Information

The out-of-bounds read exists in the kernel module “mqac.sys”, which backs the MSMQ service. The bugcheck below shows the faulting read in mqac!CPacketBuffer::OnDiskExtensionHeader, reached from ACDeviceControl via ACFreePacket while the driver handles a DeviceIoControl request issued by the user-mode MQQM process.

The vulnerability can be reproduced on all available Windows versions (client and server). The analysis below, however, was done on 32-bit Windows 10 with version 5.0.1.1 of “C:\Windows\System32\drivers\mqac.sys”.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

<<<<<<<<<<<<<<unnecessary information removed>>>>>>>>>>>>>>

TRAP_FRAME:  a80222e0 -- (.trap 0xffffffffa80222e0)
ErrCode = 00000000
eax=d95abc68 ebx=1d9f0024 ecx=749af8b5 edx=d95abc68 esi=0000ff00 edi=1d9f0004
eip=a7ad2bb8 esp=a8022354 ebp=a8022384 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
mqac!CPacketBuffer::OnDiskExtensionHeader+0x20:
a7ad2bb8 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:d95abc6c=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 854180cd to 8537d0b4

STACK_TEXT:  
a8021c74 854180cd 00000003 8fb5a037 00000065 nt!RtlpBreakWithStatusInstruction
a8021cc8 85417a99 8bb7c980 a80220b4 a8022178 nt!KiBugCheckDebugBreak+0x1f
a8022088 8537bae6 00000050 d95abc6c 00000000 nt!KeBugCheck2+0x79d
a80220ac 8537ba1d 00000050 d95abc6c 00000000 nt!KiBugCheck2+0xc6
a80220cc 852ed69a 00000050 d95abc6c 00000000 nt!KeBugCheckEx+0x19
a8022178 85273726 00000000 85273726 d95abc6c nt!MiSystemFault+0x86a
a8022248 853988f7 00000000 d95abc6c 00000000 nt!MmAccessFault+0x376
a8022248 a7ad2bb8 00000000 d95abc6c 00000000 nt!KiTrap0E+0x2c7
a8022354 a7ad2bda a7ae28e2 1d9f0000 a99b7180 mqac!CPacketBuffer::OnDiskExtensionHeader+0x20
a8022358 a7ae28e2 1d9f0000 a99b7180 a7aef000 mqac!CPacketBuffer::SubQueueHeader+0x10
a8022384 a7ad34c7 00000000 1d9f0000 00000000 mqac!CPacket::Done+0xba
a80223cc a7ad81f5 00000000 dc98dcf5 a6656558 mqac!ACFreePacket+0xd9
a8022440 8524ab98 96058cf8 919cb040 919cb040 mqac!ACDeviceControl+0x5d1
a802245c 85564864 919cb0b0 919cb040 00000000 nt!IofCallDriver+0x48
a80224a8 8556136b a6656558 00000000 00008b01 nt!IopSynchronousServiceTail+0x134
a8022578 855608aa 00000000 00000000 919cb0b0 nt!IopXxxControlFile+0xabb
a80225a4 853927bb 0000045c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a80225a4 77c92740 0000045c 00000000 00000000 nt!KiSystemServicePostCall
05c6f934 77c90e3a 6d06e1ad 0000045c 00000000 ntdll!KiFastSystemCallRet
05c6f938 6d06e1ad 0000045c 00000000 00000000 ntdll!NtDeviceIoControlFile+0xa
05c6f98c 6d04225e 00000001 93f06dbb 6d07a400 MQQM!QmAcFreePacket+0x35
05c6f9c4 6d04209c 0df1afc8 6d042040 6d042040 MQQM!CSockTransport::ReadCompleted+0x1bb
05c6f9dc 6d07a4c0 0df1afc8 93f06e63 6d07a400 MQQM!CSockTransport::ReceiveDataSucceeded+0x5c
05c6fa1c 7639cfc9 00000000 7639cfb0 05c6fa88 MQQM!ExpWorkingThread+0xc0
05c6fa2c 77c226b5 00000000 f5fc9aa0 00000000 KERNEL32!BaseThreadInitThunk+0x19
05c6fa88 77c22689 ffffffff 77ca5c98 00000000 ntdll!__RtlUserThreadStart+0x2b
05c6fa98 00000000 6d07a400 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b

<<<<<<<<<<<<<<unnecessary information removed>>>>>>>>>>>>>>

2: kd> .trap 0xffffffffa80222e0
ErrCode = 00000000
eax=d95abc68 ebx=1d9f0024 ecx=749af8b5 edx=d95abc68 esi=0000ff00 edi=1d9f0004
eip=a7ad2bb8 esp=a8022354 ebp=a8022384 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
mqac!CPacketBuffer::OnDiskExtensionHeader+0x20:
a7ad2bb8 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:d95abc6c=????????
2: kd> ub a7ad2bb8
mqac!CPacketBuffer::OnDiskExtensionHeader+0x7:
a7ad2b9f f7c600100000    test    esi,1000h
a7ad2ba5 7504            jne     mqac!CPacketBuffer::OnDiskExtensionHeader+0x13 (a7ad2bab)
a7ad2ba7 33c0            xor     eax,eax
a7ad2ba9 5e              pop     esi
a7ad2baa c3              ret
a7ad2bab e8befeffff      call    mqac!CPacketBuffer::GetSectionAfterSrmp (a7ad2a6e)
a7ad2bb0 f7c600080000    test    esi,800h
a7ad2bb6 740f            je      mqac!CPacketBuffer::OnDiskExtensionHeader+0x2f (a7ad2bc7)
2: kd> u a7ad2bb8
mqac!CPacketBuffer::OnDiskExtensionHeader+0x20:
a7ad2bb8 8b4804          mov     ecx,dword ptr [eax+4]
a7ad2bbb 0308            add     ecx,dword ptr [eax]
a7ad2bbd 03c8            add     ecx,eax
a7ad2bbf 3bc8            cmp     ecx,eax
a7ad2bc1 1bc0            sbb     eax,eax
a7ad2bc3 f7d0            not     eax
a7ad2bc5 23c1            and     eax,ecx
a7ad2bc7 5e              pop     esi


References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28302