Date: Tue, 19 May 2015 09:39:01 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Fuzzing Report on 2john tools

There are 62 2john tools: 35 are written in Python, 7 in Perl, and 20
in C. So I tested the 20 C tools, since afl only supports C/C++.

Among the 20 C tools, there are 12 tools with bugs:

gpg2john
keepass2john
keyring2john
keystore2john
kwallet2john
luks2john
pwsafe2john
rar2john
ssh2john
vncpcap2john
wpapcap2john
zip2john

General bug analysis
--------------------

1. buffer overflow

https://github.com/magnumripper/JohnTheRipper/pull/1312

2. heap buffer overflow

For example, forgetting to check the buffer size before fread() puts bytes into it.

https://github.com/magnumripper/JohnTheRipper/pull/1326
https://github.com/magnumripper/JohnTheRipper/pull/1313

3. using assert(), which leads to 'Aborted'

https://github.com/magnumripper/JohnTheRipper/pull/1318

4. others

For example, forgetting to check the return value of jtr_fopen().

https://github.com/magnumripper/JohnTheRipper/pull/1321


Thanks,

Kai
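
The checks behind bug classes 2 to 4 in the report above, as an added example that is not part of the original post and is not John the Ripper code. The record layout (one length byte followed by that many salt bytes), the function names and the sample bytes are hypothetical and constructed for illustration.

```c
/* Added example, not John the Ripper code. The record layout (one length
 * byte followed by that many salt bytes) and all names are hypothetical. */
#include <stdio.h>
#define SALT_MAX 16
enum { OK = 0, ERR_OPEN = -1, ERR_TRUNC = -2, ERR_LEN = -3 };

/* Read one length-prefixed salt from fp into out[SALT_MAX]. */
static int read_salt(FILE *fp, unsigned char *out, size_t *out_len)
{
    int len;
    if (fp == NULL)               /* the caller's fopen() may have failed */
        return ERR_OPEN;
    if ((len = fgetc(fp)) == EOF)
        return ERR_TRUNC;
    if ((size_t)len > SALT_MAX)   /* bound the length before fread() */
        return ERR_LEN;           /* error return instead of assert() */
    if (fread(out, 1, (size_t)len, fp) != (size_t)len)
        return ERR_TRUNC;         /* file ended before the declared length */
    *out_len = (size_t)len;
    return OK;
}

/* Stage a constructed byte string in a temp file and parse it. */
static int parse_sample(const unsigned char *data, size_t n,
                        unsigned char *out, size_t *out_len)
{
    FILE *fp = tmpfile();
    int rc = ERR_OPEN;
    if (fp == NULL)
        return rc;
    if (fwrite(data, 1, n, fp) == n && fseek(fp, 0L, SEEK_SET) == 0)
        rc = read_salt(fp, out, out_len);
    fclose(fp);
    return rc;
}

/* Constructed samples: valid, oversized length byte, truncated body. */
static const unsigned char GOOD[] = { 4, 'a', 'b', 'c', 'd' };
static const unsigned char BIG[]  = { 200, 'x' };
static const unsigned char CUT[]  = { 8, 'a', 'b' };
int main(void)
{
    unsigned char salt[SALT_MAX];
    size_t n = 0;
    int a = parse_sample(GOOD, sizeof GOOD, salt, &n);
    int b = parse_sample(BIG, sizeof BIG, salt, &n);
    int c = parse_sample(CUT, sizeof CUT, salt, &n);
    printf("good=%d oversized=%d truncated=%d\n", a, b, c);
    return 0;
}
```

Returning an error code for malformed input lets the tool report the bad file and exit cleanly, so afl no longer records an abort for input that is merely invalid.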
