Message-ID: <55900D86.40007@mailbox.org>
Date: Sun, 28 Jun 2015 17:06:46 +0200
From: Frank Dittrich <frank.dittrich@...lbox.org>
To: john-dev@...ts.openwall.com
Subject: Re: more robustness

On 06/28/2015 01:54 PM, Kai Zhao wrote:
>> I think more people might try out and comment on your new --fuzz option
>> if you would push your changes to (a separate branch of) your own github
>> repository and provide a link to that repository/branch.
> 
> Thanks, here is the link:
> 
> https://github.com/loverszhaokai/JohnTheRipper/tree/fuzz_option

1.

I think you should mention the --fuzz[=DICTFILE] option in the
--list=hidden-options output, if only to make the option known to john's
bash completion.
I would add it after the --stress-test[=TIME] option.


2.

I did:

(fuzz_option)src $ ./configure --disable-openmp --enable-asan

(fuzz_option)src $ make -s -j 16
(fuzz_option)src $ cd ../run

(fuzz_option)run $ ./john --fuzz --format=MSCHAPv2
Fuzzing: MSCHAPv2, C/R [MD4 DES (ESS MD5) 128/128 AVX 4x3] in UTF-8 mode...
=================================================================
==19657==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000008099ff at pc 0x0000006b88c6 bp 0x7ffd10c110d0 sp 0x7ffd10c110c0
READ of size 1 at 0x0000008099ff thread T0
    #0 0x6b88c5 in append_last_char /home/fd/git/fuzz-JtR/src/formats.c:858
    #1 0x6b92a5 in get_next_fuzz_case
/home/fd/git/fuzz-JtR/src/formats.c:1114
    #2 0x6bd2fd in fuzz_test /home/fd/git/fuzz-JtR/src/formats.c:1147
    #3 0x6a4d2e in fuzz /home/fd/git/fuzz-JtR/src/bench.c:829
    #4 0x6c995d in john_run /home/fd/git/fuzz-JtR/src/john.c:1367
    #5 0x6cae5c in main /home/fd/git/fuzz-JtR/src/john.c:1753
    #6 0x7f714bdeb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #7 0x406878 in _start (/home/fd/git/fuzz-JtR/run/john+0x406878)

0x0000008099ff is located 1 bytes to the left of global variable
'*.LC22' defined in 'ntlmv1_mschapv2_fmt_plug.c' (0x809a00) of size 1
  '*.LC22' is ascii string ''
0x0000008099ff is located 61 bytes to the right of global variable
'*.LC21' defined in 'ntlmv1_mschapv2_fmt_plug.c' (0x8099a0) of size 34
  '*.LC21' is ascii string 'MD4 DES (ESS MD5) 128/128 AVX 4x3'
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/fd/git/fuzz-JtR/src/formats.c:858 append_last_char
Shadow bytes around the buggy address:
==19657==ABORTING


This looks like a buffer overflow in your fuzzer, doesn't it?
(It took almost half an hour until I got this ASan error.)


3.

(fuzz_option)run $ ./john --list=build-info
Version: 1.8.0.6-jumbo-1-bleeding_asan
Build: linux-gnu 64-bit AVX-autoconf
Time stamp: Sun Jun 28 14:02:04 2015

You could rebase your git repository on magnum's latest bleeding-jumbo.
It might have some bugs fixed, and it reports much more useful version
info than that "time stamp" (actually, the time listconf.c changed):

(bleeding-jumbo)run $ ./john --list=build-info
Version: 1.8.0.6-jumbo-1-154-g96aeffc
Build: linux-gnu 64-bit AVX-autoconf OMP

That version string tells you that my git repository is 154 commits
ahead of 1.8.0.6-jumbo, and my latest commit is 96aeffc.
This is a local commit, as
$ git show 96aeffc
will tell you.
And, I have no uncommitted changes in my git repository, otherwise the
version string would be 1.8.0.6-jumbo-1-154-g96aeffc+ instead.

While a git push --force (and thus, changing history) isn't a good idea
for public repositories that are supposed to be pulled by others (e.g.,
magnum's JohnTheRipper repository or Shinnok's johnny repository), I
think it wouldn't be much of a problem for your repository, so I think
it is up to you whether you merge or rebase.

Frank
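
As an added illustration of the defect class behind the ASan report above (example code, not the formats.c code from the repository; the function bodies and buffer sizes are hypothetical reconstructions): reading s[len - 1] from an empty string lands one byte to the left of its storage, which is the global-buffer-overflow ASan flagged, and a guarded version that rejects the empty case and bounds the destination.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the page's formats.c: a hypothetical fuzz-case
 * generator that copies a string and appends its last character again. */

/* Defect shape matching the ASan report: s[len - 1] is read even when
 * len == 0, so for the empty string "" it reads one byte to the left of the
 * string's storage, a global-buffer-overflow READ of size 1. */
static size_t append_last_char_unchecked(char *out, const char *s)
{
    size_t len = strlen(s);
    memcpy(out, s, len);
    out[len] = s[len - 1];   /* len == 0 -> index (size_t)-1: out of bounds */
    out[len + 1] = '\0';
    return len + 1;
}

/* Hardened version: rejects empty input and bounds the destination buffer.
 * Returns the new length, or 0 when no case can be produced. */
static size_t append_last_char(char *out, size_t out_size, const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len + 2 > out_size)   /* room for extra char and NUL */
        return 0;
    memcpy(out, s, len);
    out[len] = s[len - 1];
    out[len + 1] = '\0';
    return len + 1;
}

/* Number of constructed inputs that yield a case; empty strings are skipped. */
static int count_cases(const char *const *inputs, int n)
{
    char buf[64];   /* constructed size */
    int produced = 0;
    for (int i = 0; i < n; i++)
        if (append_last_char(buf, sizeof buf, inputs[i]) > 0)
            produced++;
    return produced;
}

int main(void)
{
    const char *const inputs[] = { "abc", "", "xy" };   /* constructed */
    char buf[64];
    append_last_char_unchecked(buf, "abc");   /* non-empty, so no OOB read */
    printf("%s\n", buf);                      /* abcc */
    printf("%d of 3 inputs produced a case\n", count_cases(inputs, 3));
    return 0;
}
```

Built with --enable-asan, calling the unchecked variant on "" reproduces the "1 bytes to the left of global variable" report; the guarded variant simply yields no case for that input.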
