Analysis of the Security of Windows NT
1 March 1999
49
installed. In these respects, NT is no different from other operating systems. In this section, we focus on weaknesses introduced in the installation procedure.

It is rather simple to install NT on a computer from the box. However, such an installation is not secure. The system administrator has to perform a number of tasks. First, install the latest Service Pack announced by Microsoft. Second, fetch and install hotfixes for problems found after a Service Pack has been shipped. Third, since the standard configuration of the system is rather relaxed, probably because there is less complaining if things work right away, the system administrator really needs to go through the registry carefully after an installation and change the configuration to suit her/his needs. Microsoft could definitely have made the standard installation more rigorous; in particular, the Everyone group could be more restricted.
7.3.2 Collisions in MD4
MD4 is a one-way hash function developed by RSA Inc. It is mainly used to create hashed checksums in mail systems for digital signatures, where a text of variable size is hashed into a 16-byte value. In the context of digital signatures constructed by checksum, it is important that different texts do not produce the same checksum, i.e. all checksums are unique, or at least that it is impossible to alter a given text and still produce a checksum identical to the one for the original text. This was thought to be true for MD4 until Hans Dobbertin discovered collisions, i.e. two texts producing the same checksum, in the algorithm [21]. He also showed how this could be done fairly easily with any text as long as it had a certain structure [25]. This led to the conclusion that MD4 is to be considered unsafe, and to a recommendation to stop using it.
In NT, MD4 is used as the main encryption algorithm for passwords, the reason being that it is considered impossible to reverse a one-way hash function. The encrypted password is compared with the stored encrypted password to identify the user at logon, see section 5.3. However, since only the encrypted passwords are compared, and since collisions have been detected in MD4, it is possible, though probably unlikely, that two different passwords give access to the same user account. This in turn decreases the number of passwords that need to be tested in a brute force password attack, by how much is hard to tell, and therefore weakens the encryption.
7.3.3 Parameter Checks in System Calls
One of the oldest programming errors in the book is insufficient error control. This includes checks to make sure that the values of variables and parameters are within the allowed range. In NT 4.0, as well as in 3.51, there exist system calls with insufficient validity checks on their parameters. These system calls make the system crash if they are called with parameter values outside the allowed range. One program which we found (NTCrash) is primarily designed to detect and log system calls with these kinds of flaws. However, the program can also be used to exploit these weaknesses, see section 7.5.1. Hopefully, Microsoft will correct these programming errors in the near future.
7.3.4 Undocumented System Variables and Functions
An operating system exports a number of system functions, often called system calls,
and variables to be used by application programs.