Date: Sat, 26 Jan 2013 20:38:53 +0530 From: Dhiru Kholia <dhiru.kholia@...il.com> To: john-dev@...ts.openwall.com Subject: Re: Office format bug On Sat, Jan 26, 2013 at 7:51 PM, Dhiru Kholia <dhiru.kholia@...il.com> wrote: > On Sat, Jan 26, 2013 at 7:05 PM, magnum <john.magnum@...hmail.com> wrote: >> On 01/26/2013 01:54 PM, magnum wrote: >>> >>> According to Valgrind, the office format seem to read data from all over >>> the place. >>> >>> Benchmarking: Office 2007/2010 (SHA-1) / 2013 (SHA-512), with AES [32/64 >>> OpenSSL]... ==22939== Use of uninitialised value of size 8 >>> ==22939== at 0x510B254: _x86_64_AES_decrypt_compact (aes-x86_64.s:577) >>> ==22939== by 0x510B571: AES_decrypt (aes-x86_64.s:828) >>> ==22939== by 0x7FEFFD60F: ??? >>> ==22939== by 0x7FEFFD6AF: ??? >>> ==22939== by 0x7FEFFD74F: ??? >>> ==22939== by 0x7FEFFD487: ??? >>> ==22939== by 0x1B806F31BFF453C9: ??? >>> ==22939== by 0xD342D7A2989D9B7F: ??? >>> ==22939== by 0x9A9C13A0008FA466: ??? >>> ==22939== by 0x73F06698C26CEE8: ??? >>> ==22939== by 0x491480AF3479AF71: ??? >>> ==22939== by 0x5CD4A62CAB0D44C6: ??? >>> According to this, it reads an "uninitialized value" from mysql-netauth >>> format's buffer space... not that I get how a calloc'ed buffer can be >>> uninitialized. The above is from --test=0 under linux 64-bit, built with >>> OMP but using only one thread. > > This is a genuine problem and here is a patch to fix this. > > diff --git a/src/office_fmt_plug.c b/src/office_fmt_plug.c > index f4f9b19..7131893 100644 > --- a/src/office_fmt_plug.c > +++ b/src/office_fmt_plug.c > @@ -190,7 +190,6 @@ static int PasswordVerifier(unsigned char * key) > return 0; > } > AES_ecb_encrypt(cur_salt->encryptedVerifierHash, > decryptedVerifierHash, &akey, AES_DECRYPT); > - AES_ecb_encrypt(cur_salt->encryptedVerifierHash+16, > decryptedVerifierHash+16, &akey, AES_DECRYPT); > > /* find SHA1 hash of decryptedVerifier */ > SHA1_Init(&ctx); Same fix applies for opencl_office2007_fmt.c as well. -- Dhiru
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.