Full Report
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below, built a tool, punch-q, so you don’t have to go through the same, and included some info for blue teams, including an osquery extension. Depending on how old a version you are working with, or which document you read online, you might know IBM’s Message Queue solution as MQSeries, WebSphere MQ or IBM MQ, the last being the name it got around 2014 with the release of version 8. Nonetheless, in the last few months I have come across a number of distinct instances of MQ, each used in its own interesting way for arbitrary systems integrations. Be it for simple messages being passed around or to facilitate file transfers, MQ played a significant role in the overall business processes these companies had. In order to help me understand the technology better, I found some prior research by the folks at MWR, with a very informative talk at Defcon 15 called MQ Jumping. A subsequent white paper was released and is definitely worth a read.
Analysis Summary
# Tool/Technique: punch-q
## Overview
`punch-q` is a custom tool developed to facilitate the exploitation and abuse of IBM MQ (Message Queue) services. The tool grew out of security assessments in which the author needed to interact with MQ deployments that organisations used for arbitrary systems integrations, typically to inject messages or to move files through the queues. The tool also includes defensive components, such as an osquery extension for blue teams.
## Technical Details
- Type: Tool
- Platform: Systems running IBM MQ (the article mentions testing against Linux and AIX environments)
- Capabilities: Connect to MQ Queue Managers, send and receive messages to queues, sniff channel activity, and an osquery extension for client monitoring.
- First Seen: Published/Released June 08, 2018 (based on article date).
## MITRE ATT&CK Mapping
The activities described around exploiting MQ services generally align with the Persistence, Privilege Escalation, and Impact tactics by abusing legitimate communication channels to cause unauthorized business process execution or data manipulation.
- **TA0003 - Persistence**
  - T1546.009 - Event Triggered Execution: If message injection leads to standing processes or persistent execution.
- **TA0004 - Privilege Escalation**
  - T1134.004 - Accessing ACLs: Bypassing access controls via misconfigured channels or exploiting authentication mechanisms.
- **TA0006 - Credential Access** (Indirectly, by reading sensitive messages)
  - T1003 - OS Credential Dumping (If sensitive credentials are in messages).
- **TA0011 - Command and Control** (If MQ is used for covert communication)
  - T1090 - Proxy (If MQ acts as a means of relaying commands).
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact (If file transfers/manipulation leads to ransomware/disruption, although not explicitly detailed).
  - T1490 - Inhibit System Recovery (If transactions are incorrectly committed or processes are stopped).
## Functionality
### Core Capabilities
- **Connection Establishment:** Ability to connect to MQ Queue Managers using required parameters (IP/Hostname & Port, Queue Manager Name, Channel name).
- **Message Interaction:** Putting (sending) and Getting (receiving) messages to/from specific queues. This ability allows attackers to:
  - Initiate or bypass specific transaction checks within business processes.
  - Commit unauthorized transactions.
  - Facilitate file transfers.
- **Sniffing:** Includes a "sniff" command capability to monitor activity on MQ channels.
### Advanced Features
- **Osquery Integration:** Includes a custom Golang table extension for osquery (`mq_clients`) that allows querying for currently connected MQ clients, aiding in defensive monitoring of the service's activity.
- **Exploiting Configuration Weaknesses:** Leveraging common default configurations, especially on older MQ versions (< 7.1) or systems where Channel Authentication Records (CHLAUTH) were disabled or misconfigured during upgrades, to gain unauthenticated access to Server-connection channels like `SYSTEM.ADMIN.SVRCONN`.
## Indicators of Compromise
*Note: Since `punch-q` is an active tool and the article does not detail successful exploitation attempts with specific outputs, IOCs are based on the defensive component and common interacting points.*
- File Hashes: [Not provided in the text]
- File Names: `punch-q` (tool executable), `osquery-mqtable` (extension source/compiled binary)
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: MQ client connections established over TCP/IP to Queue Manager ports (often 1414 or custom ports).
- Behavioral Indicators:
  - Unauthorized connections to MQ channels, especially Server-connection channels, lacking proper authentication.
  - Unexpected message activity (PUT/GET operations) on critical business queues.
  - Execution of `display conn(*)` or similar administrative commands if shells are compromised.
## Associated Threat Actors
The tool was developed by SensePost researchers and usage by known threat groups is **not mentioned** in the provided context. It is presented as a penetration testing and security assessment utility.
## Detection Methods
- **Signature-based detection:** Detection on the custom tool executable (`punch-q`) if signatures are generated.
- **Behavioral detection:** Monitoring network traffic for connections to MQ ports from unexpected internal or external hosts. Identifying PUT/GET operations that deviate from established baseline business processes.
- **Osquery Monitoring:** Utilizing the provided `mq_clients` osquery extension to log and monitor connections to the Queue Manager endpoints, either in real time or by diffing successive snapshots.
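The behavioral and osquery checks above both come down to the same question: which clients are connected, over which channel, from where, and as whom. The following is an added example (not part of the article and not punch-q or the `mq_clients` extension) that parses the output of `DISPLAY CONN(*)` as `runmqsc` prints it and flags connections that deviate from a per-channel baseline. The three connection records are constructed for this example and show only the attributes the check reads; the record layout, the baseline networks, and the set of default admin channel names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: three connection records in the shape runmqsc prints for
# DISPLAY CONN(*) TYPE(CONN). Only the attributes this check needs are shown.
SAMPLE_DISPLAY_CONN = """\
AMQ8276I: Display Connection details.
   CONN(5A6A3B5C20000901)                 EXTCONN(414D5143514D31202020202020202020)
   TYPE(CONN)
   APPLTAG(orders-service)                APPLTYPE(USER)
   CHANNEL(APP.ORDERS.SVRCONN)            CLIENTID( )
   CONNAME(10.0.20.11)                    USERID(orders)
AMQ8276I: Display Connection details.
   CONN(5A6A3B5C20000A02)                 EXTCONN(414D5143514D31202020202020202020)
   TYPE(CONN)
   APPLTAG(punch-q)                       APPLTYPE(USER)
   CHANNEL(SYSTEM.ADMIN.SVRCONN)          CLIENTID( )
   CONNAME(10.0.99.7)                     USERID(mqm)
AMQ8276I: Display Connection details.
   CONN(5A6A3B5C20000B03)                 EXTCONN(414D5143514D31202020202020202020)
   TYPE(CONN)
   APPLTAG(java)                          APPLTYPE(USER)
   CHANNEL(APP.ORDERS.SVRCONN)            CLIENTID( )
   CONNAME(192.168.55.2)                  USERID(orders)
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
RECORD_MARKER = "AMQ8276I"          # each connection record starts with this message id

# Default SVRCONN channels that exist on every queue manager; client traffic on
# them should be blocked by CHLAUTH, so any connection seen here is suspicious.
DEFAULT_ADMIN_CHANNELS = {"SYSTEM.ADMIN.SVRCONN", "SYSTEM.DEF.SVRCONN", "SYSTEM.AUTO.SVRCONN"}
PRIVILEGED_USERS = {"mqm"}


def parse_display_conn(text):
    """Split runmqsc DISPLAY CONN output into one dict of attributes per connection."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith(RECORD_MARKER):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # banner lines before the first record
        for name, value in ATTR_RE.findall(line):
            current[name] = value.strip()
    return records


def audit_connections(records, allowed_sources, admin_channels=DEFAULT_ADMIN_CHANNELS,
                      privileged_users=PRIVILEGED_USERS):
    """Return {CONN id: [reasons]} for client connections outside the baseline.

    allowed_sources maps a channel name to the networks its clients are expected
    to come from. A channel with no entry has no legitimate client sources, so
    every connection on it is reported.
    """
    findings = {}
    for rec in records:
        reasons = []
        channel = rec.get("CHANNEL", "")
        conname = rec.get("CONNAME", "")
        userid = rec.get("USERID", "")
        if channel in admin_channels:
            reasons.append(f"client connection on default admin channel {channel}")
        # Local (bindings-mode) apps have an empty CHANNEL, so mqm locally is normal;
        # mqm arriving over a client channel is not.
        if channel and userid in privileged_users:
            reasons.append(f"privileged user {userid!r} connected over client channel {channel}")
        if conname:
            try:
                addr = ipaddress.ip_address(conname)
            except ValueError:
                reasons.append(f"source {conname!r} is not an IP address; review manually")
            else:
                nets = allowed_sources.get(channel, [])
                if not any(addr in ipaddress.ip_network(n) for n in nets):
                    reasons.append(f"source {conname} not in baseline for channel {channel}")
        if reasons:
            findings[rec.get("CONN", "?")] = reasons
    return findings


if __name__ == "__main__":
    baseline = {"APP.ORDERS.SVRCONN": ["10.0.20.0/24"]}   # constructed baseline
    for conn, reasons in audit_connections(parse_display_conn(SAMPLE_DISPLAY_CONN), baseline).items():
        print(conn, "->", "; ".join(reasons))
```

Run against the sample, the first connection is clean, the second is reported three times (default admin channel, `mqm` over a client channel, source outside any baseline) and the third once (an application client from a network the baseline does not cover). The same logic works on a periodic dump of `DISPLAY CONN(*)` or on rows from the `mq_clients` table; the point is that the baseline is per channel, because a source that is normal for one application channel is not normal for another.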
## Mitigation Strategies
- **Disable/Restrict Unauthenticated Channels:** Ensure that default Server-connection channels (like `SYSTEM.ADMIN.SVRCONN`) are disabled or secured.
- **Implement CHLAUTH:** Configure and rigorously manage Channel Authentication Records (CHLAUTH) rules introduced in MQ version 7.1+ to enforce authentication and authorization for all administrative and application channels.
- **Principle of Least Privilege:** Ensure that user accounts used for connecting to MQ channels only have the minimum necessary access rights (only read/write to specific necessary queues).
- **Configuration Management:** Verify that upgrades do not roll back modern security settings (for example, leaving CHLAUTH disabled) by scripting configuration validation (e.g., checking `dmpmqcfg` output).
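The mitigation list asks for CHLAUTH to be enabled, default Server-connection channels to be locked down, and that state to be re-validated after every upgrade by checking `dmpmqcfg` output. As an added example (not from the article or from the punch-q project), the script below parses MQSC text in the shape `dmpmqcfg` emits (statements with `+` continuation lines) and reports the weak settings next to a hardened configuration that passes. Both configuration fragments are constructed for this example and are trimmed to the attributes the checks read; the assumption is that your dump uses the same statement and attribute syntax.

```python
import re

# Constructed sample of a weak configuration: CHLAUTH turned off at the queue
# manager, the default admin SVRCONN left with a blank MCAUSER (so the client
# asserts its own identity), and no CHLAUTH rules at all.
WEAK_CONFIG = """\
DEFINE CHANNEL('SYSTEM.ADMIN.SVRCONN') +
   CHLTYPE(SVRCONN) +
   MCAUSER(' ') +
   REPLACE
DEFINE CHANNEL('APP.ORDERS.SVRCONN') +
   CHLTYPE(SVRCONN) +
   MCAUSER('orders') +
   REPLACE
ALTER QMGR +
   CHLAUTH(DISABLED)
"""

# Constructed sample of the corrected configuration: CHLAUTH on, the two rules
# that a 7.1+ queue manager ships with by default, and every SVRCONN pinned to
# a low-privilege MCAUSER.
HARDENED_CONFIG = """\
DEFINE CHANNEL('APP.ORDERS.SVRCONN') +
   CHLTYPE(SVRCONN) +
   MCAUSER('orders') +
   REPLACE
ALTER QMGR +
   CHLAUTH(ENABLED)
SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')
"""

# NAME('quoted value') or NAME(bare value)
ATTR_RE = re.compile(r"([A-Z]+)\((?:'([^']*)'|([^)]*))\)")


def parse_mqsc(text):
    """Join '+' continuation lines, then return one (verb, object, attrs) per statement."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("+"):
            buf += line[:-1] + " "
            continue
        buf += line
        verb, rest = buf.split(None, 1)
        obj = re.match(r"[A-Z]+", rest).group()          # CHANNEL, QMGR, CHLAUTH, ...
        attrs = {}
        for m in ATTR_RE.finditer(buf):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            attrs[m.group(1)] = value.strip()
        statements.append((verb, obj, attrs))
        buf = ""
    return statements


def audit_config(statements):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    chlauth_enabled = system_blocked = admin_blocked = False
    for verb, obj, attrs in statements:
        if obj == "QMGR" and attrs.get("CHLAUTH") == "ENABLED":
            chlauth_enabled = True
        if obj == "CHANNEL" and attrs.get("CHLTYPE") == "SVRCONN" and attrs.get("MCAUSER", "") == "":
            findings.append(f"SVRCONN channel {attrs['CHANNEL']} has a blank MCAUSER (client-asserted identity)")
        if verb == "SET" and obj == "CHLAUTH":
            if (attrs.get("CHLAUTH") == "SYSTEM.*" and attrs.get("TYPE") == "ADDRESSMAP"
                    and attrs.get("ADDRESS") == "*" and attrs.get("USERSRC") == "NOACCESS"):
                system_blocked = True
            if attrs.get("TYPE") == "BLOCKUSER" and "*MQADMIN" in attrs.get("USERLIST", ""):
                admin_blocked = True
    if not chlauth_enabled:
        findings.append("queue manager does not have CHLAUTH(ENABLED); channel rules are ignored")
    if not system_blocked:
        findings.append("no CHLAUTH rule blocks SYSTEM.* channels from all addresses")
    if not admin_blocked:
        findings.append("no CHLAUTH BLOCKUSER rule for *MQADMIN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_config(parse_mqsc(cfg)) or "ok")
```

Pipe a real dump in (`dmpmqcfg -m QMGR -a | python3 check.py`, reading `sys.stdin` instead of the constructed string) from a post-upgrade job and fail the job on any finding; because CHLAUTH(DISABLED) silences every channel rule, the first finding is the one to fix before the others mean anything.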
## Related Tools/Techniques
- **MQ Jumping:** Prior research/framework discussed in the accompanying Defcon 15 presentation and white paper detailing MQ security issues.
- **IBM MQ Explorer:** The official administrative tool, whose behaviour attackers might mimic, or which they might use directly once administrative access is gained.