Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <009401d57549$728d4160$57a7c420$@dexlab.nl>
Date: Fri, 27 Sep 2019 17:37:09 +0200
From: "Vincent" <spam@...lab.nl>
To: <john-users@...ts.openwall.com>
Subject: Buffer overflow in dynamic using very long salts

Working on a dynamic format with a (very) long salt, I had some issue. Code
looks ok, but compares failed. While troubleshooting I mentioned that very
simple operations failed, e.g. hashing $s.$s. Using a slightly longer salt,
sha($s) also fails. User error and / or bug?

bofh@dev:/opt/JohnTheRipper/run$ more dynamic.conf
[List.Generic:dynamic_4001]
Expression=sha1($s) (test)
Flag=MGF_INPUT_20_BYTE
Flag=MGF_FLAT_BUFFERS
Flag=MGF_SALTED
SaltLen=260
MaxInputLen=110
MaxInputLenX86=110
Func=DynamicFunc__clean_input_full
Func=DynamicFunc__append_salt
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
Test=$dynamic_4001$37ae4b03d66a0256e6db5090aeae6d2f21356d04$abcdefghijklmnop
qrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghijklmn
opqrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghijkl
mnopqrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghijklmnopqrstuvwzyzabcdefghij
klmnopqrstuvwzyz:bogus
--More--

bofh@dev:/opt/JohnTheRipper/run$ ./john --test --format=dynamic_4001
Benchmarking: dynamic_4001 [sha1($s) (test) 256/256 AVX2 8x1]... *** buffer
overflow detected ***: ./john terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f553e77c7e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f553e81e15c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f553e81c160]
./john[0x47bb3e]
./john[0x47d6a6]
./john[0x6cbb3b]
./john[0x6ce446]
./john[0x6b1b0f]
./john[0x6c8908]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f553e725830]
./john[0x4057b9]
======= Memory map: ========
00400000-0092b000 r-xp 00000000 fc:03 55315767
/opt/JohnTheRipper/run/john
00b2a000-00b2b000 r--p 0052a000 fc:03 55315767
/opt/JohnTheRipper/run/john
00b2b000-00bb8000 rw-p 0052b000 fc:03 55315767
/opt/JohnTheRipper/run/john
00bb8000-02065000 rw-p 00000000 00:00 0
02ae8000-0478f000 rw-p 00000000 00:00 0
[heap]
7f5535942000-7f5535958000 r-xp 00000000 fc:03 21627405
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f5535958000-7f5535b57000 ---p 00016000 fc:03 21627405
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f5535b57000-7f5535b58000 rw-p 00015000 fc:03 21627405
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f5535b58000-7f553e42d000 rw-p 00000000 00:00 0
7f553e42d000-7f553e705000 r--p 00000000 fc:03 28574761
/usr/lib/locale/locale-archive
7f553e705000-7f553e8c5000 r-xp 00000000 fc:03 21627325
/lib/x86_64-linux-gnu/libc-2.23.so
7f553e8c5000-7f553eac5000 ---p 001c0000 fc:03 21627325
/lib/x86_64-linux-gnu/libc-2.23.so
7f553eac5000-7f553eac9000 r--p 001c0000 fc:03 21627325
/lib/x86_64-linux-gnu/libc-2.23.so
7f553eac9000-7f553eacb000 rw-p 001c4000 fc:03 21627325
/lib/x86_64-linux-gnu/libc-2.23.so
7f553eacb000-7f553eacf000 rw-p 00000000 00:00 0
7f553eacf000-7f553eae7000 r-xp 00000000 fc:03 21627310
/lib/x86_64-linux-gnu/libpthread-2.23.so
7f553eae7000-7f553ece6000 ---p 00018000 fc:03 21627310
/lib/x86_64-linux-gnu/libpthread-2.23.so
7f553ece6000-7f553ece7000 r--p 00017000 fc:03 21627310
/lib/x86_64-linux-gnu/libpthread-2.23.so
7f553ece7000-7f553ece8000 rw-p 00018000 fc:03 21627310
/lib/x86_64-linux-gnu/libpthread-2.23.so
7f553ece8000-7f553ecec000 rw-p 00000000 00:00 0
7f553ecec000-7f553ed0d000 r-xp 00000000 fc:03 28575439
/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0
7f553ed0d000-7f553ef0c000 ---p 00021000 fc:03 28575439
/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0
7f553ef0c000-7f553ef0d000 r--p 00020000 fc:03 28575439
/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0
7f553ef0d000-7f553ef0e000 rw-p 00021000 fc:03 28575439
/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0
7f553ef0e000-7f553ef17000 r-xp 00000000 fc:03 21627319
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7f553ef17000-7f553f116000 ---p 00009000 fc:03 21627319
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7f553f116000-7f553f117000 r--p 00008000 fc:03 21627319
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7f553f117000-7f553f118000 rw-p 00009000 fc:03 21627319
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7f553f118000-7f553f146000 rw-p 00000000 00:00 0
7f553f146000-7f553f149000 r-xp 00000000 fc:03 21627308
/lib/x86_64-linux-gnu/libdl-2.23.so
7f553f149000-7f553f348000 ---p 00003000 fc:03 21627308
/lib/x86_64-linux-gnu/libdl-2.23.so
7f553f348000-7f553f349000 r--p 00002000 fc:03 21627308
/lib/x86_64-linux-gnu/libdl-2.23.so
7f553f349000-7f553f34a000 rw-p 00003000 fc:03 21627308
/lib/x86_64-linux-gnu/libdl-2.23.so
7f553f34a000-7f553f363000 r-xp 00000000 fc:03 21627502
/lib/x86_64-linux-gnu/libz.so.1.2.8
7f553f363000-7f553f562000 ---p 00019000 fc:03 21627502
/lib/x86_64-linux-gnu/libz.so.1.2.8
7f553f562000-7f553f563000 r--p 00018000 fc:03 21627502
/lib/x86_64-linux-gnu/libz.so.1.2.8
7f553f563000-7f553f564000 rw-p 00019000 fc:03 21627502
/lib/x86_64-linux-gnu/libz.so.1.2.8
7f553f564000-7f553f66c000 r-xp 00000000 fc:03 21627328
/lib/x86_64-linux-gnu/libm-2.23.so
7f553f66c000-7f553f86b000 ---p 00108000 fc:03 21627328
/lib/x86_64-linux-gnu/libm-2.23.so
7f553f86b000-7f553f86c000 r--p 00107000 fc:03 21627328
/lib/x86_64-linux-gnu/libm-2.23.so
7f553f86c000-7f553f86d000 rw-p 00108000 fc:03 21627328
/lib/x86_64-linux-gnu/libm-2.23.so
7f553f86d000-7f553fa88000 r-xp 00000000 fc:03 21627337
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f553fa88000-7f553fc87000 ---p 0021b000 fc:03 21627337
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f553fc87000-7f553fca3000 r--p 0021a000 fc:03 21627337
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f553fca3000-7f553fcaf000 rw-p 00236000 fc:03 21627337
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f553fcaf000-7f553fcb2000 rw-p 00000000 00:00 0
7f553fcb2000-7f553fcd8000 r-xp 00000000 fc:03 21627309
/lib/x86_64-linux-gnu/ld-2.23.so
7f553fd87000-7f553feca000 rw-p 00000000 00:00 0
7f553fed6000-7f553fed7000 rw-p 00000000 00:00 0
7f553fed7000-7f553fed8000 r--p 00025000 fc:03 21627309
/lib/x86_64-linux-gnu/ld-2.23.so
7f553fed8000-7f553fed9000 rw-p 00026000 fc:03 21627309
/lib/x86_64-linux-gnu/ld-2.23.so
7f553fed9000-7f553feda000 rw-p 00000000 00:00 0
7ffd48496000-7ffd484b7000 rw-p 00000000 00:00 0
[stack]
7ffd485b4000-7ffd485b7000 r--p 00000000 00:00 0
[vvar]
7ffd485b7000-7ffd485b9000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Aborted (core dumped)
bofh@dev:/opt/JohnTheRipper/run$

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.