
Analysis of the Security of Windows NT, 1 March 1999, page 69

able maintenance software will then let the attacker read, and modify, files on the mounted disk at will. It would be simple to modify local password files to incorporate a new supervisor account with a new password, or otherwise modify user authorization data, as is done with NTLocksmith [58] and [59].

8.3.15 GetAdmin (see 7.7.4)

UNIX does not handle access to process memory (for debugging purposes etc.) in the same way as NT. While there is no directly corresponding attack, there has been a flaw associated with the corresponding mechanism used for this purpose in certain implementations of UNIX. Access to the kernel's memory (and hence vital process information) is mediated by the file /dev/kmem. In one release of SunOS this file was configured with incorrect access permissions when the system was installed as per the manufacturer's instructions. Thus any user could access the kernel's memory, instead of this being an exclusive privilege of the administrator. This made it a trivial matter to change the UID of running processes, etc. [8].

8.3.16 NTRecover with write permission (see 7.7.2)

See section 8.3.14.

8.3.17 Password cracking via the network (L0phtcrack) (see 7.7.5, 7.7.5.2, 7.7.5.3)

Since the introduction of NIS this has been possible in UNIX installations. NIS does very little to prevent unauthorized hosts from gaining access to the hashed passwords of a system. Once these passwords have been obtained, the attacker is free to try to crack them off line. Since there was no need to be backward compatible with any existing system when NIS was designed, however, the flaws that appear in conjunction with LAN Manager passwords have no direct counterpart in UNIX/NIS [59], [3] and [8].
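The SunOS /dev/kmem misconfiguration described in 8.3.15 is the kind of defect a permission audit catches. The following is an added example, not code from the report: it checks the classic kernel-memory device files (the path list and the "root-owned, no group or world bits" policy are assumptions for this example) and reports any that non-administrators could read or write.

```python
"""Audit the permission bits on kernel-memory device files.

Constructed example: flags any device that is group- or world-accessible,
or not owned by root (uid 0), which is the misconfiguration that let any
SunOS user read kernel memory (and hence process credentials).
"""
import os
import stat
from typing import Dict, List

# Device files that expose kernel virtual / physical memory on classic UNIX.
# Assumed list for this example; adjust for the platform being audited.
DEFAULT_DEVICES = ["/dev/kmem", "/dev/mem"]


def classify_mode(mode: int, uid: int) -> List[str]:
    """Return the policy violations for a device with the given mode and owner."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group-accessible")   # any member of the owning group
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world-accessible")   # any local user, as on that SunOS release
    return problems


def audit_devices(paths=DEFAULT_DEVICES) -> Dict[str, List[str]]:
    """Stat each path and map it to its problems ('missing' if it does not exist)."""
    report: Dict[str, List[str]] = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        report[path] = classify_mode(st.st_mode, st.st_uid)
    return report


if __name__ == "__main__":
    for path, problems in audit_devices().items():
        print(path, "OK" if not problems else ", ".join(problems))
```

A clean result is an empty problem list, i.e. mode 0600 and owner root; a non-empty list is the finding to fix.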