4.10.12. Messenger service

The messenger service runs two RPC services, available on two endpoints:

The MS03-043 Microsoft security bulletin removed support for the msgsvcsend interface and for the UDP endpoint, leaving only the msgsvc named pipe.

Because the Messenger service runs in a shared process, removing the UDP endpoint was an important security improvement: previously, the ncadg_ip_udp transport could be used with this endpoint to anonymously reach other RPC services running in the same process.

Windows XP SP2 and Windows Server 2003 SP1 do not support the msgsvcsend interface and thus do not have the UDP endpoint. In addition, the Messenger service is disabled by default on Windows Server 2003 (all versions) and Windows XP SP2.

Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42

[...]

  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...] 

  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

The UDP transport is frequently used with the msgsvcsend interface to send, in bulk, popup windows containing advertisement messages [77].

The two RPC services run by the Messenger service have the following interface identifiers:

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend

The msgsvc interface supports 4 operations that manipulate NetBIOS names on a local or remote system:

Table 4.55. msgsvc operations

Interface: 17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc

Operation number    Operation name
0x00                NetrMessageNameAdd
0x01                NetrMessageNameEnum
0x02                NetrMessageNameGetInfo
0x03                NetrMessageNameDel

The msgsvcsend interface supports one operation, to send a message to a registered NetBIOS name using MSRPC:

Table 4.56. msgsvcsend operation

Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend

Operation number    Operation name
0x00                NetrSendMessage

The msgsvcsend interface is frequently used to send advertisement messages, using the NetrSendMessage operation.

The MS03-043 [78] Microsoft security bulletin includes a patch that completely removes support for the msgsvcsend interface of the Messenger service (both the server-side function in msgsvc.dll and the client-side function in wkssvc.dll are removed in patched versions of these two DLLs).
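
For monitoring unpatched systems, the interface identifiers and operation numbers above are enough to recognise Messenger service requests arriving over ncadg_ip_udp. The following is an added example, not part of the original document: it reads the fixed 80-byte connectionless DCE RPC header of a UDP payload and reports the interface and operation. The function names are hypothetical, the header offsets are assumed from the DCE 1.1 connectionless PDU layout, and the sample header is constructed.

```python
import struct
import uuid

# Interface identifiers and operation names as listed in this section.
INTERFACES = {
    uuid.UUID("17fdd703-1827-4e34-79d4-24a55c53bb37"): ("msgsvc", {
        0x00: "NetrMessageNameAdd", 0x01: "NetrMessageNameEnum",
        0x02: "NetrMessageNameGetInfo", 0x03: "NetrMessageNameDel"}),
    uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"): ("msgsvcsend", {
        0x00: "NetrSendMessage"}),
}
CL_HEADER_LEN = 80  # fixed header size of a connectionless DCE RPC PDU
PTYPE_REQUEST = 0


def classify_cl_pdu(datagram):
    """Return (interface, operation) if the UDP payload is a request to one
    of the Messenger service interfaces, else None."""
    if len(datagram) < CL_HEADER_LEN or datagram[0] != 4:  # rpc_vers 4
        return None
    if datagram[1] != PTYPE_REQUEST:
        return None
    # drep[0], high nibble: 1 = little-endian integers, 0 = big-endian.
    little = (datagram[4] >> 4) == 1
    raw_if = datagram[24:40]  # if_id follows the 16-byte object UUID
    if_id = uuid.UUID(bytes_le=raw_if) if little else uuid.UUID(bytes=raw_if)
    (opnum,) = struct.unpack_from("<H" if little else ">H", datagram, 68)
    if if_id not in INTERFACES:
        return None
    name, ops = INTERFACES[if_id]
    return name, ops.get(opnum, "unknown opnum 0x%02x" % opnum)


def sample_header(if_id, opnum, little=True):
    """Constructed 80-byte header (no stub data) used as sample input."""
    order = "<" if little else ">"
    prefix = bytes([4, PTYPE_REQUEST, 0, 0, 0x10 if little else 0x00, 0, 0, 0])
    iface = if_id.bytes_le if little else if_id.bytes
    # server_boot, if_vers, seqnum, opnum, ihint, ahint, len, fragnum,
    # auth_proto, serial_lo
    tail = struct.pack(order + "IIIHHHHHBB", 0, 1, 0, opnum,
                       0xFFFF, 0xFFFF, 0, 0, 0, 0)
    return prefix + bytes(16) + iface + bytes(16) + tail


if __name__ == "__main__":
    send = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
    print(classify_cl_pdu(sample_header(send, 0x00)))
```

On a patched system any msgsvcsend hit on UDP is unexpected, since MS03-043 removed both the interface and the UDP endpoint.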