Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Apr 2013 13:26:05 +0400
From: Alexander Cherepanov <>
Subject: Re: testing all valid()s

On 2013-04-28 03:17, magnum wrote:
>>>>> 4. Strange crash (it doesn't occurs with --format):
>>>>> ./john crash_wpapsk.txt
>>>> Actually this seems to not be related to wpapsk format, john crashes
>>>> in formspring.
>>> Well, patch attached.
>> I confirm, thanks lesson learned.
> So your formspring problem is gone now? That is a surprise to me because wpapsk loads later than that. Or maybe you did not have Jim's latest fixes? If that was it, we are probably set now.

Actually it's not that suprising:
- crash doesn't happen with --format, so it's a result of formats 
- crash happens when john reads somthing with $WPAPSK$ prefix and 
changing prefix makes crash go away, so wpapsk format is the first suspect;
- valid in wpapsk calls decode_hccap which contains straightforward 
static buffer overflow ("copy essid to hccap"), so what remains is to 
check that a fix for buffer overflow cures the crash.

Why wpapsk format doesn't crash? It checkes for overly long essids and 
rejects these hashes. But it's too late and harm is done.

Why formspring format does crash? Probably its some important static 
variables are overwritten by buffer overrun in wpapsk format but I 
didn't bother to fire up debugger to check it.

Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.