This is actually very similar to another problem that some on BugTraq may be interested in. There is at least one major "Unix-based" OS (AIX) that in its default configuration will provide a unique reply for a correctly guessed password when direct remote login is disabled for the userid in question. For example, the message reply for an incorrectly guessed password might be "Incorrect userid or password", whereas a correct guess would yield a message such as "Remote logins for this account are not allowed". It's an issue that I have submitted to BugTraq in the past and had rejected as being a known issue / not a bug / configuration issue.

In my mind it is simply incorrect and unnecessary to advertise the fact that you have found the valid password for a given account; this type of information is only useful to an attacker. Presumably, if you legitimately have access to a given account, you will be aware that remote logins are not permitted for that account. I realize that even if a password is guessed for an account with remote logins disabled, you have to gain access to the host with some other method or id for this information to be of any use, but it's still a shortcoming with no good reason to exist and could allow privilege escalation in some circumstances. Spare me replies that point out that with a password of sufficient complexity and login delay mechanisms it would take inordinately long to brute-force a password in this method; I know.

For those interested who would like related reading material, the paper "Brute Force Attack on UNIX Passwords with SIMD Computer" by Kedem and Ishihara from Usenix Security 8 is excellent; Google for it. I suspect that this issue may exist with many Unix-based operating systems; Dave Ahmad suggested that this same behaviour exists on Solaris. Personally I can only confirm this result on AIX 4.3.3 - AIX 5.1.
I went so far as to open a problem ticket with IBM for AIX; if anyone else would like further details, contact me off-list. SJ.
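The distinguishable-reply problem the post describes, shown as an added example that is not part of the original BugTraq message and not AIX's login code: a toy login handler with the leaky behaviour beside a hardened variant that evaluates every condition first and then returns one generic reply for any failure. The user database, salt, passwords and message strings are constructed for the example; only the two reply texts are taken from the post.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, sha256(salt + password), remote_login_allowed).
def _hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

_SALT = b"constructed-salt"  # a real system uses a per-user random salt
USERS = {
    "alice": (_SALT, _hash(_SALT, "alice-pass"), True),
    "bob":   (_SALT, _hash(_SALT, "bob-pass"), False),  # remote logins disabled for bob
}
# Dummy record so unknown users still cost one hash comparison (keeps timing uniform).
_DUMMY = (_SALT, _hash(_SALT, "dummy-not-a-real-password"), False)

GENERIC_FAILURE = "Incorrect userid or password"
POLICY_FAILURE = "Remote logins for this account are not allowed"


def login_leaky(user: str, password: str, remote: bool = True):
    """Mirrors the behaviour described in the post: the reply text reveals
    whether the password was right, because the remote-login policy is only
    checked after the password has already been verified."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec[1], _hash(rec[0], password)):
        return (False, GENERIC_FAILURE)
    if remote and not rec[2]:
        return (False, POLICY_FAILURE)  # <- the oracle: only reachable with a correct password
    return (True, "Login successful")


def login_uniform(user: str, password: str, remote: bool = True):
    """Hardened variant: compute every check, then emit a single generic
    message for any failure. The real reason is recorded server-side only."""
    rec = USERS.get(user, _DUMMY)
    known = user in USERS
    pw_ok = hmac.compare_digest(rec[1], _hash(rec[0], password))
    policy_ok = (not remote) or rec[2]
    if known and pw_ok and policy_ok:
        return (True, "Login successful")
    # Server-side audit detail for the administrator; never sent to the client.
    audit_reason = "unknown user" if not known else ("bad password" if not pw_ok else "remote login disabled")
    _audit_log.append((user, audit_reason))
    return (False, GENERIC_FAILURE)


_audit_log: list = []


def failure_replies(login_fn, user: str, attempts) -> set:
    """Regression check a defender can run against a login front end: the set
    of distinct reply texts for failed attempts must have exactly one member,
    otherwise the reply itself is an oracle for password validity."""
    return {login_fn(user, pw)[1] for pw in attempts if not login_fn(user, pw)[0]}


if __name__ == "__main__":
    attempts = ["guess-1", "bob-pass"]  # constructed; the second is bob's real password
    print("leaky  :", failure_replies(login_leaky, "bob", attempts))    # two distinct messages
    print("uniform:", failure_replies(login_uniform, "bob", attempts))  # one message
```

The key design point is ordering: the hardened handler never short-circuits on the password check, so the policy failure cannot be reached only by callers who already hold a valid password. The audit detail that the administrator needs ("remote login disabled" for a correct password) still exists, but only in the server-side log where the post's complaint does not apply.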