A 16-bit executable file can be loaded for execution even though the file is
flagged with execute permission denied.

Platforms: Windows NT, 2000, XP



Overview:

Windows NT/2000/XP do not check execution rights correctly before allowing
16-bit executables to load. This makes it possible to load and execute
16-bit files without execute permission. For example, the command line

COMMAND /c 16BitApp.exe

will always run the application 16BitApp.exe regardless of execute
permission.

Any application or system setup that depends on access control lists to
protect from remote or local code execution is potentially vulnerable.





Background:

For a background discussion and more detailed instructions of how to
reproduce, see http://www.abtrusion.com/msexe16.asp





Workaround:

Disable NTVDM.EXE. It is possible to do this by denying everyone EXECUTE
permission for NTVDM.EXE. Please note that this will disable all 16-bit
programs.





Status:

The bug was reported to Microsoft on July 2, 2002.

Microsoft plans to fix this bug in future service packs.





Vendor Statement:

Microsoft wants to make the following statement: "Microsoft will fix this
and Microsoft feels that a service pack is the most appropriate way to
address this issue."



______________________________________
Abtrusion Security AB
http://www.abtrusion.com