Date: Mon, 1 Jun 2015 17:17:00 +0800 From: Kai Zhao <loverszhao@...il.com> To: john-dev@...ts.openwall.com Subject: Re: Fuzzing Report on external mode Hi Alexander, > Oh, just why aren't you moving to a faster hash by now, after I provided > this advice to you a week ago or so? I recommend that you use the dummy > format for your fuzzing. e.g.: > > $dummy$64756d6d79 Thanks. > These 3 are crashes in op_index, which suggests out of bounds array > access. However, I don't immediately see a bug like this fuzzed into > the external mode programs. Do you? Can you please post diffs of them > from their original versions? The original and fuzzed configs are in the attachments. https://github.com/magnumripper/JohnTheRipper/issues/1358 The diff of config is: ( array size 32 is original, 12 is fuzzed) 39c39 < int boundaries_symbols; --- > int boundaries_symbols; https://github.com/magnumripper/JohnTheRipper/issues/1360 The diff of config is: (first line is original, second line is fuzzed) 79c79 < boundaries_numbers[i++] = 1932735284; boundaries_numbers[i++] = 2147483647; --- > boundaries_numbers[i++] = 193273=284; boundaries_numbers[i++] = 2147483647; https://github.com/magnumripper/JohnTheRipper/issues/1363 The diff of config is: (first is original, second is fuzzed) 2,3c2,3 < # A variation of KnownForce configured to try all the 385641000 possible < # auto-generated passwords of DokuWiki versions up to at least 2013-05-10. --- > # Ae > # -10. 59c59 < charset[ofs + i++] = c++; --- > charset[ofs + i++] = C++; > Your guess is that this is the same kind of issue that you found and I > patched recently, so you're suggesting that we change the initial sp > from &c_stack to &c_stack. I think you're probably wrong, but > have you tried? Does it help? Yes, you are right. Change to &c_stack can not solve this problem. Thanks, Kai Content of type "text/html" skipped Download attachment "awepasswordgenerator_original.conf" of type "application/octet-stream" (9493 bytes) Download attachment "awepasswordgenerator_fuzzing_1358.conf" of type "application/octet-stream" (9493 bytes) Download attachment "awepasswordgenerator_fuzzing_1360.conf" of type "application/octet-stream" (9493 bytes) Download attachment "dokuwiki_original.conf" of type "application/octet-stream" (2354 bytes) Download attachment "dokuwiki_fuzzing_1363.conf" of type "application/octet-stream" (2218 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.