Vulnerability in Message Queuing Allows Code Execution (MS05-017)
13 Apr. 2005
Summary
"Microsoft Message Queuing technology enables applications that are running at different times to communicate across heterogeneous networks and across systems that may be temporarily offline. Applications send messages to queues and read messages from queues. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios."
A remote code execution vulnerability exists in the Message Queuing component. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually installed the Message Queuing component could be vulnerable to this issue.
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium). (Download the update)
* Microsoft Windows 98 and Microsoft Windows 98 Second Edition (SE).
Immune Systems:
* Microsoft Windows XP Service Pack 2.
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium).
* Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1.
* Microsoft Windows Server 2003 for Itanium-based Systems.
* Microsoft Windows Millennium Edition (ME).
Mitigating Factors for Message Queuing Vulnerability:
* By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue.
* Message Queuing installations that expose only MSMQ HTTP Message Delivery to the Internet are not vulnerable.
* For customers that require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Workarounds for Message Queuing Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Block the following at the firewall.
* UDP ports 135, 137, 138, 445, 1801, and 3527, and TCP ports 135, 139, 445, 593, 1801, 2101, 2103, 2105, and 2107.
* All unsolicited inbound traffic on ports greater than 1024.
* Any other specifically configured RPC port.
These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site.
Remove Message Queuing if you do not need it.
If you no longer need Message Queuing, remove it. To do this, follow these steps. These steps apply only to Windows XP Service Pack 1. For Windows 2000, follow the procedure that is included in the product documentation.
Note Special permissions may be required to remove Message Queuing. For more information, see the following Message Queuing documentation.
1. Click, Start, and then click Control Panel.
2. Double-click, Add or Remove Programs.
3. In the default Category View, click Add or Remove Programs.
4. Click Add/Remove Windows Components.
5. On the Windows Components Wizard page, under Components, click to clear the Message Queuing check box to remove Message Queuing, and then click Next.
6. Complete the Windows Components Wizard by following the instructions on the screen.
Impact of Workaround: Many organizations require Message Queuing to perform important functions. Administrators should not remove Message Queuing unless they fully understand the effect that doing this will have on their environment. For more information about Message Queuing, see the Message Queuing product documentation.
FAQ for Message Queuing Vulnerability: Q. What is the scope of the vulnerability?
A. This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Q. What causes the vulnerability?
A. An unchecked buffer in the Message Queuing component.
Q. What is Message Queuing?
A. Microsoft Message Queuing technology enables applications that are running at different times to communicate across heterogeneous networks and across systems that may be temporarily offline. Applications send messages to queues and read messages from queues. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios. For more information about Message Queuing, see the Message Queuing product documentation.
Q. What Microsoft applications use Message Queuing?
A. Message Queuing must be installed before you can install BizTalk Server 2000 or BizTalk Server 2002. Message Queuing is an optional component that can be used by BizTalk Server 2004. Other Microsoft applications and third-party applications may also use Message Queuing.
Q. What might an attacker use the vulnerability to do?
A. An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Q. Who could exploit the vulnerability?
A. Any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.
Q. How could an attacker exploit the vulnerability?
A. An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.
Q. What systems are primarily at risk from the vulnerability?
A. All systems that have Message Queuing installed are at risk from this vulnerability. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue.
Q. Could the vulnerability be exploited over the Internet?
A. Yes. An attacker could try to exploit this vulnerability over the Internet by using RPC ports. Most Message Queuing deployments that are available through the Internet use the MSMQ HTTP Message Delivery component which is not vulnerable to this issue. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet that use RPC.
Q. What does the update do?
A. The update removes the vulnerability by modifying the way that Message Queuing validates the length of a message before it passes the message to the allocated buffer.
Q. When this security bulletin was issued, had this vulnerability been publicly disclosed?
A. No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
Q. When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
A. No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
