SecurityTracker.com
Category:   OS (Microsoft)  >   Microsoft Virtual DOS Machine (VDM)
Vendors:   Microsoft
Microsoft NT, 2000, and XP Operating Systems May Execute a 16-bit Application Even When The File Has No Execute Permissions
SecurityTracker Alert ID:  1005254
SecurityTracker URL:  http://securitytracker.com/id/1005254
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 19 2002
Impact:   Modification of system information
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in Microsoft's Windows NT, 2000, and XP operating systems. A local user may be able to execute a 16-bit application for which execute permission has been explicitly denied.

It is reported that Microsoft Windows NT, 2000, and XP operating systems do not properly check execution rights before allowing 16-bit executables to load.

When a 16-bit file is loaded, it is usually opened first by the NT loader, which checks the execute permissions, detects that the file is a 16-bit executable, and passes it to the NT Virtual DOS Machine (NTVDM) process. NTVDM then loads the 16-bit application for execution. However, when a 16-bit executable is loaded by another 16-bit program, NTVDM can apparently load it directly, without the file ever being sent to the loader.

For example, the following command line will reportedly run the '16BitApp.exe' application regardless of its execute permissions:

COMMAND /c 16BitApp.exe

For more details, see:

http://www.abtrusion.com/msexe16.asp

Impact:   A local user may be able to execute 16-bit applications that do not have execute permissions.
Solution:   No solution was available at the time of this entry. According to the report, Microsoft plans to fix this bug in a future service pack release.

As a workaround, the author of the report has indicated that you can disable NTVDM.EXE by denying everyone EXECUTE permission for NTVDM.EXE. However, this will disable all 16-bit programs.
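
Before disabling NTVDM.EXE, it helps to know which files on a system are 16-bit executables, since those are the ones whose execute-deny ACLs cannot be relied on and which the workaround will stop from running. The following is an added example, not part of the original advisory or the reporter's material: it sweeps a directory tree and flags 16-bit files by the standard MZ/NE/PE header signatures. The function names and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

SIXTEEN_BIT = {"ne16", "dos16"}

def classify_file(path):
    """Classify by header: 'pe', 'ne16', 'dos16', 'other' or 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if head[:2] != b"MZ":
            return "unknown"          # not MZ; headerless .COM images land here too
        if len(head) < 0x40:
            return "dos16"            # too short to carry an e_lfanew field
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        sig = f.read(4)
    if sig == b"PE\x00\x00":
        return "pe"                   # 32/64-bit image, handled by the normal loader
    if sig[:2] == b"NE":
        return "ne16"                 # 16-bit Windows executable
    if sig[:2] in (b"LE", b"LX"):
        return "other"                # VxD and OS/2 formats
    return "dos16"                    # plain MZ DOS executable

def find_16bit(root):
    """Return sorted paths under root whose header marks them as 16-bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if classify_file(path) in SIXTEEN_BIT:
                    hits.append(path)
            except OSError:
                continue              # unreadable file: skip, do not abort the sweep
    return sorted(hits)

def sample_image(sig):
    """Constructed test input: minimal MZ stub whose e_lfanew (0x40) points at sig."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + sig
```

Headerless .COM programs carry no signature, so they come back as 'unknown' here and have to be matched by file extension instead.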

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Execution Rights Not Checked Correctly For 16-bit Applications


A 16-bit executable file can be loaded for execution even though the file is
flagged with execute permission denied.

Platforms: Windows NT, 2000, XP



Overview:

Windows NT/2000/XP do not check execution rights correctly before allowing
16-bit executables to load. This makes it possible to load and execute
16-bit files without execute permission. For example, the command line

COMMAND /c 16BitApp.exe

will always run the application 16BitApp.exe regardless of execute
permission.

Any application or system setup that depends on access control lists to
protect from remote or local code execution is potentially vulnerable.





Background:

For a background discussion and more detailed instructions of how to
reproduce, see http://www.abtrusion.com/msexe16.asp





Workaround:

Disable NTVDM.EXE. It is possible to do this by denying everyone EXECUTE
permission for NTVDM.EXE. Please note that this will disable all 16-bit
programs.





Status:

The bug was reported to Microsoft on July 2, 2002.

Microsoft plans to fix this bug in future service packs.





Vendor Statement:

Microsoft wants to make the following statement: "Microsoft will fix this
and Microsoft feels that a service pack is the most appropriate way to
address this issue."



______________________________________
Abtrusion Security AB
http://www.abtrusion.com




 
 

