Windows NT does not check execute permissions for 16-bit applications
Windows NT/2000/XP do not check execute permissions correctly before
allowing 16-bit executables to load. This makes it possible to load and
execute 16-bit files without execute permission.
Any application or system setup that depends on access control lists to
protect from remote or local code execution is potentially vulnerable.
When a 32-bit file is prepared for execution, it is opened by the NT loader
with EXECUTE access requested, so a Deny on that right stops the launch.
Normally, a 16-bit file is also opened first by the loader. The loader
detects that the file is a 16-bit image and hands it to the NTVDM process,
which then loads the 16-bit application for execution. However, if a 16-bit
executable file is started by a program that is itself running inside NTVDM,
NTVDM opens the file directly, without requesting EXECUTE access and without
ever sending it to the loader.
Since the loader checks execute permission and a 16-bit application is
normally opened first by the loader, it may appear as if execute permission
is checked for 16-bit files. For example, if a 16-bit application is
double-clicked in the Windows Explorer, it will not start unless execute
permission is set. However, it is possible to send a 16-bit file directly to
NTVDM without going through the loader. COMMAND.COM is itself a 16-bit
program running under NTVDM, so the command line
COMMAND /c 16BitApp.exe
will always run 16BitApp.exe regardless of its execute permission.
To reproduce on Windows 2000:
1. Select a 16-bit application, say exe2bin.exe.
2. Right-click the file in the Explorer and select Properties in the menu.
3. Click the Security tab and click Advanced.
4. Select 'Everyone' and click 'View/Edit'.
5. Check 'Deny' on the 'Traverse Folder/Execute File' permission.
6. Click OK a couple of times.
7. In a command shell, type 'exe2bin' and hit return. You will get 'Access
   is denied'.
8. Type 'command /c exe2bin' and hit return. The exe2bin application will
   run.
A workaround is to prevent NTVDM.EXE itself from being started. It is
possible to do this by denying everyone EXECUTE permission on NTVDM.EXE.
Please note that this will disable all 16-bit programs on the machine.
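The reproduction steps and the workaround above, carried out through the file
system ACL API instead of the Explorer dialogs, plus the check a practitioner
would want before relying on a deny-execute ACE: a header classifier that
tells PE images (which the NT loader opens with EXECUTE) apart from NE, DOS
MZ and .COM images (which NTVDM opens itself). This is an added example and
not code from the Abtrusion advisory. It assumes a 32-bit Windows
2000/XP/2003 host (x64 Windows has no NTVDM and runs no 16-bit code at all),
an elevated PowerShell session, a copy of a 16-bit binary at the hypothetical
path C:\Test\exe2bin.exe, and a hypothetical FTP upload root at
C:\Inetpub\ftproot.

```powershell
# Added example, not part of the Abtrusion advisory. Assumptions: 32-bit
# Windows with NTVDM present, elevated session, hypothetical paths
# C:\Test\exe2bin.exe (no spaces: COMMAND.COM cannot quote long names)
# and C:\Inetpub\ftproot.

# Classify an image by its header. Only 'PE' images go through the NT
# loader's EXECUTE open; 'NE' (16-bit Windows), plain MZ (DOS) and .COM
# images are handed to NTVDM, which never requests EXECUTE.
function Get-ImageKind {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $isMz = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    if (-not $isMz) {
        if ([System.IO.Path]::GetExtension($Path) -eq '.com') { return 'COM' }
        return 'NotExecutable'
    }
    if ($bytes.Length -lt 0x40) { return 'DOS' }
    $lfanew = [BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew
    if ($lfanew -le 0 -or ($lfanew + 4) -gt $bytes.Length) { return 'DOS' }
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, $lfanew, 2)
    if ($sig -eq 'PE' -and $bytes[$lfanew + 2] -eq 0 -and $bytes[$lfanew + 3] -eq 0) {
        return 'PE'                                            # Win32: loader checks EXECUTE
    }
    switch ($sig) {
        'NE'    { return 'NE' }     # 16-bit Windows: run by NTVDM
        'LE'    { return 'Other' }  # VxD/OS2 formats NT does not run
        'LX'    { return 'Other' }
        default { return 'DOS' }    # plain MZ: run by NTVDM
    }
}

# The ACE that advisory steps 2-6 create through the Properties dialog.
function Add-ExecuteDeny {
    param([string]$Path, [string]$Identity = 'Everyone')
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Identity, 'ExecuteFile', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# True when any Deny ACE on the file covers the ExecuteFile right (0x20).
function Test-HasExecuteDeny {
    param([string]$Path)
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and (([int]$ace.FileSystemRights) -band $execute)) {
            return $true
        }
    }
    return $false
}

$target = 'C:\Test\exe2bin.exe'
Add-ExecuteDeny -Path $target
"$target : kind $(Get-ImageKind $target), execute denied: $(Test-HasExecuteDeny $target)"

# Advisory step 7: through the NT loader. CreateProcess opens the file
# requesting EXECUTE, the Deny ACE matches, and the start is refused.
cmd.exe /c $target

# Advisory step 8: through NTVDM. COMMAND.COM is itself a 16-bit program,
# so NTVDM opens the child without EXECUTE and runs it despite the Deny ACE.
cmd.exe /c "command.com /c $target"

# Audit: any non-PE image under an upload root that carries a deny-execute
# ACE is "protected" only by a check the loader never gets to make.
function Find-UnprotectedVdmImages {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.com |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $kind = Get-ImageKind $_.FullName
            if ($kind -ne 'PE' -and $kind -ne 'NotExecutable' -and $kind -ne 'Other' -and
                (Test-HasExecuteDeny $_.FullName)) {
                New-Object PSObject -Property @{ Path = $_.FullName; Kind = $kind }
            }
        }
}
Find-UnprotectedVdmImages -Root 'C:\Inetpub\ftproot' | Format-Table Kind, Path -AutoSize

# The advisory's workaround: deny execute on NTVDM itself. This closes the
# path but disables every 16-bit program on the machine, so run the audit
# first and decide whether that trade-off is acceptable.
Add-ExecuteDeny -Path "$env:SystemRoot\System32\ntvdm.exe"
```

The classifier reads e_lfanew at offset 0x3C of the MZ header and looks at the
signature it points to; a plain DOS executable has no valid pointer there, so
an out-of-range value is treated as DOS. Files with no MZ header are only
runnable by NTVDM if they are .COM images, which is why the extension is
consulted in that one case.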
This is a bug in the operating system, so it potentially affects a lot of
software. That said, most applications do not change default access control lists when they
create files. However, default access control lists may be specified by a
system administrator in many cases.
It is good practice for applications to deny execute rights on any files
they allow to be uploaded or created from foreign content. The typical
example would be an FTP server. It is unclear how often this is done in
practice, though. Wherever it is done, this bug means that a 16-bit
executable delivered to the target can still be run despite the ACL.
The bug was reported to Microsoft on July 2, 2002.
Microsoft plans to fix this bug in future service packs.
Microsoft wants to make the following statement: "Microsoft will fix this and
Microsoft feels that a service pack is the most appropriate way to address
Copyright © 2002 Abtrusion Security AB.
All rights reserved. This document may be reproduced provided that it is
reproduced in its entirety and that this copyright message is retained.