Security Basics mailing list archives

Related to: sqwebmail web login reported on BugTraq


From: scott.jefferd () cantire com
Date: Tue, 3 Feb 2004 10:17:27 -0500

The vulnerability in sqwebmail mentioned in the subject is similar to a
generic configuration weakness I have come across.  There is at least one
major "Unix-based" OS (AIX) that in its default configuration will provide
a unique reply for a correctly guessed password when direct remote login is
disabled for the userid in question.   For example, the message reply for
an incorrectly guessed password might be "Incorrect userid or password",
whereas a correct guess would yield a message such as "Remote logins for
this account are not allowed".  I have been a sysadmin for about 4 years
now and was unaware that this configuration issue existed, so I mention it
here in the hopes that others will become aware of it, because it seems to
be a fairly widespread occurrence.

It's an issue that I have submitted to the standard BugTraq list in the
past and had rejected as being a known issue / not a bug / configuration
issue and unworthy of BugTraq, so perhaps it belongs here.  In my mind it
is simply incorrect and unnecessary to advertise the fact that you have
found the valid password for a given account; this type of information is
only useful to an attacker.  Presumably if you legitimately have access to
a given account you will be aware that remote logins are not permitted for
that account.  I realize that even if a password is guessed for an account
with remote logins disabled that you have to gain access to that host via
some other method or id for this information to be of any use, but it's
still a shortcoming with no good reason to exist and could allow privilege
escalation in some circumstances.  Spare me replies that point out that
with a password of sufficient complexity and login delay mechanisms it
would take inordinately long to brute-force a password in this method, I
know.  For those interested who would like related reading material, the
paper "Brute Force Attack on UNIX Passwords with SIMD Computer" by Kedem
and Ishihara from Usenix Security 8 is excellent; Google for it.

I suspect that this issue may exist with many Unix-based operating systems;
Dave Ahmad suggested that this same behaviour exists on Solaris.
Personally I can only confirm this result on AIX 4.3.3 - AIX 5.1.   I went
so far as to open a problem ticket with IBM for AIX; if anyone else would
like further details, contact me off-list.

SJ.
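As an added illustration of the two response patterns the post describes (constructed example, not code from the original author, from AIX or from sqwebmail), the following Python shows a login check that leaks whether a password was correct by returning a distinct "remote logins not allowed" message, beside a hardened version that returns one generic message for every failure and records the real reason only in a server-side audit log. The account table, user names, passwords and the `ACCOUNTS`, `leaky_login`, `hardened_login` and `AUDIT_LOG` names are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo account table. Passwords are stored as salted PBKDF2 hashes;
# a production system would use a purpose-built password KDF (bcrypt/scrypt/argon2).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def _account(password: str, remote_login: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "remote_login": remote_login}

ACCOUNTS = {
    "alice": _account("alice-secret", remote_login=False),  # like the AIX case in the post
    "bob": _account("bob-secret", remote_login=True),
}

GENERIC_FAILURE = "Incorrect userid or password"

def leaky_login(user: str, password: str) -> str:
    """The weak pattern: the 'remote logins disabled' check runs only after the
    password check succeeded, so its distinct message confirms a correct guess."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        return GENERIC_FAILURE
    if not acct["remote_login"]:
        return "Remote logins for this account are not allowed"
    return "Login successful"

# Dummy credential used so that unknown users still cost one hash computation,
# keeping response time roughly uniform across the failure cases.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

AUDIT_LOG: list[str] = []  # constructed stand-in for syslog / the host audit trail

def hardened_login(user: str, password: str) -> str:
    """The fixed pattern: evaluate every condition, return one message for any
    failure, and keep the specific reason where only administrators can see it."""
    acct = ACCOUNTS.get(user)
    salt = acct["salt"] if acct else _DUMMY_SALT
    expected = acct["hash"] if acct else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    allowed = acct is not None and acct["remote_login"]

    if password_ok and allowed:
        AUDIT_LOG.append(f"user={user} result=success")
        return "Login successful"

    if acct is None:
        reason = "no_such_user"
    elif not password_ok:
        reason = "bad_password"
    else:
        reason = "remote_login_disabled"  # visible to the admin, not to the client
    AUDIT_LOG.append(f"user={user} result=failure reason={reason}")
    return GENERIC_FAILURE

def responses_distinguishable(login, user: str, good: str, bad: str) -> bool:
    """True if a wrong and a right password for a remote-login-disabled
    account produce different client-visible messages."""
    return login(user, good) != login(user, bad)

if __name__ == "__main__":
    print("leaky:   ", responses_distinguishable(leaky_login, "alice", "alice-secret", "x"))
    print("hardened:", responses_distinguishable(hardened_login, "alice", "alice-secret", "x"))
    print("\n".join(AUDIT_LOG))
```

The check to run against a real login path is the last function: if a remote-login-disabled account answers differently to a right and a wrong password, the service is acting as the password oracle the post describes, and the fix is to collapse the client-visible messages while keeping the distinction in the audit log.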