Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 1 Jun 2015 12:56:36 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Fuzzing Report on external mode

On Mon, Jun 01, 2015 at 05:17:00PM +0800, Kai Zhao wrote:
> https://github.com/magnumripper/JohnTheRipper/issues/1363
> 
> The diff of config is: (first is original, second is fuzzed)
> 
> 2,3c2,3
> < # A variation of KnownForce configured to try all the 385641000 possible
> < # auto-generated passwords of DokuWiki versions up to at least 2013-05-10.
> ---
> > # Ae
> > # -10.
> 59c59
> < charset[ofs + i++] = c++;
> ---
> > charset[ofs + i++] = C++;

Oh, it's this loop:

		while (c <= '9')
			charset[ofs + i++] = C++;

Obviously, it won't terminate until i gets sufficiently out of range to
cause misbehavior of the VM (usually a segfault).

I think we're done with external mode fuzzing for now.  I am planning to
document these shortcomings in doc/EXTERNAL.  The only unexpected issue
is already patched.

Thanks!

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ