Message-ID: <5068D549.8050300@mccme.ru>
Date: Mon, 01 Oct 2012 03:27:05 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Static analysis of John using Coverity

On 2012-09-19 20:44, jfoug wrote:
> I am going to add these to the wiki, as known crashed.

Thanks!

> It will be 'linked'
> on the wish list page, but I will simply create a full page for this. Post
> more (unique ones),

I don't think that different unique crashers are interesting in many cases. In most cases valid() is almost absent and get_salt() will crash on every step, overfill all buffers etc. Crashers which look like a tag plus several zeros usually point to such cases. But there are accurate formats (like salted-sha1) where crashes are results of bugs, sometimes subtle bugs.

> that you know cause a format to pass valid, but are not
> valid, and cause crashes, buffer overflows, etc.

Ok, here are several more:

$WoWSRP$0000000000000000000000000000000000000000000000000000000000000000$0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*
$mskrb5$$$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
{SSHA}========================================
$o5logon$0000

And now several variations which crash *2john programs or pass through them and then crash john:

----------------------------------------------------------------------
agilekeychain

$ mkdir -p data/default
$ printf '{"list": [{"identifier": "", "level": "", "data": "%010000d\u0000", "validation": "\u0000", "iterations": 0}]}' > data/default/encryptionKeys.js
$ ../run/agilekc2john.py . > agilekeychain.john
$ ../run/john agilekeychain.john
Loaded 1 password hash (1Password Agile Keychain PBKDF2-HMAC-SHA-1 AES [32/64])
Segmentation fault
----------------------------------------------------------------------
dmg

$ make dmg2john
$ perl -C0 -e 'print pack "a*x48Q>", "encrcdsa", -1' > test.dmg
$ ../run/dmg2john test.dmg
Segmentation fault
$ perl -C0 -e 'print pack "a*x48Q>x44Nx136", "encrcdsa", 4097, -1' > test.dmg
$ ../run/dmg2john test.dmg > dmg.john
$ ../run/john dmg.john
Segmentation fault
----------------------------------------------------------------------
encfs

$ echo '<root><keySize>a</keySize><kdfIterations>a</kdfIterations><name>a</name><saltData>AAAA</saltData><saltLen>10000</saltLen><encodedKeySize>a</encodedKeySize><encodedKeyData>AAAA</encodedKeyData></root>' > .encfs6.xml
$ ../run/encfs2john.py . > encfs.john
$ ../run/john encfs.john
Segmentation fault
----------------------------------------------------------------------
ike

$ perl -le 'print(("0" x 6000 . "*") x 10)' > test.ike
$ ../run/ikescan2john.py test.ike > ike.john
$ ../run/john ike.john
Segmentation fault
----------------------------------------------------------------------
keepass

$ perl -C0 -e 'print pack "V3Cv", 0x9AA2D903, 0xB54BFB67, 0, 6, 0' > test.keepass
$ ../run/keepass2john test.keepass
Segmentation fault
$ perl -C0 -e 'print pack "V3CvQCva32", 0x9AA2D903, 0xB54BFB67, 0, 6, 8, -1, 0, 0' > test.keepass
$ ../run/keepass2john test.keepass > keepass.john
$ ../run/john keepass.john
Segmentation fault
----------------------------------------------------------------------
keyring

$ gcc -Wall keyring2john.c -o ../run/keyring2john
$ perl -C0 -e 'print pack "a*x4Na10000", "GnomeKeyring\n\r\0\n", 10000' > test.keyring
$ ../run/keyring2john test.keyring
Segmentation fault
----------------------------------------------------------------------
krb5-18

$ perl -le 'printf "\@%s\n18,%s", "x" x 300, "0" x 64' > test.kdcdump
$ ../run/kdcdump2john.py test.kdcdump > krb5-18.john
$ ../run/john krb5-18.john
Loaded 1 password hash (KRB5 aes256-cts-hmac-sha1-96 [32/64])
Segmentation fault
----------------------------------------------------------------------
pbkdf2-hmac-sha512

$ perl -e 'print "<plist><dict><key>SALTED-SHA512-PBKDF2</key><dict><key>entropy</key><data>" . "A" x 256 . "</data><key>salt</key><data>" . "A" x 1000 . "</data><key>iterations</key><integer>1</integer></dict></dict></plist>"' > salt.tmp
$ (echo -n '<plist><dict><key>ShadowHashData</key><array><data>'; plutil -i salt.tmp | base64; echo -n '</data></array></dict></plist>') > hash.tmp
$ plutil -i hash.tmp > test.plist
$ ../run/ml2john.py test.plist > ml.john
$ ../run/john ml.john
Loaded 1 password hash (GRUB2 / OS X 10.8 pbkdf2-hmac-sha512 [PBKDF2-SHA512 CPU])
Segmentation fault
----------------------------------------------------------------------
pkzip

$ perl -C0 -e 'print pack "Vx22va10000", 0x04034b50, -1' > test.zip
$ ../run/zip2john test.zip
Error, in fread of file data!
Segmentation fault
----------------------------------------------------------------------
racf

$ perl -le 'print "A" x 100, " x x x"' > test.cracf
$ ../run/cracf2john.py test.cracf > racf.john
$ ../run/john racf.john
Loaded 1 password hash (RACF DES [32/64])
Segmentation fault
----------------------------------------------------------------------
salted-sha1

$ echo -e 'uid: a\nuserPassword: {SSHA}========================================\n\n' > test.ldif
$ ../run/ldif2john.pl test.ldif > ssha.john
$ ../run/john ssha.john
Segmentation fault
----------------------------------------------------------------------
wpapsk

$ for i in $(seq 0 255); do perl -C0 -e "print chr($i) x 0x188" > test.hccap; ../run/hccap2john test.hccap; done > hccap.john
$ ../run/john hccap.john
Segmentation fault

The exact hash on which john crashes depends on details of the build etc.
----------------------------------------------------------------------

-- 
Alexander Cherepanov