Date: Tue, 27 Sep 2011 00:19:49 +0200
From: magnum <rawsmooth@...dband.net>
To: john-dev@...ts.openwall.com
Subject: Re: MSCHAPv2 Bug

On 2011-09-26 23:29, jmk wrote:
> My MSCHAPv2 format appears to ignore entries in which the username is a
> number (e.g., 1111). I'm not really sure why this is the case, but the
> attached patch seems to correct the issue.

Lol, from a comment in pass_gen.pl it seems I wrote that down to 
Digest::SHA and worked around it (by not using numeric usernames). In 
hindsight that was a bad assumption - or let's say I trusted you :)

I see the problem. I believe the enclosed patch is more correct (and it 
adds a self-test with username of 1111 too). You were scanning the 
username for hex digits instead of line ending - I'm sure it must have 
failed for "b0b" (there actually is a bOb with capital O in the tests, 
which confused me a while) or "abe" too, for example.

magnum

View attachment "0013-j7-fix-for-MSCHAPv2-bogus-username-length-check.patch" of type "text/x-patch" (1491 bytes)
