Re: sqwebmail web login

scott.jefferd_at_cantire.com
Date: 02/03/04

    To: bugtraq@securityfocus.com
    Date: Tue, 3 Feb 2004 09:40:24 -0500
    
    

    This is actually very similar to another problem that some on BugTraq may
    be interested in. There is at least one major "Unix-based" OS (AIX) that
    in its default configuration will provide a unique reply for a correctly
    guessed password when direct remote login is disabled for the userid in
    question. For example, the message reply for an incorrectly guessed
    password might be "Incorrect userid or password" whereas a correct guess
    would yield a message such as "Remote logins for this account are not
    allowed".

    It's an issue that I have submitted to BugTraq in the past and had rejected
    as being a known issue / not a bug / configuration issue. In my mind it is
    simply incorrect and unnecessary to advertise the fact that you have found
    the valid password for a given account; this type of information is only
    useful to an attacker. Presumably if you legitimately have access to a
    given account you will be aware that remote logins are not permitted for
    that account. I realize that even if a password is guessed for an account
    with remote logins disabled that you have to gain access to the host with
    some other method or id for this information to be of any use, but it's
    still a shortcoming with no good reason to exist and could allow privilege
    escalation in some circumstances. Spare me replies that point out that
    with a password of sufficient complexity and login delay mechanisms it
    would take inordinately long to brute-force a password in this method, I
    know. For those interested who would like related reading material, the
    paper "Brute Force Attack on UNIX Passwords with SIMD Computer" by Kedem
    and Ishihara from Usenix Security 8 is excellent, Google for it.

    I suspect that this issue may exist with many Unix-based operating systems;
    Dave Ahmad suggested that this same behaviour exists on Solaris.
    Personally I can only confirm this result on AIX 4.3.3 - AIX 5.1. I went
    so far as to open a problem ticket with IBM for AIX, if anyone else would
    like further details contact me off-list.

    SJ.
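As an added illustration, not part of the original post or of AIX's login code, the following Python models the two reply strategies the post contrasts: a login check whose second reply confirms that the password guess was correct, and a hardened check that returns one reply to the remote client for every failure while keeping the real reason for the server-side audit log. The account names, password hashes and the `rlogin` flag are constructed sample data, with the flag standing in for the AIX remote-login restriction.

```python
import hashlib
import hmac

# Constructed sample account store: a password hash plus a flag saying whether
# remote (network) login is permitted for the account.
ACCOUNTS = {
    "alice": {"hash": hashlib.sha256(b"correct horse").hexdigest(), "rlogin": True},
    "bob":   {"hash": hashlib.sha256(b"battery staple").hexdigest(), "rlogin": False},
}

GENERIC_REPLY = "Incorrect userid or password"


def _password_ok(user, password):
    """Constant-time comparison of the supplied password's hash against the store."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(acct["hash"], candidate)


def leaky_remote_login(user, password):
    """Models the behaviour the post describes: the reply text depends on which
    check failed, so a correct password on a restricted account is confirmed
    to the remote client. Returns (reply sent to client, audit reason)."""
    if not _password_ok(user, password):
        return GENERIC_REPLY, "bad credentials"
    if not ACCOUNTS[user]["rlogin"]:
        return "Remote logins for this account are not allowed", "remote login disabled"
    return "OK", "login ok"


def uniform_remote_login(user, password):
    """Hardened variant: evaluate every condition, then send the same reply for
    all failure cases. The specific reason goes only to the audit log, where an
    administrator (not the remote client) can see that a restricted account
    received a correct password. Returns (reply sent to client, audit reason)."""
    pw_ok = _password_ok(user, password)
    allowed = ACCOUNTS.get(user, {}).get("rlogin", False)
    if pw_ok and allowed:
        return "OK", "login ok"
    reason = "remote login disabled" if pw_ok and not allowed else "bad credentials"
    return GENERIC_REPLY, reason


def reply_is_oracle(login_fn, user, wrong_password, right_password):
    """True if the client-visible reply lets a remote caller tell a correct
    password from a wrong one for an account that cannot log in remotely."""
    return login_fn(user, wrong_password)[0] != login_fn(user, right_password)[0]
```

Comparing `reply_is_oracle` for the two functions on the restricted account shows the leak in the first and its absence in the second, while the audit reason still records the event for the defender.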

