Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Dec 2012 17:53:38 +0100
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: New self-test for maximum length (was: Formats dmg, encfs and strip crash on longer passwords)

On 28 Dec, 2012, at 17:56 , Frank Dittrich <frank_dittrich@...mail.com> wrote:
> All three formats claim to support a maximum password length of 32, but
> if you try to use a word list with longer passwords, they all segfault
> (at least on my 32bit Linux system).
> 
> 
> $ ./john encfs --wordlist=test-p
> Loaded 4 password hashes with 4 different salts (EncFS PBKDF2 AES /
> Blowfish [32/32])
> Segmentation fault (core dumped)

I just threw this in with devastating results:

commit f49d2c56531de71da2a03c0e28c8bc939cce376b
Author: magnum <john.magnum@...hmail.com>
Date:   Sat Dec 29 17:25:46 2012 +0100

    formats.c: Add a self-test that puts maximum length candidates in all
    buffer positions and then read them back to verify. This finds incorrect
    claims of PLAINTEXT_SIZE as well as most kinds of key buffer over-runs.
    It found 15 problematic formats right away.


I have no idea why I did not get the idea long ago. Unlike the "valid() killer" test that is only active with -DDEBUG, this one doesn't seem prone to segfault so it's always active. This is the current results on my 64-bit machine:

$ make -sj8 macosx-x86-64 && ../run/john -t=0 | grep FAIL
ld: warning: option -s is obsolete and being ignored
Benchmarking: dynamic_1011 md5($p.md5($s)) (WebEdition CMS) [128/128 SSE2 intrinsics 10x4x3]... FAILED (get_hash[0](9))
Benchmarking: dynamic_1012 md5($p.md5($s)) (WebEdition CMS) [128/128 SSE2 intrinsics 10x4x3]... FAILED (get_hash[0](9))
Benchmarking: dynamic_1013 md5($p.PMD5(username)) (WebEdition CMS) [128/128 SSE2 intrinsics 10x4x3]... FAILED (get_hash[0](9))
Benchmarking: Lotus Notes/Domino 6 More Secure Internet Password [8/64]... FAILED (max. length in index 0: wrote 64, got 63 back)
Benchmarking: EPiServer SID salted SHA-1 [32/64]... FAILED (max. length in index 0: wrote 124, got 123 back)
Benchmarking: Kerberos v4 TGT DES [32/64]... FAILED (max. length in index 0: wrote 32, got 31 back)
Benchmarking: IKE PSK HMAC-MD5 / HMAC-SHA1 [32/64]... FAILED (max. length in index 0: wrote 32, got 8 back)
Benchmarking: Oracle 11g SHA-1 [128/128 SSE2 intrinsics 8x]... FAILED (get_hash[0](0))
Benchmarking: PKZIP [32/64]... FAILED (max. length in index 0: wrote 31, got 30 back)
Benchmarking: RAdmin v2.x MD5 [32/64]... FAILED (max. length in index 0: wrote 99, got 98 back)
Benchmarking: Raw MD4 [128/128 SSE2 intrinsics 12x]... FAILED (max. length in index 0: wrote 55, got 23 back)
Benchmarking: SAP CODVN B (BCODE) [128/128 SSE2 intrinsics 12x]... FAILED (max. length in index 0: wrote 8, got 0 back)
Benchmarking: TrueCrypt [RIPEMD160 AES256_XTS]... FAILED (max. length in index 0: wrote 31, got 496 back)
Benchmarking: TrueCrypt [SHA512 AES256_XTS]... FAILED (max. length in index 0: wrote 31, got 496 back)
Benchmarking: TrueCrypt [WHIRLPOOL AES256_XTS]... FAILED (max. length in index 0: wrote 31, got 496 back)
15 out of 198 tests have FAILED


All these are probably real bugs. As you can see, some formats do not get any error within the new test but later - this indicates worse problems than just fence post errors.

I will start looking into raw-md4 and sapB (because they might be my fault). Any other volunteers please post here before starting to debug a format, so we avoid double work.

magnum

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ