Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Sep 2011 00:56:28 +0200
From: magnum <rawsmooth@...dband.net>
To: john-dev@...ts.openwall.com
Subject: Re: MSCHAPv2 Bug

On 2011-09-28 00:29, jmk wrote:
> On Tue, 2011-09-27 at 00:19 +0200, magnum wrote:
>> I see the problem. I believe the enclosed patch is more correct (and it
>> adds a self-test with username of 1111 too). You were scanning the
>> username for hex digits instead of line ending - I'm sure it must have
>> failed for "b0b" (there actually is a bOb with capital O in the tests,
>> which confused me a while) or "abe" too, for example.
>
> This patch makes sense. Should I post this to the wiki for it to make
> its way into the jumbo patch?

Actually I already did :)

I also had a quick check at your other formats (since I don't assume 
things anymore, lol) but did not find any similar bug - however I 
noticed you rejected usernames (used as salts) with 8-bit characters in 
NETLMv2 and NETNTLMv2. That may have been barely appropriate at the time 
you wrote it but I felt it had to be changed now, with encodings and 
stuff. So I posted a patch for that too.

Thank you!
magnum

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ