Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 23 Mar 2015 19:11:12 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Bug found by AFL fuzzing androidfde format

Hi, I am going to describe the bug found by AFL fuzzing androidfde_format.
I would appreciate it if you have some advice on fuzzing john.

1. Reproduce

1.1 john commit:

https://github.com/magnumripper/JohnTheRipper/tree/a4d2d1f3b4dd626c8efe5b3f4cd38238a12c6344

1.2 procedure

$ cat input

$fde$16$04b36d4290b56e0fcca9778b74719ab8$16*b45f0f051f13f84872d1
ef1abe0ada59$0f61d28f7466c0435040cc845a67e6734500de15df3ba6f48d
2534ca2a7b8f910d7547357e8f1ec7364bab41383f5df9b5fb43fcd4a1e06189
ce3c6ba77ec908b066e73a508e201c941fb409e9abdc051c3c052a735b01e5
6be61efa635e82cbceab18db1ba645b93f7befb83155852f0004a7c7d6800e9
fa5f0d3c133dd2496f92110c3cdcfb16dcf57df8de830969e18514a34d4917de
14597da19f9f7dc81eca2d7d461c91e0a8aeac06bafe89866d24f2b4991b429
5b6277d0ff4ad97f1fa58e20f8a24e2062f84c318eb36cfbb4671117bc3522afc
f7737353589cae0dce0d7c3341f457af654543758f3f005bd4d68fa2b35777cb
2ea5f8f69c4debcfb1d8b2a601320e4f8621dc6e99434007388bdc0ceebc722
f9ed44cbce3914bf144db332276e719f6b48108cde55916d861d19dc8c03ac7
6a2dad322457073111e441488228f13649073aa3aadfab51dadf89a0827acb
a284154a9e18d926facef43852a0733660a1fbcca8e81d2f41efd9f645a61f939
5b75fc7ad446885d304808d511f2ba2e7c6138588c4292aee4ef6f2537bb00c7
b015cee4a91d2defa87b67abc1315e71f0489e271673b36412377219e93aba6
af3cfd504bf3f6bc24f2b6148536339d91ddd2f013314544650c1c11e7317028a
7014909d0c850f78692e476c4f57da586fe26786504130aba22ba5261b989ae
b47483d8cb9d5052120a4e5690b5b0cd009aadaadc351db7b6a230ebc1fa77
1651cb64d78daa56b7a6c6808db3b688afee9b7edaa617d8cb16ac72904659
87bd443ea41ce38aa14e0c88874fb2707394b83679de82134efe351b4d021c6
3b2992a8314b2e93908906400628a7f753c9a4d85e917a207561b7840ce121
800fab4026508d1b00fe8e7e756573743e11380f76f6bb7c0e528cb98875e6ad
88bff51236601e6942964e37ffe0316b1a1f7bc0d84334fa024bf03c261bd06a07
c01f099ad23fb9a1d8c98447463b8988cb33f3e1fb7d7a7c547f9a6d51cf7b7564
9d3c8cb5bf93be79eba1a961659b5fe928a1c7e80aca857825c6bc11493cb230
e66126ef7b7284abe0823b5735bb1dfe844029f175c63442ca774784b775ecf02
e48d029ac0f236813be91aca66905640666b89bd08118e3c18c75764bc49d00d
1fe53ee92ccaa487852c613cba91f637b6de06dcaa1953a7cfb5333df573273a6
7f0157b63fbbf48c48f16c423caefaf29cdb5d34b19ac0f57b972b9e5ff1bc5cf25b
dcdf8d29fb75865c4501458f19bfd64c844fd52a27feec97dc31ba922aea757064
04d853071707d0c6001c59664676be6426ca5c7efbfc09ffa9acac91441f9175fd
3148fb046c31a49d7c7ad10bf3c4b413dd148666b72b5a533f600cb02d7623270
e5d1ad33355dd318d06aa8b3d7517cb7d5be40d222a026380cfbf5b79014e763
1d677b07bcd805d9ea7103cf1d057bf883b29fb99b064c4e3cb4271596a74895c
1c3f7c7c49d2be54b1435af4440ecd019dde11cee14a320712c9275bef339a15d
3a18d9f38918d7af0a50a35199980429d74d4cc2a16dea619619a7c19827f4f78
d3ebaf13340abf6717cec6bff8399b067fb17f11cdb1f9909c51253f7466ee76954
6d1d96319bcc1b04a6b1f8d8068f96b959d507c9004d75717792733fadb7a94a2
d5db514a61cbd90eef89d1ace5a3138120168d62f1ebef5efbbd4e7f7e987834db
81fe8c4877f3edcc71c61e96b20ca26c5a91e28fa11e484c1dcbfd5a0461065fe52f
042ee9a09687d800c90a0a792f3dbe257965247f8eecd122b9b234b734454fa14
77212a0295a347ae44463de4de405bf4fd91cde400b63d7fced6d7ccd20d79a48
99139a79085f8742c3dfe7fbadca56c4e8aa95ce7841ad9675659349f6671d047e
fa0951feb9c61381f5f9e39182c1ec0a3ebd2ef5e036312c6ed6a0e59777813229f
fdac771788e609c7d9f96848f63b428789c55e85c509068df8d5a0a7fc066be8c76
205860d86d6c5bb7c2bc85a922a2ad86e6a791fe238420eedd1cf7ac770dd8316
ca30c9577441a34873cdf0c5dc2103457a93fa0dd42da5eb2d6f82e9ff47b4bb6cd
1d3fcba5645caace577a89c7bd70ff432f8dae113a7877a41a41043dac4c0d21860
ad8198a1b9640d979322a20d4b90caa77a5d2b31c5bd06e

$ ./john input
Segmentation fault

2. AFL Fuzzing

2.1 procedure

$ pwd

open_wall/JohnTheRipper_fuzz_valid/run/valid_test

$ ll

out/
test_cases/

$ ls test_cases

7z_fmt   fmt_1    fmt_114  fmt_13   fmt_145  fmt_160  fmt_176  fmt_191
 fmt_26
fmt_41  fmt_57  fmt_72  fmt_88  AFS_fmt  fmt_10   fmt_115  fmt_130  fmt_146

fmt_161  fmt_177  fmt_192  fmt_27  fmt_42  fmt_58  fmt_73  fmt_89
agilekeychain_fmt    fmt_100  fmt_116  fmt_131  fmt_147  fmt_162  fmt_178
fmt_193  fmt_28  fmt_43  fmt_59  fmt_74  fmt_9  aix_smd5_fmt  fmt_101
 fmt_117
fmt_132  fmt_148  fmt_163  fmt_179  fmt_194  fmt_29  fmt_44  fmt_6   fmt_75
 fmt_90
aix_ssha_fmt  fmt_102  fmt_118  fmt_133  fmt_149  fmt_164  fmt_18   fmt_195
 fmt_3
fmt_45  fmt_60  fmt_76  fmt_91  androidfed_fmt   fmt_103  fmt_119  fmt_134
 fmt_15
fmt_165  fmt_180  fmt_196  fmt_30  fmt_46  fmt_61  fmt_77  fmt_92   asaMD5_fmt

fmt_104  fmt_12   fmt_135  fmt_150  fmt_166  fmt_181  fmt_197  fmt_31
 fmt_47  fmt_62
fmt_78  fmt_93  BFEgg_fmt   fmt_105  fmt_120  fmt_136  fmt_151  fmt_167
 fmt_182
fmt_198  fmt_32  fmt_48  fmt_63  fmt_79  fmt_94   bitcoin_fmt  fmt_106
 fmt_121  fmt_137
fmt_152  fmt_168  fmt_183  fmt_199  fmt_33  fmt_49  fmt_64  fmt_8   fmt_95
blackberry_ES10_fmt  fmt_107  fmt_122  fmt_138  fmt_153  fmt_169  fmt_184
 fmt_2
fmt_34  fmt_5   fmt_65  fmt_80  fmt_96  blockchain_fmt  fmt_108  fmt_123
 fmt_139
fmt_154  fmt_17   fmt_185  fmt_20   fmt_35  fmt_50  fmt_66  fmt_81
fmt_97  chap_fmt

fmt_109  fmt_124  fmt_14   fmt_155  fmt_170  fmt_186  fmt_200  fmt_36
 fmt_51  fmt_67
fmt_82  fmt_98  citrix_ns_fmt  fmt_11   fmt_125  fmt_140  fmt_156  fmt_171
 fmt_187
fmt_21   fmt_37  fmt_52  fmt_68  fmt_83  fmt_99  clipperz_srp_fmt
fmt_110  fmt_126
fmt_141  fmt_157  fmt_172  fmt_188  fmt_22   fmt_38  fmt_53  fmt_69  fmt_84
 cloudchain_fmt
fmt_111  fmt_127  fmt_142  fmt_158  fmt_173  fmt_189  fmt_23   fmt_39
 fmt_54  fmt_7   fmt_85
cq_fmt  fmt_112  fmt_128  fmt_143  fmt_159  fmt_174  fmt_19   fmt_24
fmt_4   fmt_55  fmt_70
fmt_86  crc32_fmt  fmt_113  fmt_129  fmt_144  fmt_16   fmt_175  fmt_190
 fmt_25   fmt_40
fmt_56  fmt_71  fmt_87

$ cat test_cases/androidfde_fmt

$fde$16$04b36d4290b56e0fcca9778b74719ab8$16$b45f0f051f13f84872d1
ef1abe0ada59$0f61d28f7466c0435040cc845a67e6734500de15df3ba6f48d2
534ca2a7b8f910d7547357e8f1ec7364bab41383f5df9b5fb43fcd4a1e06189ce
3c6ba77ec908b066e73a508e201c941fb409e9abdc051c3c052a735b01e56be
61efa635e82cbceab18db1ba645b93f7befb83155852f0004a7c7d6800e9fa5f0
d3c133dd2496f92110c3cdcfb16dcf57df8de830969e18514a34d4917de14597
da19f9f7dc81eca2d7d461c91e0a8aeac06bafe89866d24f2b4991b4295b6277
d0ff4ad97f1fa58e20f8a24e2062f84c318eb36cfbb4671117bc3522afcf773735
3589cae0dce0d7c3341f457af654543758f3f005bd4d68fa2b35777cb2ea5f8f6
9c4debcfb1d8b2a601320e4f8621dc6e99434007388bdc0ceebc722f9ed44cb
ce3914bf144db332276e719f6b48108cde55916d861d19dc8c03ac76a2dad32
2457073111e441488228f13649073aa3aadfab51dadf89a0827acba284154a9
e18d926facef43852a0733660a1fbcca8e81d2f41efd9f645a61f9395b75fc7ad4
46885d304808d511f2ba2e7c6138588c4292aee4ef6f2537bb00c7b015cee4a9
1d2defa87b67abc1315e71f0489e271673b36412377219e93aba6af3cfd504bf3
f6bc24f2b6148536339d91ddd2f013314544650c1c11e7317028a7014909d0c8
50f78692e476c4f57da586fe26786504130aba22ba5261b989aeb47483d8cb9d
5052120a4e5690b5b0cd009aadaadc351db7b6a230ebc1fa771651cb64d78da
a56b7a6c6808db3b688afee9b7edaa617d8cb16ac7290465987bd443ea41ce3
8aa14e0c88874fb2707394b83679de82134efe351b4d021c63b2992a8314b2e9
3908906400628a7f753c9a4d85e917a207561b7840ce121800fab4026508d1b0
0fe8e7e756573743e11380f76f6bb7c0e528cb98875e6ad88bff51236601e69429
64e37ffe0316b1a1f7bc0d84334fa024bf03c261bd06a07c01f099ad23fb9a1d8c9
8447463b8988cb33f3e1fb7d7a7c547f9a6d51cf7b75649d3c8cb5bf93be79eba1
a961659b5fe928a1c7e80aca857825c6bc11493cb230e66126ef7b7284abe0823
b5735bb1dfe844029f175c63442ca774784b775ecf02e48d029ac0f236813be91a
ca66905640666b89bd08118e3c18c75764bc49d00d1fe53ee92ccaa487852c613
cba91f637b6de06dcaa1953a7cfb5333df573273a67f0157b63fbbf48c48f16c423c
aefaf29cdb5d34b19ac0f57b972b9e5ff1bc5cf25bdcdf8d29fb75865c4501458f19b
fd64c844fd52a27feec97dc31ba922aea75706404d853071707d0c6001c5966467
6be6426ca5c7efbfc09ffa9acac91441f9175fd3148fb046c31a49d7c7ad10bf3c4b4
13dd148666b72b5a533f600cb02d7623270e5d1ad33355dd318d06aa8b3d7517c
b7d5be40d222a026380cfbf5b79014e7631d677b07bcd805d9ea7103cf1d057bf88
3b29fb99b064c4e3cb4271596a74895c1c3f7c7c49d2be54b1435af4440ecd019dd
e11cee14a320712c9275bef339a15d3a18d9f38918d7af0a50a35199980429d74d4
cc2a16dea619619a7c19827f4f78d3ebaf13340abf6717cec6bff8399b067fb17f11cd
b1f9909c51253f7466ee769546d1d96319bcc1b04a6b1f8d8068f96b959d507c9004
d75717792733fadb7a94a2d5db514a61cbd90eef89d1ace5a3138120168d62f1ebe
f5efbbd4e7f7e987834db81fe8c4877f3edcc71c61e96b20ca26c5a91e28fa11e484c
1dcbfd5a0461065fe52f042ee9a09687d800c90a0a792f3dbe257965247f8eecd122
b9b234b734454fa1477212a0295a347ae44463de4de405bf4fd91cde400b63d7fced
6d7ccd20d79a4899139a79085f8742c3dfe7fbadca56c4e8aa95ce7841ad96756593
49f6671d047efa0951feb9c61381f5f9e39182c1ec0a3ebd2ef5e036312c6ed6a0e59
777813229ffdac771788e609c7d9f96848f63b428789c55e85c509068df8d5a0a7fc0
66be8c76205860d86d6c5bb7c2bc85a922a2ad86e6a791fe238420eedd1cf7ac770d
d8316ca30c9577441a34873cdf0c5dc2103457a93fa0dd42da5eb2d6f82e9ff47b4bb6
cd1d3fcba5645caace577a89c7bd70ff432f8dae113a7877a41a41043dac4c0d21860a
d8198a1b9640d979322a20d4b90caa77a5d2b31c5bd06e

$ afl-fuzz -m none -t 1500+ -i test_cases/ -o out ../john @@ --nolog
--max-run-time=1  --skip-self-test

2.2 status screen of AFL

american fuzzy lop 1.55b (john)

┌─ process timing ──────────────────────┬─ overall results ─  ─┐
│        run time : 5 days, 3 hrs, 59 min, 50 sec               │  cycles
done  : 0      │
│   last new path : 0 days, 0 hrs, 8 min, 5 sec                │  total
paths    : 1279│
│ last uniq crash : 2 days, 6 hrs, 32 min, 5 sec              │ uniq
crashes : 1      │
│  last uniq hang : 0 days, 11 hrs, 8 min, 8 sec              │   uniq
hangs  : 7      │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────┤
│  now processing : 10 (0.78%)                                │    map
density   : 11.3k (17.18%)        │
│ paths timed out : 0 (0.00%)                                   │ count
coverage : 1.95 bits/tuple          │
├─ stage progress ────────────────────┼─ findings in depth ───────────┤
│  now trying : bitflip 2/1                                            │
favored paths  : 434 (33.93%)           │
│ stage execs : 1014/21.7k (4.67%)                         │  new edges on
: 550 (43.00%)           │
│ total execs : 853k                                                   │
total crashes   : 1 (1 unique)             │
│  exec speed : 1.89/sec (zzzz...)                             │   total
hangs    : 32 (7 unique)           │
├─ fuzzing strategy yields ───────────┴───┬─ path geometry ──┤
│   bit flips : 160/80.5k, 31/58.8k, 31/58.8k              │    levels   :
2             │
│  byte flips : 0/7351, 0/2990, 0/3212                      │   pending :
1270       │
│ arithmetics : 29/157k, 0/2175, 0/0                        │  pend fav :
429         │
│  known ints : 13/17.7k, 3/110k, 1/160k                 │ own finds : 1062
      │
│  dictionary : 0/0, 0/0, 7/60.4k                                │
 imported : n/a          │
│       havoc : 773/113k, 0/0                                     │
 variable  : 0             │
│        trim : 0.16%/4902, 60.74%
 ├────────────────────────┘
└─────────────────────────────────────────────────────┘
[cpu:154%]


Thanks for your time,

Kai

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.