Analysis of the Security of Windows NT
1 March 1999
69
able maintenance software will then let the attacker read and modify files on the
mounted disk at will. It would be simple to modify local password files to add a
new supervisor account with a new password, or otherwise modify user authorization
data, as is done with NTLocksmith [58] and [59].
8.3.15 GetAdmin (see 7.7.4)
UNIX does not handle access to process memory (for debugging purposes etc.) in the
same way as NT. While there is no directly corresponding attack, there has been a flaw
associated with the corresponding mechanism in certain implementations of UNIX.
Access to the kernel's memory (and hence to vital process information) is
mediated by the file /dev/kmem. In one release of SunOS this file was given
incorrect access permissions when the system was installed according to the
manufacturer's instructions. Thus any user could access the kernel's memory, instead
of this being an exclusive privilege of the administrator. This made it a trivial
matter to change the UID of running processes etc. [8].
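As an added example (not from the paper), a POSIX shell check for the kind of misconfiguration described above: it reads the mode bits of kernel-memory device nodes and reports any that grant read or write access to every user. The device names /dev/kmem, /dev/mem and /dev/port are the usual Linux/BSD names and are assumptions; on a modern Linux system /dev/kmem is usually absent, which the script reports as a skip. The check inspects classic mode bits only (not ACLs) and works on ordinary files as well as device nodes, so it can be exercised without touching real devices.

```shell
#!/bin/sh
# Added example: audit kernel-memory device nodes for world access, the
# misconfiguration that let any SunOS user read /dev/kmem. Not from the paper.
# Checks classic mode bits only; ACLs (shown by ls as a trailing "+") are ignored.

# Print "world" if "other" has read or write permission on $1, "ok" if not,
# or "missing" if the path does not exist. Always exits 0 (safe under set -e).
other_access() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    # ls -ld prints e.g. "crw-r-----"; columns 8-9 are the "other" r and w bits.
    perms=$(ls -ld "$path" | cut -c8-9)
    case "$perms" in
        r*|*w) echo world ;;
        *)     echo ok ;;
    esac
}

# Audit every path given as an argument. One report line per path, then the
# number of world-accessible nodes as the final line (0 means the audit passed).
audit_kmem_devices() {
    bad=0
    for dev in "$@"; do
        case "$(other_access "$dev")" in
            world)
                echo "INSECURE: $dev is readable/writable by everyone ($(ls -ld "$dev" | cut -c1-10))"
                bad=$((bad + 1)) ;;
            ok)
                echo "ok: $dev ($(ls -ld "$dev" | cut -c1-10))" ;;
            *)
                echo "skip: $dev not present" ;;
        esac
    done
    echo "$bad"
}

# Default target list when run directly (assumed Linux/BSD device names).
if [ "$#" -eq 0 ]; then
    set -- /dev/kmem /dev/mem /dev/port
fi
audit_kmem_devices "$@"
```

On a correctly configured system /dev/mem and /dev/kmem are owned by root with a restrictive group (typically kmem) and no permissions for "other"; the SunOS release in the text would have shown up as an INSECURE line here.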
8.3.16 NTRecover with write permission (see 7.7.2)
See section 8.3.14.
8.3.17 Password cracking via the network (L0phtcrack) (see 7.7.5, 7.7.5.2, 7.7.5.3)
Since the introduction of NIS this has been a possibility in UNIX installations. NIS
does very little to prevent unauthorized hosts from gaining access to the hashed
passwords of a system: by default any host that knows the NIS domain name can
request the passwd map, hashes included. Once these hashes have been obtained the
attacker is free to try to crack them off line. Since there was no need to be backward
compatible with any existing system when NIS was designed, however, the flaws that
appear in conjunction with LAN Manager passwords (no salt, case folding, and a hash
split into two independently crackable 7-character halves) have no direct counterpart
in UNIX/NIS, whose crypt(3) hashes are salted [59], [3] and [8].
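The exposure just described can be checked from any host on the network with ypcat. As an added example that is not part of the paper, the following POSIX shell/awk filter takes a passwd map in the form ypcat prints it and lists the accounts whose password field actually carries a hash, with the hash family inferred from its prefix. The map embedded below is constructed for the example (the hash strings are dummies of the right shape, not hashes of any real password); on a real NIS domain the input would come from `ypcat -d DOMAIN -h SERVER passwd`, where DOMAIN and SERVER are placeholders.

```shell
#!/bin/sh
# Added example (not from the paper): find password hashes exposed in a NIS
# passwd map. Live usage:  ypcat -d "$DOMAIN" -h "$SERVER" passwd | exposed_hashes

# Read passwd(5)-format lines on stdin and print "user:hashtype" for each
# account whose second field is a crackable hash rather than a shadow or lock
# marker (x, *, !, or empty). Hash families are told apart by their prefix.
exposed_hashes() {
    awk -F: '
        $2 == "" || $2 == "x" || $2 ~ /^[*!]/ { next }   # nothing to crack here
        $2 ~ /^\$1\$/ { t = "md5crypt" }
        $2 ~ /^\$5\$/ { t = "sha256crypt" }
        $2 ~ /^\$6\$/ { t = "sha512crypt" }
        $2 !~ /^\$/ && length($2) == 13 { t = "descrypt" }  # classic crypt(3): 2-char salt, 8-char password limit
        t == "" { t = "unknown" }
        { print $1 ":" t; t = "" }
    '
}

# Constructed sample map; the hash fields are made-up strings of the right
# shape, not hashes of any real password.
SAMPLE_MAP='root:$6$c0nstructed$Zz9yYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhHgGfFeEdDcCbBaA0123456789AB:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:ab3R0tnqZdrLw:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$abcdefghijklmnopqrstuv:1003:1003:Carol:/home/carol:/bin/sh
dave:*:1004:1004:Dave:/home/dave:/bin/false
eve:!:1005:1005:Eve:/home/eve:/bin/false'

# Run the filter over the sample map.
demo_exposed() {
    printf '%s\n' "$SAMPLE_MAP" | exposed_hashes
}

demo_exposed
```

Every line this prints is an account whose hash an attacker can carry off and attack off line, exactly the situation the text describes; the remedy is to keep hashes out of the map (shadow passwords with a separate, restricted passwd.adjunct or shadow map) and to restrict which hosts ypserv answers. The hash family matters for the cracking effort: the 13-character descrypt form limits passwords to 8 significant characters, whereas the $5$/$6$ forms do not, but all of them carry a salt, which is the property the LAN Manager hash lacks.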