Date: Mon, 22 Feb 2010 15:36:30 +0100
From: "Magnum, P.I." <rawsmooth@...dband.net>
To: john-users@...ts.openwall.com
Subject: Trivial bug (or dangerous feature)
I just got bitten by a bug, or feature, in JtR. Having lots of sessions
that I start/stop during testing, I decided to start using session names
equal to the filename to crack. That is,

$ john --session=test.sam -single --pot=test.sam.pot test.sam

What happened was it loaded the contents of test.sam into memory, then
it created a recovery file NOT named test.sam.rec as I expected, but
just test.sam - overwriting the hash file. It then cracked the hashes
and deleted the file (well it was already destroyed anyway). It just
made me chuckle this time but I think it could be a really bad thing for
someone, some day :-)

I did locate the responsible code in recovery.c, *rec_name_complete()
but I'm not gonna show you my complete lack of coding skills trying to
submit a patch. Obviously it just checks for any dot in the name and
then assumes it has an extension of .rec

FWIW I also used --pot=test.sam.pot - in that case it was more obvious
to me I should include the extension in the name. To be really friendly,
there could be tests stopping any overwriting of any hash or wordlist
file but I think that's overkill. Replacing that check for a dot with a
check for an actual extension of .rec will suffice just fine in my opinion.

cheers
MPI
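As an added illustration of the two name-completion rules discussed in the post (this is not JtR's recovery.c and the function names rec_name_any_dot, rec_name_suffix and rec_collides are hypothetical): the any-dot heuristic leaves "test.sam" unchanged so the recovery file lands on top of the hash file, while a real ".rec" suffix check appends the extension.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SUFFIX ".rec"

/* Heuristic as described in the post: any dot in the session name is taken
 * to mean an extension is already present, so "test.sam" stays "test.sam".
 * Hypothetical reconstruction for illustration, not JtR's own code. */
char *rec_name_any_dot(const char *session)
{
    char *out = malloc(strlen(session) + sizeof(REC_SUFFIX));
    if (!out) return NULL;
    strcpy(out, session);
    if (!strchr(session, '.'))
        strcat(out, REC_SUFFIX);
    return out;
}

/* Suggested fix: append ".rec" unless the name already ends in ".rec". */
char *rec_name_suffix(const char *session)
{
    size_t len = strlen(session), slen = strlen(REC_SUFFIX);
    int has_suffix = len >= slen && strcmp(session + len - slen, REC_SUFFIX) == 0;
    char *out = malloc(len + sizeof(REC_SUFFIX));
    if (!out) return NULL;
    strcpy(out, session);
    if (!has_suffix)
        strcat(out, REC_SUFFIX);
    return out;
}

/* Returns 1 when the recovery file name is the same as the file being
 * cracked, i.e. the overwrite the post describes would happen. */
int rec_collides(const char *rec_name, const char *hash_file)
{
    return strcmp(rec_name, hash_file) == 0;
}

int main(void)
{
    const char *hash_file = "test.sam";   /* constructed sample input */
    char *a = rec_name_any_dot(hash_file);
    char *b = rec_name_suffix(hash_file);
    printf("any-dot: %s (collides: %d)\n", a, rec_collides(a, hash_file));
    printf("suffix : %s (collides: %d)\n", b, rec_collides(b, hash_file));
    free(a); free(b);
    return 0;
}
```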