Didier Stevens

Tuesday July 11th, second Tuesday of the month. IT professionals working for a Microsoft shop know the drill: patch Tuesday.

MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution. One vulnerability fixed by this patch is the “Mailslot Heap Overflow Vulnerability – CVE-2006-1314”. According to the Microsoft Security Bulletin, a mitigating factor for this vulnerability is “Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1 do not have services listening on Mailslots in default configurations“. Good, but what about non-default configurations? When do you have mailslots on your machine?

Maislots are an Inter-Process Communication (IPC) protocol. It can be used by processes (running programs) to communicate with each other.

It’s easy to create programs using mailslots.
Your server program listens to a mailslot by creating a file starting with \\.\mailslot followed by the name of the mailslot (e.g. \\.\mailslot\listener) and starts reading from that file.
Your client program talks to a mailslot by creating a file starting with \\server\mailslot followed by the name of the mailslot (e.g. \\MyServer\mailslot\listener) and writing a message to it. The Server Service will transport your message from your client program to your server program.

More details can be found on MSDN and sample code is available on The Code Project.

Hence any program designed to use mailslots can open a mailslot on your Windows PC, making your Windows XP SP2 machine vulnerable. You can list the mailslots opened on a machine by enumerating the files in the \\.\mailslot directory.

I wrote a simple C# 2.0 console application to do this:

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;

namespace ListMailSlots
{
    class ListMailSlots
    {
        static void Main(string[] args)
        {
            foreach (string file in Directory.GetFiles

(@".mailslot", "*.*", SearchOption.AllDirectories))
            {
                Console.WriteLine(file);
            }
        }
    }
}

Mail me or post a comment if you want the compiled program.

Running this program on a fresh Windows XP SP2 install shows nothing: as stated by Microsoft, a default install has no mailslots.

But on a Windows Server 2000 SP4, the result is different:

messngr
Alerter
53cb31a0UnimodemNotifyTSP

The mailslot \\.\mailslot\messngr is used by the Messenger service (the service that displays a popup when you issue a NET SEND command).
Alerter is used by the Alerter service to display administrative alerts.

These services are disabled on Windows XP SP2 and Windows 2003 SP1. In fact, when you enable and start these services on a default install, the mailslots will be created and my program will list them.

53cb31a0\UnimodemNotifyTSP is used by the Telephony service.

There is another way to list mailslots using Process Explorer by Sysinternals: start PE and search (File Handle or DLL…) for \Device\Mailslot:

This will also show you the process that opened the mailslot. svchost.exe is a generic process to host Windows services, you’ll have to open the properties of the process and select the Services tab to view which Services are hosted by the process.

I’ve also discovered (with my program) that McAfee uses a mailslot.

This gives you a method to check if a Windows machine has mailslots and hence if it’s vulnerable.

Few details have been published about this vulnerability, the best I found is by TippingPoint. I wonder when H D Moore will publish an exploit module for his Metasploit framework.
Cybertrust has issued an alert for this vulnerability, warning for a possible new worm like Slammer. Wait and see…