User Logout Bug <long> (fwd)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Nov 25 16:56:52 GMT 1998
AAAAAAAAAAGH! and we thought it was a problem with samba AAAAAGH!
<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk" > Samba and Network Consultancy </a>
---------- Forwarded message ----------
Date: Wed, 25 Nov 1998 09:40:55 -0600
From: Craig Huckabee <huck at cs.wisc.edu>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: User Logout Bug <long>
Hi,
This may or may not be a serious bug - it affects us and it may be
affecting some of you and you just don't know it.
It seems there is a bug in either userenv.dll or lsasrv.dll where a
user's NT token is not closed when they logout. The tech I spoke
with at Microsoft never let me know which module was responsible
for closing the token, but I'm guessing it is one of those two,
with my money on userenv.dll.
The result , the one we noticed anyway, is that sometimes calls to
NetWkstaUserEnum, and possibly any other calls in that family,
will result in bogus information. That call is supposed to return
the name of the currently logged in user. What you get is a list
of every non-admin user who has logged in since the last reboot.
For example, User A logs in and logs out. User B logs in and runs
a tool that uses NetWkstaUserEnum to determine who is logged in.
The list returned will contain User A and User B. The only exception
we have seen is the local administrator account - his token gets
closed properly and he only shows up while he's actually logged in.
This may be primarily because he doesn't have a roaming profile
in our current setup - the upload of the profile seems to be the
point where the bug occurs but I'm not positive.
Microsoft has confirmed that this is a bug and that it will be fixed
"sometime". I wanted to post this in case anyone else has been
puzzled by odd behavior that could be related to old NT user tokens
laying around in the kernel.
Here's why I speculate that the tokens could still be valid and that
this could be a security problem :
In another project here at the UW, we were looking for a way to 'su'
from one account to another *after* the original user had logged out
(so we could start processes as a given user while no one is logged
on interactively to the machine - to use spare CPU cycles). The
way to do this, as described by Microsoft, was to store the handle
to the user token you have (either from a LogonUser() or DuplicateToken()
call) in some structure in memory. As long as you didn't close the
handle *or* reboot the machine (as the token itself was stored in
a kernel structure) you could use that token for impersonation.
So, I'm thinking that this bug is essentially userenv.dll not closing
the handle to the valid token stored in the kernel.
Can you actually get to those tokens ? I dunno. I would imagine that
if a simple non-privilaged call like the one we were using could see
the tokens that there might also be ways to establish a handle to
them.
As I mentioned before, this may only be affecting a small group of
people out there. We have a real custom environment here : a
custom GINA, AFS for file service, etc., and that's why we stumbled
across the problem. We had to install a bare bones, stock NT machine
and see if we could reproduce the problem there, which we could, and
then document how to reproduce it for the MS Tech so he could try it.
Below is the list of steps we used. The Netwksta util just calls
NetWkstaUserEnum and prints out the user(s) that are currently logged
in - I can post a copy of that as well if anybody else wants to try
reproducing it.
----------------------------------------------------------------------
You'll need 1 computer, not in a domain, runnning SP3 + hotfixes.
1) Create a user. Make sure that user is in only the "Users" group.
The profile path should be set to an invalid profile path, like
Z:\foo.
2) Login as this user. Ignore the error message. Logout.
3) Change the user profile path to be blank (the default) or to a
valid location.
4) Login as the user again. Run the netwksta utility.
You'll see that it says there are 2 users logged in.
------------------------------------------------------------------------
--Craig
Craig Huckabee E-Mail : huck at cs.wisc.edu
Computer Systems Lab, Computer Sciences Department
University of Wisconsin-Madison
http://www.cs.wisc.edu/~huck/
More information about the samba-technical
mailing list