Date: Mon, 25 May 2015 22:00:07 +0200
From: Marek Wrzosek <>
Subject: Re: Using loopback with regex could cause crash

On 25.05.2015 at 19:33, Marek Wrzosek wrote:
> On 25 May 2015 18:52:10 CEST, magnum <> wrote:
>> On 2015-05-25 18:38, Marek Wrzosek wrote:
>>> Hi
>>> If john.pot contains e.g. "." and john is started with --loopback
>>> --rules=none --regex=case=alpha:case="\0" (--regex="\0" doesn't crash
>>> with the same john.pot) then this could happen:
>>> buf=[sS][eE][xX][iI][sS]
>>> buf=0
>>> buf=[jJ]
>>> buf=[mM]
>>> buf=[pP]
>>> buf=2
>>> buf=9
>>> buf=[bB]
>>> buf=[cC]
>>> buf=[dD]
>>> buf=[lL]
>>> buf=[gG]
>>> buf=[wW]
>>> buf=.
>>> error: syntax error, unexpected $end
>>> Error, invalid regex expression.  John exiting now  base_word=.  Regex= .
>>> I think that forbidden characters should be escaped with \ or in []
>>> brackets, don't you think? The first would require changing john, but the
>>> latter maybe only changing regex_alphabets.conf, e.g. by adding a ".=[.]" line.
>> I believe escaping would significantly hurt performance. Not sure if 
>> there's any alternative though. For uses like this it would be nice to 
>> be able to give some "best effort" flag to librexgen so it doesn't
>> fail.
>> The wordlist+rexgen mode is very experimental (that "buf=" output is 
>> even a debug print). JimF lost faith in librexgen when the API changed 
>> without notice, and hasn't touched it since. Maybe we should drop the 
>> support for it for now (while keeping the standalone regex mode).
>> magnum
> This functionality is at an early stage, so this debug print is very helpful.
> I thought of putting the escaping of some characters into the alphabet file. Will it hurt the performance then?
> Furthermore, librexgen is not enabled by default, so maybe we should keep it that way for now (standalone and wordlist mode).
> In the default build there is Mask mode, which is very similar to regex, but regex will be more powerful in the future.
Maybe it would be good to create an "empty" alphabet for regex that
consists of e.g. escaped characters that would cause trouble if they're
"free", and then hard-code this "empty" alphabet and use it to
prepopulate in case some real alphabet from a file is used. This should
be faster than checking every character and then escaping it "by hand"
if it turns out to be bad.
Marek Wrzosek
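The hard-coded "empty" alphabet proposed in this thread, sketched as an added C example; this is illustration code, not code from John the Ripper or librexgen. It assumes a 256-entry table that is pre-seeded with backslash escapes for the regex metacharacters (the thread also mentions the "[.]" bracket form; the backslash form is used here because it is valid for every metacharacter, including "]" and "\"), on top of which per-character lines from an alphabet file are loaded. The "c=replacement" line format, the function names and the "\0" placeholder handling are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHABET_SIZE 256

/* One replacement string per byte value; NULL means "copy the byte as-is". */
static const char *alphabet[ALPHABET_SIZE];
/* Backing storage for the seeded escapes ("\\" followed by the byte). */
static char seeded[ALPHABET_SIZE][3];
/* Entries that came from an alphabet file, so they can be freed on reload. */
static char *heap[ALPHABET_SIZE];

/* Characters that carry a special meaning in a regex when left unescaped. */
static const char REGEX_META[] = ".*+?^$|()[]{}\\";

/* The "empty" alphabet: clear every entry, then pre-seed the metacharacters
 * with their escaped form. A real alphabet file is loaded on top of this,
 * so a word read back from john.pot (e.g. ".") can no longer reach the
 * regex engine as a bare metacharacter. */
void alphabet_init(void)
{
    const char *p;
    int i;
    for (i = 0; i < ALPHABET_SIZE; i++) {
        free(heap[i]);
        heap[i] = NULL;
        alphabet[i] = NULL;
    }
    for (p = REGEX_META; *p; p++) {
        unsigned char c = (unsigned char)*p;
        seeded[c][0] = '\\';
        seeded[c][1] = (char)c;
        seeded[c][2] = '\0';
        alphabet[c] = seeded[c];
    }
}

/* Load one "c=replacement" line (assumed alphabet-file format, e.g. "a=[aA]").
 * Returns 0 on success, -1 on a malformed line or allocation failure. */
int alphabet_load_line(const char *line)
{
    unsigned char c;
    size_t n;
    char *copy;
    if (line == NULL || line[0] == '\0' || line[1] != '=' || line[2] == '\0')
        return -1;
    c = (unsigned char)line[0];
    n = strlen(line + 2);
    copy = malloc(n + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, line + 2, n + 1);
    free(heap[c]);            /* replacing an earlier file-loaded entry */
    heap[c] = copy;
    alphabet[c] = copy;
    return 0;
}

/* Expand word through the alphabet into out. Returns the length written,
 * or -1 if the expansion would not fit in outlen bytes. */
int expand_word(const char *word, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    for (; *word; word++) {
        unsigned char c = (unsigned char)*word;
        char one[2] = { (char)c, '\0' };
        const char *rep = alphabet[c] ? alphabet[c] : one;
        size_t n = strlen(rep);
        if (used + n + 1 > outlen)
            return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Substitute every "\0" in tmpl with the expanded word (the --regex="\0"
 * convention for "the current word"). Returns the length written or -1. */
int build_regex(const char *tmpl, const char *word, char *out, size_t outlen)
{
    char expanded[256];
    size_t used = 0, elen;
    if (outlen == 0 || expand_word(word, expanded, sizeof expanded) < 0)
        return -1;
    elen = strlen(expanded);
    for (; *tmpl; tmpl++) {
        if (tmpl[0] == '\\' && tmpl[1] == '0') {
            if (used + elen + 1 > outlen)
                return -1;
            memcpy(out + used, expanded, elen);
            used += elen;
            tmpl++;           /* skip the '0' of the placeholder */
        } else {
            if (used + 2 > outlen)
                return -1;
            out[used++] = *tmpl;
        }
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample: a "case" alphabet with four letters, then the
     * john.pot entries "sexis" and "." from the thread's debug output. */
    char buf[128];
    alphabet_init();
    alphabet_load_line("s=[sS]");
    alphabet_load_line("e=[eE]");
    alphabet_load_line("x=[xX]");
    alphabet_load_line("i=[iI]");
    build_regex("\\0", "sexis", buf, sizeof buf);
    printf("sexis -> %s\n", buf);   /* [sS][eE][xX][iI][sS] */
    build_regex("\\0", ".", buf, sizeof buf);
    printf(".     -> %s\n", buf);   /* \. instead of a bare . */
    return 0;
}
```

Because the escapes live in the table rather than in a per-character check, the expansion loop does the same single lookup for "." as for "s"; the only cost of the safety net is the extra byte in the escaped replacement.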
