Date: Thu, 19 Mar 2015 04:21:23 +0300 From: Alexander Cherepanov <ch3root@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: Extend AFL to fuzz as you want On 2015-03-18 15:35, Frank Dittrich wrote: > On 03/18/2015 01:12 PM, Alexander Cherepanov wrote: >> I think this is a general question to be discussed in john-dev, not >> limited by the needs of fuzzing or security in general. Talking >> specifically about fuzzing, when you want to fuzz functions behind the >> valid() it's easier to patch this specific check out of valid() for now. > > But isn't the purpose of valid() to make sure all the other format > methods only have to work with sane/sanitized input? > Why should we care about segfaults etc. that would only occur after you > removed some of the sanity checks in valid? That's an interesting question. Short answer: we should care about it because such a crash could be due to a genuine bug. But it very much depends on a particular hash/valid()/get_salt()/etc. Surely, there are not many chances that removing random parts of valid() function will lead to interesting crashes. But this particular check ("strlen(p) != len * 2") is quite interesting. If we remove it we should hit a bug that the value of len is not bound. At least I think it's a bug. With this check in place the hash itself have to be very long to overflow array data[BIG_ENOUGH]. BIG_ENOUGH is defined as (8192 * 32) which is greater than max line size accepted by john. It's not documented how big should be BIG_ENOUGH and that it depends on max line size. Changing one of them in future could lead to a condition for buffer overflow. There are other strange things in 7z format, e.g. salt field is not used. -- Alexander Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.