Date: Tue, 09 May 2006 22:06:49 +0200
From: "Frank Dittrich" <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: john --format=NT segfaults when using wrong password file forma

Solar Designer wrote:
>On Tue, May 09, 2006 at 08:14:46PM +0200, Frank Dittrich wrote:
> > symbols found)...(no debugging symbols found)...(no debugging symbols
> > found)...
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x08061709 in MD4_Final ()
> > gdb>bt
> > #0  0x08061709 in MD4_Final ()
> > #1  0xbfffeb5c in ?? ()
>
>I'm afraid that this is not useful at all.  You'd need to rebuild with
>debugging symbols (-g) and with frame pointers (drop -fomit-frame-pointer)
>for the backtrace to be useful.  It is obvious that the crash is _not_
>in MD4_Final() and that the function was _not_ called from a location on
>the stack.

You are right. I tried to do that, even wanted to switch off optimization,
but somehow failed to build john with the jumbo patch and the adjusted
CFLAGS settings.
A version with just the NT patch applied and
CFLAGS = -c -Wall -g
shows:

(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4009cc36 in strncpy () from /lib/i686/libc.so.6
gdb>bt
#0  0x4009cc36 in strncpy () from /lib/i686/libc.so.6
#1  0x0805ba9f in strcpy ()
#2  0x0805c8c8 in strcpy ()
#3  0x0805b4a7 in strcpy ()
#4  0x0805cccb in strcpy ()
#5  0x0805ac7e in strcpy ()
#6  0x0805af14 in strcpy ()
#7  0x0805b1e8 in strcpy ()
#8  0x400414c2 in __libc_start_main () from /lib/i686/libc.so.6

Obviously I was still missing something, otherwise I should
have found ldr_split_line in the backtrace.

The offending strncpy is in the patched loader.c

@@ -206,10 +207,27 @@
                if (!strncmp(*ciphertext, "NO PASSWORD", 11))
                        *ciphertext = "";

+                /* NT loader hack starts here ! */
+
+                if (options.format && (strncmp(options.format, "nt", 
2)==0)) {
+
+                        tmp = ldr_get_field(&line);
+                        *ciphertext = tmp;
+
+                        if (!strncmp(*ciphertext, "NO PASSWORD", 11))
+                                *ciphertext = "";
+                        else {
+                                *ciphertext -= 4;
+                                strncpy(*ciphertext,"$NT$",4);
+                        }
+                }
+
+                /* NT loader hack ends here ! */
+
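
Review bot: In the else branch, `*ciphertext -= 4;` followed by `strncpy(*ciphertext,"$NT$",4);` writes four bytes in front of whatever ldr_get_field(&line) returned, and nothing in the hunk checks that those bytes belong to the writable line buffer or that the field looks like an NT hash at all. With a password file in another format the field can be missing or sit somewhere else, so the write can land outside the buffer. Validate the field first (expected length, hex digits only) and reject the line otherwise, and preferably build the "$NT$"-prefixed string in a separate buffer instead of writing backwards in place. Separately, `strncmp(options.format, "nt", 2)` matches any format name that merely starts with "nt"; compare the whole name.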

This one fails:
                                strncpy(*ciphertext,"$NT$",4);


So the error seems to be caused by adjusting the ciphertext
without verifying whether the format is valid or not.
At least it indicates that the issue doesn't affect other
hash algorithms, unless they mess with john's default way
of doing things.


Regards, Frank
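
The check the message above finds missing, as an added example that is not part of the original post or of John the Ripper: the field is validated before "$NT$" is prefixed, and the result goes into a separate buffer rather than in front of the field. The helper name nt_prefix_field, the 32-hex-digit rule and the sample fields are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_PREFIX     "$NT$"
#define NT_PREFIX_LEN 4
#define NT_HEX_LEN    32   /* assumption: NT hash field = 32 hex digits (MD4) */

/*
 * nt_prefix_field() is a hypothetical helper, not John the Ripper code.
 * It validates an already split-out field before prefixing it, and writes
 * into the caller's buffer instead of in front of the field.
 * Returns 0 on success, -1 if the field is not a valid NT hash.
 */
int nt_prefix_field(const char *field, char *out, size_t out_size)
{
    size_t i;

    if (!field || !out || out_size == 0)
        return -1;
    if (!strncmp(field, "NO PASSWORD", 11)) {   /* same test as the hunk */
        out[0] = '\0';
        return 0;
    }
    if (strlen(field) != NT_HEX_LEN)
        return -1;
    for (i = 0; i < NT_HEX_LEN; i++)
        if (!isxdigit((unsigned char)field[i]))
            return -1;
    if (out_size < NT_PREFIX_LEN + NT_HEX_LEN + 1)
        return -1;
    memcpy(out, NT_PREFIX, NT_PREFIX_LEN);
    memcpy(out + NT_PREFIX_LEN, field, NT_HEX_LEN + 1);   /* copies the NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample fields, not taken from any real password file. */
    const char *fields[] = { "0123456789abcdef0123456789ABCDEF",
                             "NO PASSWORD*********************", "x", "" };
    char buf[NT_PREFIX_LEN + NT_HEX_LEN + 1];
    size_t i;

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("%-34s -> %s\n", fields[i],
               nt_prefix_field(fields[i], buf, sizeof buf) ? "rejected" : buf);
    return 0;
}
```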

