Date: Sun, 28 Jun 2015 18:31:52 +0200
From: Frank Dittrich <frank.dittrich@...lbox.org>
To: john-dev@...ts.openwall.com
Subject: Re: more robustness

On 06/28/2015 01:54 PM, Kai Zhao wrote:
>> I think more people might try out and comment on your new --fuzz option
>> if you would push your changes to (a separate branch of) your own github
>> repository and provide a link to that repository/branch.
> 
> Thanks, here is the link:
> 
> https://github.com/loverszhaokai/JohnTheRipper/tree/fuzz_option

(fuzz_option)run $ ./john --format=PBKDF2-HMAC-SHA1 --fuzz
Fuzzing: PBKDF2-HMAC-SHA1 [PBKDF2-SHA1 128/128 AVX 4x]...
=================================================================
==26467==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd6af53f3a at pc 0x00000044f633 bp 0x7ffd6af53bc0 sp 0x7ffd6af53bb0
WRITE of size 1 at 0x7ffd6af53f3a thread T0
    #0 0x44f632 in raw_to_hex /home/fd/git/fuzz-JtR/src/base64_convert.c:241
    #1 0x453afd in mime_to_hex /home/fd/git/fuzz-JtR/src/base64_convert.c:686
    #2 0x45611b in base64_convert /home/fd/git/fuzz-JtR/src/base64_convert.c:921
    #3 0x60f77d in prepare /home/fd/git/fuzz-JtR/src/pbkdf2-hmac-sha1_fmt_plug.c:151
    #4 0x6bd370 in fuzz_test /home/fd/git/fuzz-JtR/src/formats.c:1153
    #5 0x6a4d2e in fuzz /home/fd/git/fuzz-JtR/src/bench.c:829
    #6 0x6c995d in john_run /home/fd/git/fuzz-JtR/src/john.c:1367
    #7 0x6cae5c in main /home/fd/git/fuzz-JtR/src/john.c:1753
    #8 0x7f83fc8b078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x406878 in _start (/home/fd/git/fuzz-JtR/run/john+0x406878)

Address 0x7ffd6af53f3a is located in stack of thread T0 at offset 106 in frame
    #0 0x60f49e in prepare /home/fd/git/fuzz-JtR/src/pbkdf2-hmac-sha1_fmt_plug.c:118

  This frame has 3 object(s):
    [32, 106) 'tmph' <== Memory access at offset 106 overflows this variable
    [160, 284) 'tmp'
    [320, 464) 'tmps'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fd/git/fuzz-JtR/src/base64_convert.c:241 raw_to_hex
Shadow bytes around the buggy address:
  0x10002d5e2790: 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10002d5e27a0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
  0x10002d5e27b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d5e27c0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10002d5e27d0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
=>0x10002d5e27e0: 00 00 00 00 00 00 00[02]f4 f4 f2 f2 f2 f2 00 00
  0x10002d5e27f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f2 f2
  0x10002d5e2800: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d5e2810: 00 00 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x10002d5e2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d5e2830: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26467==ABORTING


Is there an easy way to reproduce this problem for a bleeding-jumbo
version without the --fuzz option?

Frank
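An added illustration of the class of defect the report above points at, not code from this thread or from John the Ripper: the report shows a WRITE of size 1 at offset 106, exactly one byte past the 74-byte stack object 'tmph' ([32, 106)), reached from a raw-to-hex conversion. The hypothetical raw_to_hex_unchecked() below trusts the caller to have sized the output buffer for 2*len + 1 bytes and so writes its NUL terminator one byte past a buffer that is one byte too short; raw_to_hex_bounded() takes the buffer capacity and rejects such input instead. All function names, the 37-byte and 36-byte inputs and the buffer sizes are constructed for this example; nothing here claims to be the actual cause of the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not JtR's raw_to_hex(): encode `len` raw bytes
 * as lowercase hex into `out`, which the caller must have sized to hold
 * 2*len + 1 bytes (terminating NUL included). There is no capacity check,
 * so an input one byte longer than the buffer was sized for writes the NUL
 * one byte past the end: a WRITE of size 1 just past a stack object, the
 * same shape as the ASan report in the message above. */
size_t raw_to_hex_unchecked(const unsigned char *in, size_t len, char *out)
{
    static const char hexd[] = "0123456789abcdef";
    size_t i;

    for (i = 0; i < len; i++) {
        out[2 * i]     = hexd[in[i] >> 4];
        out[2 * i + 1] = hexd[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

/* Bounded variant: the caller passes the capacity of `out`, and the function
 * returns -1 without writing anything when 2*len + 1 would not fit. The
 * first comparison guards the multiplication against size_t wrap-around. */
int raw_to_hex_bounded(const unsigned char *in, size_t len,
                       char *out, size_t out_cap)
{
    if (len > (SIZE_MAX - 1) / 2 || 2 * len + 1 > out_cap)
        return -1;
    return (int)raw_to_hex_unchecked(in, len, out);
}

/* Constructed case: 37 input bytes need 75 bytes of output; a 74-byte buffer
 * (the size of 'tmph' in the report) is one byte short, so the bounded call
 * must reject it with -1. */
int demo_bounded_rejects_oversize(void)
{
    unsigned char raw[37];
    char tmph[74];

    memset(raw, 0xab, sizeof raw);
    return raw_to_hex_bounded(raw, sizeof raw, tmph, sizeof tmph);
}

/* Constructed case: 36 bytes give 72 hex chars plus NUL, which fits exactly
 * in 73 bytes, so the bounded call returns 72. */
int demo_bounded_exact_fit(void)
{
    unsigned char raw[36];
    char tmph[73];

    memset(raw, 0x5c, sizeof raw);
    return raw_to_hex_bounded(raw, sizeof raw, tmph, sizeof tmph);
}

/* Returns 1 when a constructed 3-byte input encodes to "deadbe". */
int demo_hex_roundtrip(void)
{
    const unsigned char raw[3] = { 0xde, 0xad, 0xbe };
    char out[7];

    if (raw_to_hex_bounded(raw, sizeof raw, out, sizeof out) != 6)
        return 0;
    return strcmp(out, "deadbe") == 0;
}

int main(void)
{
    printf("oversize: %d, exact fit: %d, roundtrip ok: %d\n",
           demo_bounded_rejects_oversize(), demo_bounded_exact_fit(),
           demo_hex_roundtrip());
#ifdef TRIGGER_OVERFLOW
    /* Build with -fsanitize=address -DTRIGGER_OVERFLOW to make ASan report
     * a one-byte stack-buffer-overflow from the unchecked routine. */
    {
        unsigned char raw[37];
        char tmph[74];

        memset(raw, 0xab, sizeof raw);
        raw_to_hex_unchecked(raw, sizeof raw, tmph);
        printf("%s\n", tmph);
    }
#endif
    return 0;
}
```

Compiled plainly the program only prints the three bounded results; compiled with -fsanitize=address -DTRIGGER_OVERFLOW it produces a report of the same form as the one above (WRITE of size 1, one byte past a 74-byte stack object), which is a useful way to check that a build actually has ASan enabled before trying to reproduce a fuzzer finding.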
