BigFix solution to major security issue in Apple High Sierra!

So the solution is that if the passwd length is 8, then test if a blank password works… using an action:

dscl . -authonly <username> ""

Don’t do this if length is 1, because then it would probably create the problem.

The exit code was 10 on a system where root was NOT blank. I assume the exit code is 0 on a system where root is blank.


You got there first this time … I’m literally looking at the “echo $?, 10” lines right now. :)


So I have heard some things about systems other than BigFix that suggest to me that this could affect BigFix’s use of shell stuff on the Mac since BigFix runs as root. I don’t think this is the case, but I’m less confident in that now since I haven’t tested this well.

It should be possible to tell if the root exploit was done to a machine by checking that the number of iterations is 1 for the password expansion. The problem is that it is a string of data that is a plist within another file, so it would be very hard to decode using relevance directly.
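The iteration check described in the last post, as an added example that is not part of the original thread: it decodes the plist nested inside the user record and flags an iteration count of 1. The key names `ShadowHashData` and `SALTED-SHA512-PBKDF2`, the record path in the comment, and the constructed sample records are assumptions that the thread does not state.

```python
import plistlib
import sys

# Assumed macOS names (not given in the thread): local account records live in
# /var/db/dslocal/nodes/Default/users/<name>.plist (readable by root only), and
# the ShadowHashData key holds a binary plist with a SALTED-SHA512-PBKDF2 dict.
SHADOW_KEY = "ShadowHashData"
HASH_KEY = "SALTED-SHA512-PBKDF2"


def pbkdf2_iterations(record_bytes):
    """Return the PBKDF2 iteration count stored in a user record, or None."""
    record = plistlib.loads(record_bytes)
    for blob in record.get(SHADOW_KEY) or []:
        try:
            inner = plistlib.loads(bytes(blob))  # the plist nested inside the plist
        except Exception:
            continue  # not a decodable plist blob; try the next one
        params = inner.get(HASH_KEY) if isinstance(inner, dict) else None
        if isinstance(params, dict) and "iterations" in params:
            return int(params["iterations"])
    return None


def classify(record_bytes):
    """Map a user record to 'suspect' (iterations == 1), 'ok' or 'no-shadow-hash'."""
    n = pbkdf2_iterations(record_bytes)
    if n is None:
        return "no-shadow-hash"
    return "suspect" if n == 1 else "ok"


def make_sample(iterations):
    """Constructed test record, not real account data; None omits the hash."""
    record = {"name": ["root"]}
    if iterations is not None:
        params = {"entropy": b"\x00" * 128, "salt": b"\x01" * 32, "iterations": iterations}
        inner = plistlib.dumps({HASH_KEY: params}, fmt=plistlib.FMT_BINARY)
        record[SHADOW_KEY] = [inner]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a user record, e.g. root.plist
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
    else:  # no path given: run over the constructed samples
        for n in (1, 45000, None):
            print(n, classify(make_sample(n)))
```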