[OpenAFS-devel] Win2K bug in OpenAFS 1.2.0 token handling

Leif Johansson leifj@it.su.se
Thu, 20 Sep 2001 11:36:13 +0200


On Wed, Sep 19, 2001 at 12:17:37PM -0500, Marc Dionne wrote:
> There's a bug in OpenAFS 1.2.0 (and probably earlier versions) on
> Windows 2000 which allows users to use/steal other users' tokens.  In
> some environments this could be a serious security problem.  I'd be
> curious to hear if others can reproduce this.
> 
> Here's the scenario:
> 
> - Login as user A, get an AFS token
> - Open up a command prompt window running as user B:
>       runas /user:B /prof cmd.exe
> - Verify that user B has no token at this point
> - From the B window:
>      net use p: \\<machine>-afs\all /user:A
> - "tokens" shows that B now has A's token and can access AFS using that
> token.  If either user klogs or unlogs at this point, they affect the
> same token.  I also noticed that if B uses drive mappings other than the
> one created above to access AFS, access is VERY slow, but is granted
> according to A's token.  If B uses the newly mapped drive, access is
> much faster.
> - Deleting the drive mapping (net use p: /d) makes things go back to
> normal, and B no longer has a token.
> 
> On a machine with the IBM AFS client v.3.6-2.18, the attempt to map to
> AFS as a different user fails with:
> "The credentials supplied conflict with an existing set of credentials."
> 
> ..which sounds like the appropriate response.
> 
> I'm looking into a potential patch.
> 

Are you using SP2? I saw similar things happening when running un-SP'ed,
but with SP2 the effects seemed to disappear.

	Best regards, leifj
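The reproduction steps in Marc's report, scripted so the before/after token state is checked mechanically and the mapping is always torn down afterwards. This is an added example for readers of the archive, not code posted by either author or shipped with OpenAFS. It assumes the Windows `tokens` command prints the text "tokens for" once per held token (so an empty output contains no such line), that the share is reached as `\\<machine>-afs\all` as in the post, and that the other user's name, the drive letter and the share name are filled in for your environment; run it from the command prompt started with `runas /user:B /prof cmd.exe`.

```batch
@echo off
REM Added example (not from the original thread): check whether this
REM OpenAFS client lets the current user (B) pick up another user's (A)
REM token through a drive mapping, then clean up.
REM Assumption: "tokens" prints "tokens for" for each token it holds.
REM OTHERUSER, DRIVE and SHARE are placeholders taken from the post.
setlocal
set OTHERUSER=A
set DRIVE=P:
set SHARE=\\%COMPUTERNAME%-afs\all

echo [1] Tokens held by this user before mapping (expect none):
tokens
tokens | find "tokens for" >nul && (
    echo This user already holds a token. Run "unlog" first so the test is meaningful.
    goto :eof
)

echo [2] Mapping %SHARE% as %OTHERUSER% (you will be prompted for that user's password):
net use %DRIVE% %SHARE% /user:%OTHERUSER%
if errorlevel 1 (
    echo net use was refused. A "credentials conflict" error here is the
    echo behaviour the IBM 3.6 client shows and is the safe outcome.
    goto :eof
)

echo [3] Tokens held by this user after mapping:
tokens
tokens | find "tokens for" >nul && (
    echo AFFECTED: this user now holds a token it never obtained itself.
) || (
    echo Not reproduced: the mapping succeeded but no token appeared.
)

echo [4] Removing the mapping and re-checking:
net use %DRIVE% /delete
tokens
endlocal
```

Run it once on the build under test and once on a client that refuses the mapping; the only line that should differ between an affected and an unaffected client is the verdict printed in step 3, since step 4 returns both to the no-token state the post describes.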