This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking

You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store-and-forward service for inter-process and inter-system communication. MSMQ has become something of a legacy product, but it is still available as an optional component in Windows. And in addition to other enterprise software solutions, Microsoft Exchange turns the service on by default. That’s why it’s a bit spooky that there’s a one-packet Remote Code Execution (RCE) vulnerability that was just patched in the service.

CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE, with a CVSS score of 9.8. It requires sending a single packet to the service on TCP port 1801. The Check Point Research team scanned for listening MSMQ endpoints on the public Internet and found approximately 360,000 of them. And no doubt far more are listening on internal networks. A one-packet exploit is a prime example of a wormable problem, and now that the story has broken and the patch is available, expect the patch to be reverse-engineered quickly. Beware, the queue jumpers are coming.

JavaScript VM Escape

The VM2 library is a rather important JavaScript package that sandboxes code, letting a project run untrusted code securely. Or, that’s the idea. CVE-2023-29017 is an example of how hard sandboxing is to get right. It’s another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.

This one now has public proof-of-concept code, and the package has over 16 million monthly installs, so the attack surface is potentially pretty wide. The flaw is fixed in version 3.9.15.

This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More

Code obfuscation has been around for a long time. The obfuscated C contest first ran way back in 1984, but there are examples of natural language obfuscation from way earlier in history. Namely Cockney rhyming slang, like saying “Lady from Bristol” instead of “pistol” or “lump of lead” instead of “head”. It’s speculated that Cockney was originally used to allow the criminal class to have conversations without tipping off police.

Code obfuscation in malware serves a similar purpose — hiding from security devices and applications. There are known code snippets and blacklisted IP addresses that anti-malware software scans for. If that known-bad code can be successfully obfuscated, it can avoid detection. This is a constant game of cat-and-mouse, as the deobfuscation code itself eventually makes the blacklist. That leads to new obfuscation techniques, sometimes quite off the wall. Well, this week I found a humdinger of an oddball approach: Morse code.

Yep, dots and dashes. The whole attack goes like this. You receive an email claiming to be an invoice. It’s a .xlsx.hTML file. If you don’t notice the odd file extension and actually let it open, you’re treated to a web page. The source of that page is a very minimal JS script that consists of a Morse code decoder and a payload encoded in Morse. In this case, the payload is simply a pair of external scripts that ask for an Office 365 login. The novel aspect of this is definitely the Morse code. Yes, our own [Danie] covered this earlier this week, but it was too good not to mention here.
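Since the interesting part of this sample is that the payload is hidden as a Morse string inside an otherwise tiny script, here is an analyst-side triage helper for exactly that shape of obfuscation. This is an added example, not code from the post or from the malware it describes: it scans HTML/JS text for quoted string literals built only from dots, dashes, spaces and slashes, decodes them with the standard international Morse table, and returns the decoded strings for inspection. The sample page, the variable names and the placeholder URL it decodes to are all constructed for the example.

```javascript
// Added example (not from the original post or the malware it describes):
// find Morse-looking string literals in HTML/JS and decode them, so a
// Morse-obfuscated payload can be inspected offline during triage.

// International Morse table: letters, digits, and the punctuation a URL needs.
const MORSE_TABLE = {
  ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
  "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
  "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
  "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
  "-.--": "y", "--..": "z",
  "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
  ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
  ".-.-.-": ".", "--..--": ",", "---...": ":", "-..-.": "/", "-....-": "-",
  "..--.-": "_", "..--..": "?", ".--.-.": "@", "-.--.": "(", "-.--.-": ")",
};

// Decode one Morse string. Symbols are separated by whitespace and a bare
// "/" token is a word separator. Unknown symbols become "?" and are counted,
// so the caller can judge whether the string really was Morse.
function decodeMorse(morse) {
  let unknown = 0;
  const text = morse.trim().split(/\s+/).map((tok) => {
    if (tok === "/") return " ";
    if (tok in MORSE_TABLE) return MORSE_TABLE[tok];
    unknown += 1;
    return "?";
  }).join("");
  return { text, unknown };
}

// Candidate: a quoted literal made only of Morse characters, long enough
// that an ellipsis or a short dashed separator does not qualify.
const CANDIDATE_RE = /["']([.\-\/ ]{12,})["']/g;

// Scan source text and return each Morse-looking literal with its decoding.
// Literals with a single token (e.g. a long row of dashes) or with too many
// undecodable tokens are dropped as noise.
function findMorseStrings(source, maxUnknownRatio = 0.2) {
  const hits = [];
  for (const m of source.matchAll(CANDIDATE_RE)) {
    const raw = m[1].trim();
    const tokens = raw.split(/\s+/);
    if (tokens.length < 4) continue;
    const { text, unknown } = decodeMorse(raw);
    if (unknown / tokens.length > maxUnknownRatio) continue;
    hits.push({ offset: m.index, raw, decoded: text });
  }
  return hits;
}

// Constructed sample in the shape the post describes (a page whose script
// carries a Morse-encoded string). The "payload" is a harmless placeholder
// URL, and the other literals show what the scanner must ignore.
const SAMPLE_HTML = `<html><body><script>
var payload = ".... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . .-.-.- -.-. --- --";
var label = "this is ordinary text, not Morse";
var rule = "------------------------";
</script></body></html>`;

// Usage: list every decoded Morse literal with its byte offset in the file.
for (const hit of findMorseStrings(SAMPLE_HTML)) {
  console.log(`offset ${hit.offset}: ${hit.decoded}`);
}
```

The heuristic is deliberately loose on the input side (anything that looks like a run of Morse symbols is a candidate) and strict on the output side (it must decode almost entirely to known symbols), which is the right trade-off for triage: an analyst would rather glance at a false positive than miss the one literal that decodes to the URLs the page loads next.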