Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 Jun 2015 13:50:36 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: poor man's fuzzer

Kai, all -

I felt that Kai didn't try hard enough to trigger crashes in hash
encoding parsing and such.  I expected to hear of many more crashes on
invalid salt encodings that I actually did.  Maybe much of this was
discussed in GitHub issues only, though?

Anyway, not being familiar with afl and for us to have a sanity-check
for our uses of afl, I went ahead and wrote the attached simple fuzzer.

In just a few minutes, it found segfaults in vtp and pbkdf2-hmac-md5,
and a "Floating point exception" (possibly actually overflow on integer
division or similar) in django-scrypt.  I still have it running
(currently on super as a test, but should move it elsewhere, if we
revise it to attempt more things).

Another curious detail is that I couldn't get it to use more than ~4 CPU
cores on average, not even with hundreds of simultaneous processes,
until I moved the "run" directory for john to /dev/shm (tmpfs).  I guess
I was bumping into some lock congesion in the kernel, possibly e.g. for
atime updates of john and john.conf.  (If so, remounting the filesystem
with noatime should probably have helped.  I didn't try yet.)  So I am
currently running it in /dev/shm/fuzz, which is a bit risky - in case
the system gets rebooted, work will be lost.  I should revise the script
to write its log and sample files into a directory different than one it
invokes john from.

Anyway, this is it for now.  My goal was to show to Kai that there's
more work on this, and I think I achieved it.

The crashers so far:

$ cat fuzz-sample-*
scrypt$NBGmaGIXijJW$148$$1$64$achPt01SbytSt+F3CcCFgEPr96+/j9iCTdejFdAARZ8mzfejrP64TJ5XBJa3gYwuCKOEGlw2E/lWCWS7LeS6CA==
scrypt$NBGmaGIXijJW$14$$81$64$achPt01SbytSt+F3CcCFgEPr96+/j9iCTdejFdAARZ8mzfejrP64TJ5XBJa3gYwuCKOEGlw2E/lWCWS7LeS6CA==
scrypt$NBGmaGIXijJW$14$81$$64$achPt01SbytSt+F3CcCFgEPr96+/j9iCTdejFdAARZ8mzfejrP64TJ5XBJa3gYwuCKOEGlw2E/lWCWS7LeS6CA==
scrypt$NBGmaGIXijJW$14$8$$164$achPt01SbytSt+F3CcCFgEPr96+/j9iCTdejFdAARZ8mzfejrP64TJ5XBJa3gYwuCKOEGlw2E/lWCWS7LeS6CA==
scrypt$Cj0PzdtT3qS2$148$$1$64$qn4CDnM8CcIBNrpQXHo6ti8vSUoSXj7GBFy7k1bp5wPs8jKjh/gHZ+qM9uk6LbcVHm02yBaI5WCbDm/Shq/MXA==
scrypt$Cj0PzdtT3qS2$14$$81$64$qn4CDnM8CcIBNrpQXHo6ti8vSUoSXj7GBFy7k1bp5wPs8jKjh/gHZ+qM9uk6LbcVHm02yBaI5WCbDm/Shq/MXA==
scrypt$Cj0PzdtT3qS2$14$81$$64$qn4CDnM8CcIBNrpQXHo6ti8vSUoSXj7GBFy7k1bp5wPs8jKjh/gHZ+qM9uk6LbcVHm02yBaI5WCbDm/Shq/MXA==
scrypt$Cj0PzdtT3qS2$14$8$$164$qn4CDnM8CcIBNrpQXHo6ti8vSUoSXj7GBFy7k1bp5wPs8jKjh/gHZ+qM9uk6LbcVHm02yBaI5WCbDm/Shq/MXA==
$pbkdf2-hmac-md5$19salt$f31afb6d931392daa5e3130f47f9a9b6
$vtp$2$196$14000107000105dc000186a164656661756c740014000105000505dc000186a56368656e6100000010000103000605dc000186a6666666001800020c03ea05dc00018a8a666464692d64656661756c743000030d03eb117800018a8b74726372662d64656661756c7400000001010ccc040103ed0701000208010007090100072000040f03ec05dc00018a8c666464696e65742d64656661756c7400030100012400050d03ed117800018a8d74726272662d64656661756c740000000201000f03010002$80$0201019c646f6d61696e313233343536000000000000000000000000000000000000000000000015000000003134313030393134333631376010913064949d6f47a53b2ad68ef06b0000000106010002$6010913064949d6f47a53b2ad68ef06b
$vtp$2$196$14000107000105dc000186a164656661756c740014000105000505dc000186a56368656e6100000010000103000605dc000186a6666666001800020c03ea05dc00018a8a666464692d64656661756c743000030d03eb117800018a8b74726372662d64656661756c7400000001010ccc040103ed0701000208010007090100072000040f03ec05dc00018a8c666464696e65742d64656661756c7400030100012400050d03ed117800018a8d74726272662d64656661756c740000000201000f03010002$80$020101c0646f6d61696e313233343536000000000000000000000000000000000000000000000015000000003134313030393134333631376010913064949d6f47a53b2ad68ef06b0000000106010002$6010913064949d6f47a53b2ad68ef06b
$vtp$1$184$14000107000105dc000186a164656661756c740014000105000505dc000186a568656c6c6f0000002000020c03ea05dc00018a8a666464692d64656661756c7401010000040100002800031203eb05dc00018a8b746f6b656e2d72696e672d64656661756c74000001010000040100002400040f03ec05dc00018a8c666464696e65742d64656661756c740002010000030100012400050d03ed05dc00018a8d74726e65742d64656661756c740000000201000003010002$77$0101019c646f6d61696e313233343536000000000000000000000000000000000000000000000010000000003134313030393134313432372212dd93025abc600281d74ddda8a21c0101000200$2212dd93025abc600281d74ddda8a21c
$vtp$1$184$14000107000105dc000186a164656661756c740014000105000505dc000186a568656c6c6f0000002000020c03ea05dc00018a8a666464692d64656661756c7401010000040100002800031203eb05dc00018a8b746f6b656e2d72696e672d64656661756c74000001010000040100002400040f03ec05dc00018a8c666464696e65742d64656661756c740002010000030100012400050d03ed05dc00018a8d74726e65742d64656661756c740000000201000003010002$77$010101c0646f6d61696e313233343536000000000000000000000000000000000000000000000010000000003134313030393134313432372212dd93025abc600281d74ddda8a21c0101000200$2212dd93025abc600281d74ddda8a21c

Alexander

View attachment "fuzz.pl" of type "text/plain" (2077 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.