Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 25 May 2015 18:52:10 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Using loopback with regex could cause crash

On 2015-05-25 18:38, Marek Wrzosek wrote:
> Hi
>
> If john.pot contains e.g. "." and john is started with --loopback
> --rules=none --regex=case=alpha:case="\0" (--regex="\0" doesn't crash
> with the same john.pot) then this could happen:
>
> buf=[sS][eE][xX][iI][sS]
> buf=0
> buf=[jJ]
> buf=[mM]
> buf=[pP]
> buf=2
> buf=9
> buf=[bB]
> buf=[cC]
> buf=[dD]
> buf=[lL]
> buf=[gG]
> buf=[wW]
> buf=.
> error: syntax error, unexpected $end
> Error, invalid regex expression.  John exiting now  base_word=.  Regex= .
>
> I think that forbidden characters should be escaped with \ or in []
> brackets, don't you think? First would require changing john, but latter
> maybe only changing regex_alphabets.conf e.g. by adding ".=[.]" line.

I believe escaping would significantly hurt performance. Not sure if 
there's any alternative though. For uses like this it would be nice to 
be able to give some "best effort" flag to librexgen so it doesn't fail.

The wordlist+rexgen mode is very experimental (that "buf=" output is 
even a debug print). JimF lost faith in librexgen when the API changed 
without notice, and hasn't touched it since. Maybe we should drop the 
support for it for now (while keeping the standalone regex mode).

magnum


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.