Re: sqwebmail web login
This is actually very similar to another problem that some on BugTraq may
be interested in. There is at least one major "Unix-based" OS (AIX) that
in it's default configuration will provide a unique reply for a correctly
guessed password when direct remote login is disabled for the userid in
question. For example, the message reply for an incorrectly guessed
password might be "Incorrect userid or password" whereas a correct guess
would yield a message such as "Remote logins for this account are not
allowed".
It's an issue that I have submitted to BugTraq in the past and had rejected
as being a known issue / not a bug / configuration issue. In my mind it is
simply incorrect and unnecessary to advertise the fact that you have found
the valid password for a given account, this type of information is only
useful to an attacker. Presumably if you legitimately have access to a
given account you will be aware that remote logins are not permitted for
that account. I realize that even if a password is guessed for an account
with remote logins disabled that you have to gain access to the host with
some other method or id for this information to be of any use, but it's
still a shortcoming with no good reason to exist and could allow privilege
escalation in some circumstances. Spare me replies that point out that
with a password of sufficient complexity and login delay mechanisms it
would take inordinately long to brute-force a password in this method, I
know. For those interested that would like related reading material, the
paper "Brute Force Attack on UNIX Passwords with SIMD Computer" by Kedem
and Ishihara from Usenix Security 8 is excellent, Google for it.
I suspect that this issue may exist with many Unix-based operating systems,
Dave Ahmad suggested that this same behaviour exists on Solaris.
Personally I can only confirm this result on AIX 4.3.3 - AIX 5.1. I went
so far as to open a problem ticket with IBM for AIX, if anyone else would
like further details contact me off-list.
SJ.