xfc; JMP mqac!AC2QM+0x5a
 
f = open(driver , "wb")
f.write(buffer)
f.close()
 
print "[*] Driver sucessfully patched!"

Metasploit module will fail with patched driver:

msmq

Disclaimer

Use this security patch at your own risk.

Stay secure,
Alino, alino@citadelo.com

References:
1. https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt
2. http://windows.microsoft.com/en-us/windows/end-support-help
3. http://www.rapid7.com/db/modules/exploit/windows/local/mqac_write
4. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx

About the author

Citadelo
Citadelo
Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006
Show more from author

Related blogs

We found vulnerability of CMS Made Simple

Blog | | Citadelo
CMS Made Simple is a free, open source CMS to provide developers, programmers and site owners a web-based development and administration area. In 2010 it won the Packt Publishing annual award for open source content management.
Show

ExtendedMacro – BurpSuite plugin

Blog | | Citadelo
BurpSuite Proxy is one of the most used HTTP proxy application for web penetration testers. This tool is one of the best in its category, but sometimes we encounter a situation requiring additional functionality which is not provided by Burp itself.
Show

MODX Revolution CMS 2.5.6

Blog | | Citadelo
Modx Revolution is great CMS, that is Open Source, UX friendly and easy to use. However, in a version 2.5.6 and lower we have identified multiple vulnerabilities.
Show

WebsiteBaker CMS 2.10.0 – Multiple SQL Injection Vulnerabilities

Blog | | Citadelo
The vulnerability exists due to insufficient filtration of user-supplied data. By exploiting this vulnerability, an attacker gains access to all records stored in the database with the privileges of the WebsiteBaker database user
Show