Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 04 May 2013 11:26:22 +0400
From: Alexander Cherepanov <>
Subject: Re: Yet more crashes

On 2013-05-03 01:47, jfoug wrote:
> Dynamic cannot be 'fixed' to be crash proof.  Since any user can create any
> format, bad or not, there is simply no way, unless dynamic checked every
> byte written, each time, which would cripple the format.
> I could chase my tail forever, fixing specifically formatted purposeful
> garbage, only to have the format still be just as open as it is today.
> Anyone can create a dynamic script that crashes.   Here is an example, there
> are infinite number of these ;)

What you talk about is also an interesting problem but it's completely 
different problem. configs are trusted content. When john crashes on a 
config with user's changes that's the question of convenience. It would 
be nice for john to emit a user-friendly warning in this case instead of 
a crash but it's not very important.

OTOH hashes are untrusted content. They are coming from outside, usually 
in some automated way. And user doesn't control lengths of various 
fields -- s/he doesn't even look at them, right? Even if s/he  looks at 
them, s/he doesn't know limits for various parts of a hash in john. One 
can think of a forensic researcher / pentester as a predator hunting a 
defenceless prey but the situation can easily be turned upside down -- 
cf. anti-forensics / counter-forensics.

Crashes are not only DoS on john but some of them are indications of 
expoitable vulnerabilities leading to code execution. I've not yet 
sorted them out though.

But don't take me wrong -- I'm not implying in any way that you must fix 
all crashes in dynamic, that someone else must do something else in john 
or that all crashes must be fixed before release.

Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.