The out-of-bounds write occurs in the “MQQM!CQmPacket::CQmPacket()” function. As the crash dump below shows, the constructor takes a pointer returned by MQQM!SafeAddPointers and immediately stores through it without checking it against the bounds of the received message; in the captured crash that pointer (esi) lies outside any mapped memory, so the first store faults. Later in the same function it is possible to overwrite arbitrary memory, potentially allowing an attacker to achieve remote code execution in the context of the “mqsvc.exe” process (the Message Queuing service).

The vulnerability reproduces on all available Windows versions (client and server). The analysis below, however, was done on 32-bit Windows 10 with version of “C:\Windows\System32\mqqm.dll”. The following WinDbg output was captured at the first-chance access violation raised by the faulting store:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=089a6ff0 ecx=00000000 edx=09650024 esi=c520be5c edi=0648fc24
eip=7a75d86a esp=0648fbd8 ebp=0648fbf4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
7a75d86a 83660400        and     dword ptr [esi+4],0  ds:0023:c520be60=????????
0:008> ub eip
7a75d84c 2414            and     al,14h
7a75d84e e87af2ffff      call    MQQM!SafeAddPointers (7a75cacd)
7a75d853 8bf0            mov     esi,eax
7a75d855 8b5d18          mov     ebx,dword ptr [ebp+18h]
7a75d858 85db            test    ebx,ebx
7a75d85a 0f84ac000000    je      MQQM!CQmPacket::CQmPacket+0x6ab (7a75d90c)
7a75d860 837d1c00        cmp     dword ptr [ebp+1Ch],0
7a75d864 0f85a2000000    jne     MQQM!CQmPacket::CQmPacket+0x6ab (7a75d90c)
0:008> u eip
7a75d86a 83660400        and     dword ptr [esi+4],0
7a75d86e 8d542410        lea     edx,[esp+10h]
7a75d872 83660800        and     dword ptr [esi+8],0
7a75d876 c7060c000000    mov     dword ptr [esi],0Ch
7a75d87c 6a02            push    2
7a75d87e 897760          mov     dword ptr [edi+60h],esi
7a75d881 8b06            mov     eax,dword ptr [esi]
7a75d883 59              pop     ecx
0:008> k
 # ChildEBP RetAddr      
00 0648fbf4 7a774298     MQQM!CQmPacket::CQmPacket+0x609
01 0648fd3c 7a771c0b     MQQM!CSockTransport::HandleReceiveUserMsg+0x45
02 0648fd94 7a772160     MQQM!CSockTransport::ReadUserMsgCompleted+0x8b
03 0648fdcc 7a77209c     MQQM!CSockTransport::ReadCompleted+0xbd
04 0648fde4 7a7aa4c0     MQQM!CSockTransport::ReceiveDataSucceeded+0x5c
05 0648fe24 768bcfc9     MQQM!ExpWorkingThread+0xc0
06 0648fe34 77ba26b5     KERNEL32!BaseThreadInitThunk+0x19
07 0648fe90 77ba2689     ntdll!__RtlUserThreadStart+0x2b
08 0648fea0 00000000     ntdll!_RtlUserThreadStart+0x1b
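To make the pattern concrete, the following C program is an added illustration and is not MSMQ's code. A section offset taken from the packet is turned into a pointer by a helper that, for the sake of the example, is assumed to behave like an overflow-only SafeAddPointers (it rejects address wrap-around but knows nothing about where the received data ends), and the parser then zeroes two fields and stores a type value through that pointer, mirroring the three stores at 7a75d86a, 7a75d872 and 7a75d876 in the disassembly above. The packet layout, field names, lengths, sentinel value and the hardened check are all assumptions made for the example; the vulnerable parser is run against an oversized backing allocation so the out-of-bounds write can be observed rather than crashing the process.

```c
/* Added illustration, not MSMQ's code: an attacker-supplied offset becomes a
 * pointer through a wrap-only helper and is then written through unchecked. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN      64     /* bytes actually received (constructed value) */
#define BACKING_LEN  4096   /* larger allocation so the OOB write is observable */
#define SENTINEL     0xAA   /* fill byte placed beyond the received packet */

typedef struct {                /* hypothetical wire header */
    uint32_t magic;
    uint32_t section_offset;    /* attacker-controlled */
} pkt_hdr_t;

typedef struct {                /* hypothetical in-packet section */
    uint32_t type;              /* mov dword ptr [esi],0Ch   */
    uint32_t a;                 /* and dword ptr [esi+4],0   */
    uint32_t b;                 /* and dword ptr [esi+8],0   */
} section_t;

/* Stand-in for SafeAddPointers (assumed behaviour): refuses pointer
 * wrap-around but has no notion of the buffer's end. */
static uint8_t *safe_add_pointers(uint8_t *base, uint32_t off)
{
    uintptr_t b = (uintptr_t)base;
    if (b + off < b)
        return NULL;            /* only an overflow check */
    return base + off;
}

/* Vulnerable pattern: the helper's result is trusted and written through. */
static int parse_vulnerable(uint8_t *buf, size_t len)
{
    if (len < sizeof(pkt_hdr_t))
        return -1;
    pkt_hdr_t *h = (pkt_hdr_t *)buf;
    section_t *s = (section_t *)safe_add_pointers(buf, h->section_offset);
    if (!s)
        return -1;
    s->a = 0;                   /* lands wherever section_offset points */
    s->b = 0;
    s->type = 0xC;
    return 0;
}

/* Hardened form: bound the offset by the received length (and alignment)
 * before forming the pointer; subtracting on the right avoids wrap. */
static int parse_hardened(uint8_t *buf, size_t len)
{
    if (len < sizeof(pkt_hdr_t) + sizeof(section_t))
        return -1;
    pkt_hdr_t *h = (pkt_hdr_t *)buf;
    uint32_t off = h->section_offset;
    if (off < sizeof(pkt_hdr_t) || off > len - sizeof(section_t) || off % 4)
        return -1;
    section_t *s = (section_t *)(buf + off);
    s->a = 0;
    s->b = 0;
    s->type = 0xC;
    return 0;
}

/* Runs one parser on a constructed packet with the given section offset.
 * Sets *accepted, and returns 1 if any byte beyond PKT_LEN was modified
 * (i.e. an out-of-bounds write occurred), else 0. */
static int run_demo(int (*parse)(uint8_t *, size_t), uint32_t off, int *accepted)
{
    static uint8_t backing[BACKING_LEN];
    memset(backing, SENTINEL, sizeof backing);
    pkt_hdr_t h = { 0x51534d4du, off };      /* constructed header */
    memcpy(backing, &h, sizeof h);
    *accepted = (parse(backing, PKT_LEN) == 0);
    for (size_t i = PKT_LEN; i < BACKING_LEN; i++)
        if (backing[i] != SENTINEL)
            return 1;
    return 0;
}

/* Each returns 1 when the parser behaves as described. */
int vulnerable_writes_past_packet(void)
{
    int accepted;
    int oob = run_demo(parse_vulnerable, 1024, &accepted);
    return accepted && oob;     /* accepted the packet and clobbered the sentinel */
}

int hardened_rejects_bad_offset(void)
{
    int accepted;
    int oob = run_demo(parse_hardened, 1024, &accepted);
    return !accepted && !oob;   /* refused, nothing written beyond the packet */
}

int hardened_accepts_good_offset(void)
{
    int accepted;
    int oob = run_demo(parse_hardened, 16, &accepted);
    return accepted && !oob;    /* in-bounds section is still processed */
}

int main(void)
{
    printf("vulnerable OOB write:   %d\n", vulnerable_writes_past_packet());
    printf("hardened rejects OOB:   %d\n", hardened_rejects_bad_offset());
    printf("hardened accepts valid: %d\n", hardened_accepts_good_offset());
    return 0;
}
```

The point of the comparison is that an overflow check on the pointer arithmetic alone says nothing about whether the result lies inside the received message; the bound has to be taken against the length that actually arrived on the socket, before the pointer is formed and before anything is stored through it.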