
Analysis of the Security of Windows NT  1 March 1999  50

We have found a program package (NTExport) for NT that can be used to generate a kernel-mode device driver library which includes undocumented kernel functions and variables. We are not aware of any program that uses this package for intrusion purposes. However, there is a program called CacheMan, which relies on this package, that can be used to tune the file system cache. For more information about NTExport, see appendix D.2.3.

We can see two different reasons why Microsoft kept all this undocumented. One reason may be that they gain a competitive advantage vis-à-vis other vendors when application programs are developed. The other possible reason is that they may not be aware of what is exported and what is not. From a security point of view, we believe that the latter would be the more serious.

7.3.5  Plain-text Passwords over the Network

NT supports eight different variants of the authentication protocol, for backward compatibility reasons. It is the client that proposes which variants may be used, in the SMB_C_NEGOTIATE message. The older of these variants send plaintext passwords over the network, and some of the newer ones use weak encryption schemes. The server can only select among the variants the client has offered, so it is the client that, unless there is a share-level versus user-level incompatibility, sets the level of security. According to, among others, [29], the server by default accepts plaintext passwords as valid authentication. An attacker positioned between client and server can therefore act as a man-in-the-middle, force the negotiation down to a plaintext variant, and read passwords directly off the network.

7.3.6  Non-NTFS File Systems

Each file system has a device object that is created when the file system is loaded. A thread is able to access a file system if it has traverse access rights to the device object representing that file system.
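The negotiation problem of section 7.3.5 is easiest to see in a small model. The following Python code is an added example and is not part of the original report: it encodes and parses the dialect list of a negotiate request (a two-byte ByteCount followed by one 0x02-prefixed, NUL-terminated string per dialect), lets the server pick the newest dialect it knows among those offered, and shows a man-in-the-middle trimming the client's list so that only a plaintext dialect survives. The six dialect names are real SMB dialect strings, but the six-entry list and the dialect-to-password-scheme mapping are simplifying assumptions made for the example.

```python
import struct

# Constructed model of the SMB dialect list, ordered oldest to newest.
# The password-scheme labels are a simplified assumption for this example
# (Core dialects: plaintext; LAN Manager dialects: LM challenge/response;
# NT LM 0.12: NTLM challenge/response).
DIALECT_ORDER = [
    "PC NETWORK PROGRAM 1.0",
    "MICROSOFT NETWORKS 1.03",
    "LANMAN1.0",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
]
PASSWORD_SCHEME = {
    "PC NETWORK PROGRAM 1.0": "plaintext",
    "MICROSOFT NETWORKS 1.03": "plaintext",
    "LANMAN1.0": "LM challenge/response",
    "LM1.2X002": "LM challenge/response",
    "LANMAN2.1": "LM challenge/response",
    "NT LM 0.12": "NTLM challenge/response",
}
NO_DIALECT = 0xFFFF  # DialectIndex returned by the server when nothing matched


def encode_dialects(dialects):
    """Build the data portion of a negotiate request: little-endian ByteCount,
    then one 0x02 BufferFormat byte + ASCII string + NUL per dialect."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return struct.pack("<H", len(body)) + body


def parse_dialects(data):
    """Inverse of encode_dialects; rejects truncated or malformed buffers."""
    if len(data) < 2:
        raise ValueError("negotiate request shorter than ByteCount")
    (count,) = struct.unpack_from("<H", data, 0)
    body = data[2:2 + count]
    if len(body) != count:
        raise ValueError("ByteCount exceeds buffer")
    dialects, pos = [], 0
    while pos < len(body):
        if body[pos] != 0x02:
            raise ValueError("expected BufferFormat 0x02 at offset %d" % pos)
        end = body.find(b"\x00", pos + 1)
        if end < 0:
            raise ValueError("unterminated dialect string")
        dialects.append(body[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def server_select(offered):
    """Server side: index (into the client's list) of the newest dialect the
    server understands. It cannot pick anything the client did not offer."""
    best, best_rank = NO_DIALECT, -1
    for idx, name in enumerate(offered):
        if name in DIALECT_ORDER and DIALECT_ORDER.index(name) > best_rank:
            best, best_rank = idx, DIALECT_ORDER.index(name)
    return best


def downgrade_request(request, newest_allowed="MICROSOFT NETWORKS 1.03"):
    """Man-in-the-middle step: rewrite the client's request so that only
    dialects up to newest_allowed remain, forcing a plaintext variant."""
    limit = DIALECT_ORDER.index(newest_allowed)
    kept = [d for d in parse_dialects(request)
            if d in DIALECT_ORDER and DIALECT_ORDER.index(d) <= limit]
    return encode_dialects(kept)


def negotiate(request, tamper=None):
    """Run one negotiation; returns (chosen dialect or None, password scheme)."""
    if tamper is not None:
        request = tamper(request)
    offered = parse_dialects(request)
    idx = server_select(offered)
    if idx == NO_DIALECT:
        return None, None
    chosen = offered[idx]
    return chosen, PASSWORD_SCHEME[chosen]


if __name__ == "__main__":
    request = encode_dialects(DIALECT_ORDER)
    print("untampered :", negotiate(request))
    print("downgraded :", negotiate(request, tamper=downgrade_request))
```

The model makes the report's point concrete: the server's choice is bounded by the list it receives, so whoever can rewrite that list before it reaches the server decides the authentication scheme. A server that refuses the plaintext dialects, or a client that refuses to send a plaintext password regardless of what was negotiated, is what closes the hole; trusting the negotiation alone does not.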
The ACL on each device object is by default set to traverse access for everyone and read/write access for administrators. Once a thread has that access, file objects for individual files on the volume may be created. For a file on, say, a FAT volume, the access decision is based on the ACL of the file-system device object alone, since FAT keeps no per-file security information. This is not the case for NTFS files and directories, which carry their own security descriptors [43].

7.3.7  System Initialization

Another problem is that a PC can easily be booted with an operating system other than NT, which bypasses NT's access control altogether. For example, a PC that can boot from the floppy drive can be started under MS-DOS, after which the attacker can use a utility program such as NTFSDOS (see appendix D.3.1) or NTRecover (appendix D.3.4) to read the NTFS volume, including the SAM database.

7.4  Suggested Attacks

A number of attacks have been suggested by different people but have, to our knowledge, not been demonstrated by proof-of-concept code or the equivalent. There are also some attacks which we, for various reasons, have not been able to perform and eval-