Windows NT does not check execute permissions for 16-bit applications correctly

Windows NT/2000/XP do not check execute permissions correctly before allowing 16-bit executables to load. This makes it possible to load and execute 16-bit files without execute permission.

Any application or system setup that depends on access control lists to protect from remote or local code execution is potentially vulnerable.


Background:
When a 32-bit file is prepared for execution, it is opened by the NT loader with EXECUTE permission requested. Normally, when a 16-bit file is loaded, it is also opened first by the loader. The loader detects that the file is a 16-bit application and passes it on to the NTVDM process, which then loads the 16-bit application for execution. However, if a 16-bit executable file is loaded by a 16-bit program, it is opened directly by NTVDM without ever being sent to the loader.

Since the loader checks execute permissions and a 16-bit application normally gets opened first by the loader, it may appear as if execute permission is checked for 16-bit files. For example, if a 16-bit application is double-clicked in the Windows Explorer, the application will not be allowed to start without execute permission set. However, it is possible to send a 16-bit file directly to NTVDM without going through the loader. For example, the command line

COMMAND /c 16BitApp.exe

will always run the application 16BitApp.exe regardless of execute permission.

To reproduce on Windows 2000:
1. Select a 16-bit application, say exe2bin.exe
2. Right-click the file in the Explorer and select Properties in the menu.
3. Click the Security tab and click Advanced.
4. Select 'Everyone' and click 'View/Edit'.
5. Check 'Deny' on the 'Traverse Folder/Execute File' permission.
6. Click OK a couple of times.
7. In a command shell, type 'exe2bin' and hit return. You will get 'Access is denied'.
8. Type 'command /c exe2bin' and hit return. The exe2bin application will start.

 

Workaround:

Disable NTVDM.EXE. It is possible to do this by denying everyone EXECUTE permission for NTVDM.EXE. Please note that this will disable all 16-bit programs.
 

Severity:

This is a bug in the operating system, so it potentially affects a lot of software. That said, most applications do not change default access control lists when they create files. However, default access control lists may be specified by a system administrator in many cases.

 

It is a good practice for applications to deny execute rights to any files they allow to be uploaded or created based on foreign content. The typical example would be an FTP server. It is unclear how often this is used in practice, though. Whenever it is used, this vulnerability might provide a way to deliver executable files to the target anyway.
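
As an added example (not part of the original advisory or of any Abtrusion product), the sketch below lets an administrator audit a directory that relies on deny-execute ACLs, such as an FTP upload area, for files that NTVDM rather than the 32-bit loader would handle. It assumes the standard MZ/NE/PE header layout; headerless .COM programs carry no signature and are not detected, and the function names and sample bytes are constructed for illustration.

```python
import struct
import sys
from pathlib import Path


def classify_stream(f) -> str:
    """Classify a binary stream as 'pe', 'ne16', 'dos-mz' or 'not-mz'."""
    header = f.read(0x40)
    if header[:2] != b"MZ":
        return "not-mz"
    if len(header) == 0x40:
        # e_lfanew at offset 0x3C points to the "new" header, if there is one.
        (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
        f.seek(e_lfanew)
        sig = f.read(4)
        if sig == b"PE\x00\x00":
            return "pe"
        if sig[:2] == b"NE":
            return "ne16"
    # MZ with no PE/NE header: treated here as a plain 16-bit DOS program.
    return "dos-mz"


def find_16bit_files(root):
    """Return sorted (path, kind) pairs for 16-bit candidates under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        try:
            if not path.is_file():
                continue
            with path.open("rb") as f:
                kind = classify_stream(f)
        except OSError:
            continue  # unreadable entries are skipped, not classified
        if kind in ("ne16", "dos-mz"):
            hits.append((str(path), kind))
    return hits


def make_sample(sig: bytes) -> bytes:
    """Constructed test input: MZ stub whose e_lfanew (0x40) points at sig."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return header + sig.ljust(0x40, b"\x00")


if __name__ == "__main__":
    for path, kind in find_16bit_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

Any file reported as ne16 or dos-mz in such a directory should be treated as executable regardless of its ACL until NTVDM.EXE is disabled or the operating system fix is installed.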

Status:
The bug was reported to Microsoft on July 2, 2002.

Microsoft plans to fix this bug in future service packs.

 

Vendor Statement:

Microsoft wants to make the following statement: "Microsoft will fix this and Microsoft feels that a service pack is the most appropriate way to address this issue."

 

Copyright 2002 Abtrusion Security AB. All rights reserved. This document may be reproduced provided that it is reproduced in its entirety and that this copyright message is retained.

 

