openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

pkzip: memory allocation in cmp_exact with wrong/problematic size #5024

Open AlekseyCherepanov opened 2 years ago

AlekseyCherepanov commented 2 years ago

I created hashes with --fuzz-dump, commenting out most of the self-tests in the pkzip format (for the test in #5023).

It turned out that a regular attack can crash in an ASan build: (local paths are replaced by ...)

$ /usr/bin/time ./run/john --format=pkzip pwfile.PKZIP
Warning: invalid UTF-8 seen reading pwfile.PKZIP
Using default input encoding: UTF-8
Loaded 1604 password hashes with 271 different salts (5.9x same-salt boost) (PKZIP [32/64])
Proceeding with single, rules:Single
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:./run/password.lst
==32496==WARNING: AddressSanitizer failed to allocate 0x68888888888 bytes
==32496==AddressSanitizer's allocator is terminating the process instead of returning 0
==32496==If you don't like this behavior set allocator_may_return_null=1
==32496==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f2fd4321fa5 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:67
    #1 0x7f2fd433cf39 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
    #2 0x7f2fd4327006 in __sanitizer::ReportAllocatorCannotReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216
    #3 0x7f2fd4327043 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:232
    #4 0x7f2fd42567e5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) ../../../../src/libsanitizer/asan/asan_allocator.cc:415
    #5 0x7f2fd4255286 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:812
    #6 0x7f2fd431730b in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:87
    #7 0x556d4ccf8070 in mem_alloc .../john/src/memory.c:90
    #8 0x556d4cbf401c in cmp_exact .../john/src/pkzip_fmt_plug.c:948
    #9 0x556d4ccb537f in crk_password_loop .../john/src/cracker.c:908
    #10 0x556d4ccb6a4b in crk_salt_loop .../john/src/cracker.c:1065
    #11 0x556d4ccb70bf in process_key .../john/src/cracker.c:1148
    #12 0x556d4cd212cb in do_wordlist_crack .../john/src/wordlist.c:1349
    #13 0x556d4cc9ecff in do_wordlist_pass .../john/src/batch.c:40
    #14 0x556d4cc9ee41 in do_batch_crack .../john/src/batch.c:60
    #15 0x556d4ccd3dee in john_run .../john/src/john.c:1841
    #16 0x556d4ccd3dee in main .../john/src/john.c:2082
    #17 0x7f2fd387309a in __libc_start_main ../csu/libc-start.c:308
    #18 0x556d4c84a1f9 in _start (.../john/run/john+0x1ed1f9)

Command exited with non-zero status 1
2.94user 0.47system 0:03.61elapsed 94%CPU (0avgtext+0avgdata 617600maxresident)k
0inputs+64outputs (0major+189103minor)pagefaults 0swaps

john can catch failure of allocation:

$ ASAN_OPTIONS=allocator_may_return_null=1 ./run/john --format=pkzip pwfile.PKZIP
[...]
==1751==WARNING: AddressSanitizer failed to allocate 0x68888888888 bytes
mem_alloc(): Cannot allocate memory trying to allocate 7183475968136 bytes

Not all attacks trigger the problem:

$ ./run/john --format=pkzip pwfile.PKZIP --mask='[0-9][0-9][0-9]'
[...]
0g 0:00:00:00 N/A 0g/s 5263p/s 1426Kc/s 8147KC/s 069..999
Session completed.

So there are 2 problems:

AlekseyCherepanov commented 2 years ago

Minified crasher:

$ cat t.pw
$pkzip$1*1*2*0*14*6eeeeeeeeee*775f54d8*0*47*8*14*8cd0*11b75efed56a5795f07c509268a88b4a6ff362ef*$/pkzip$

$ ./run/john --format=pkzip t.pw --mask='3780'
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
==5836==WARNING: AddressSanitizer failed to allocate 0x6eeeeeeeeee bytes
==5836==AddressSanitizer's allocator is terminating the process instead of returning 0
==5836==If you don't like this behavior set allocator_may_return_null=1
==5836==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216 "((0)) != (0)" (0x0, 0x0)
    #0 0x7ff20f812fa5 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:67
    #1 0x7ff20f82df39 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
    #2 0x7ff20f818006 in __sanitizer::ReportAllocatorCannotReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216
    #3 0x7ff20f818043 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:232
    #4 0x7ff20f7477e5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) ../../../../src/libsanitizer/asan/asan_allocator.cc:415
    #5 0x7ff20f746286 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:812
    #6 0x7ff20f80830b in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:87
    #7 0x5583634eb070 in mem_alloc /home/user/john/src/memory.c:90
    #8 0x5583633e701c in cmp_exact /home/user/john/src/pkzip_fmt_plug.c:948
    #9 0x5583634a7b04 in crk_password_loop /home/user/john/src/cracker.c:908
    #10 0x5583634a9a4b in crk_salt_loop /home/user/john/src/cracker.c:1065
    #11 0x5583634aaeff in crk_done /home/user/john/src/cracker.c:1321
    #12 0x5583634e9194 in mask_done /home/user/john/src/mask.c:2512
    #13 0x5583634c7451 in john_run /home/user/john/src/john.c:1844
    #14 0x5583634c7451 in main /home/user/john/src/john.c:2082
    #15 0x7ff20ed6409a in __libc_start_main ../csu/libc-start.c:308
    #16 0x55836303d1f9 in _start (/home/user/john/run/john+0x1ed1f9)

AlekseyCherepanov commented 2 years ago

The original password "test" would trigger the problem in cmp_exact too for the minified crasher. So the fuzzer could be improved without adding excessive hashing.
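The 0x6eeeeeeeeee-byte allocation in the trace is the same value as the `6eeeeeeeeee` length field of the minified crasher, so the hash line itself decides how much cmp_exact tries to malloc. As an added example (not john's code), here is the kind of bound a valid() routine can apply to the length fields before anything is sized from them; it assumes john's documented field layout `$pkzip$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]*$/pkzip$`, a 64 MiB cap chosen here as an assumed policy, and single-entry lines only.

```c
/* Added example, not john's code: bound the length fields of a $pkzip$
 * line before any buffer is sized from them.  Layout assumed to be the
 * one john documents: $pkzip$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]*$/pkzip$
 * Only single-entry lines (C == 1) are handled. */
#include <stdint.h>
#include <string.h>
#define PKZIP_MAX_LEN (64ull << 20)  /* 64 MiB cap, an assumed policy */
/* Parse 1..16 hex digits into *out; 0 on empty field or bad digit. */
static int hexval(const char *s, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    if (n == 0 || n > 16) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int d = (c >= '0' && c <= '9') ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10
              : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
        if (d < 0) return 0;
        v = (v << 4) | (uint64_t)d;
    }
    *out = v;
    return 1;
}

/* Split s on '*' into at most max (pointer, length) pairs; returns count. */
static int split(const char *s, const char **f, size_t *len, int max)
{
    int n = 0;
    for (;;) {
        const char *sep = strchr(s, '*');
        f[n] = s;
        len[n++] = sep ? (size_t)(sep - s) : strlen(s);
        if (!sep || n == max) return n;
        s = sep + 1;
    }
}

/* 1 if every length field parses and is within the cap, else 0: such a
 * line belongs in valid()'s reject path, long before cmp_exact() runs. */
int pkzip_lengths_sane(const char *line)
{
    const char *f[16]; size_t len[16]; uint64_t c, cl, ul, dl;
    if (strncmp(line, "$pkzip$", 7) != 0) return 0;
    if (split(line + 7, f, len, 16) < 12) return 0;
    /* 0=C 1=B 2=DT 3=MT 4=CL 5=UL 6=CR 7=OF 8=OX 9=CT 10=DL 11=CS 12=... */
    if (!hexval(f[0], len[0], &c) || c != 1) return 0;
    if (!hexval(f[4], len[4], &cl) || !hexval(f[5], len[5], &ul) ||
        !hexval(f[10], len[10], &dl)) return 0;
    return cl <= PKZIP_MAX_LEN && ul <= PKZIP_MAX_LEN && dl <= PKZIP_MAX_LEN;
}
```

Fed the crasher line from the comment above, the check rejects it; the same line with the oversized field replaced by a small value passes.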