Date: Mon, 20 Jun 2011 20:12:13 +0200
From: magnum <>
Subject: Re: Even more mscash & mscash2 fixes

On 2011-06-15 22:44, magnum wrote:
> Just posted john-1.7.7-jumbo-6-more-mscash-fixes.diff.gz to the wiki, 
> with the following for mscash & mscash2:
> * 8-bit self-tests for normal mode as well as --utf8, also including 
> nullstring and max length of salt [see below]
> * Lowercasing of salts
> * Unicode length check of salt and reject in valid() if too long
> * (mscash2 only) Replaced a binary salt_len check in set_salt() that 
> lacked error handling and caused crashes (apart from being redundant)

Yet another incremental patch is posted now, that hopefully finally 
fixes all remaining 8-bit issues in mscash2. Finally, we have this 
format in the test suite (not yet released) so I could hammer it with all I had.

Now, *all* formats that I'm aware of using Unicode internally pass all 
nasty tests I throw at them. Many of the bugs that have been fixed have 
nothing to do with my --utf8 support, I just found them because of it.

I also threw in the Blowfish fix recently posted by Solar, that also 
affected 8-bit characters. Salute the Test Suite. Most other non-Unicode 
formats already passed all the 8-bit tests.

> Still, there is a major problem in mscash2: As far as I can tell, the 
> maximum supported salt length is supposed to be 19 characters. Unless 
> my generator script is to blame, John fails to crack any hash with a 
> salt longer than 8 characters. The self-test I included with saltlen 
> 19 is currently commented out. Unless this is fixed, the max length 
> check in valid() should really be decreased from 19 to 8.

I haven't disabled saltlen >8 but the above still stands, mscash2 can 
only handle salts (=usernames) up to eight characters - which 
disqualifies the Administrator account, just as a random example...

Haven't heard from S3nf so I'm hoping Jim can nail it. You lose me as 
soon as you reverse steps.

