Message-ID: <CAC4WxJ6rkdGnT2q5HJA+jBLC=s+f5dUww_=mi_wPeXi7KKD-Pw@mail.gmail.com> Date: Wed, 1 Aug 2012 13:14:25 +0200 From: Guth <guth@...posor.com> To: john-users@...ts.openwall.com Subject: Wordlist memory corruption - 1.7.9-jumbo-6 Hi, It seems that jtr segfaults or corrupts memory on wordlist attacks under some circumstances: guth[run]$ ./john John the Ripper password cracker, ver: 1.7.9-jumbo-6 [linux-x86-64-native] guth[run]$ echo test:$(echo -n 'whatever, Crak me If you can.' | md5sum |cut -c -32) > testfile.hash guth[run]$ cat testfile.hash test:f74a21cbdce75195e6ce7fe4c9dd2281 guth[run]$ echo 'whatever, Crak me If you can.' >dicOK.txt guth[run]$ ./john testfile.hash --format=raw-md5 -w=dicOK.txt Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) whatever, Crak me If you can. (test) guesses: 1 time: 0:00:00:00 DONE (Wed Aug 1 11:56:04 2012) c/s: 50.00 trying: whatever, Crak me If you can. guth[run]$ ./john testfile.hash --format=raw-md5 -w=dicKO-rev.txt Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) guesses: 0 time: 0:00:00:00 DONE (Wed Aug 1 11:57:51 2012) c/s: 500 trying: tset - enodllew guth[run]$ cat dicKO-rev.txt tset 2tset 3t éhéh enodllew ./john testfile.hash --format=raw-md5 -w=polish_rev Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) Segmentation fault guth[run]$ head -1 polish_rev >polish_rev_1 guth[run]$ head -2 polish_rev >polish_rev_2 guth[run]$ cat polish_rev_1 zciwonakaba guth[run]$ cat -e polish_rev_1 ^Mzciwonakaba$ guth[run]$ cat polish_rev_2 zciwonakaba ruzaba guth[run]$ cat -e polish_rev_2 ^Mzciwonakaba$ ^Mruzaba$ guth[run]$ ./john testfile.hash --format=raw-md5 -w=polish_rev_1 Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) guesses: 0 time: 0:00:00:00 DONE (Wed Aug 1 12:08:43 2012) c/s: 200 trying: - zciwonakaba guth[run]$ ./john testfile.hash --format=raw-md5 -w=polish_rev_2 Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) *** glibc detected *** ./john: malloc(): memory 
corruption: 0x00000000008603b0 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7a25b)[0x7f3ba9f9025b] /lib64/libc.so.6(__libc_malloc+0x6e)[0x7f3ba9f927ce] /lib64/libc.so.6(fdopen+0x127)[0x7f3ba9f7d967] ./john[0x4b8fb4] ./john[0x4c25e2] ./john[0x4b2b74] ./john[0x4b30cf] /lib64/libc.so.6(__libc_start_main+0xfd)[0x7f3ba9f34e5d] ./john[0x404729] ======= Memory map: ======== 00400000-00524000 r-xp 00000000 08:01 579681 /test/john-1.7.9-jumbo-6/run/john 00724000-00745000 rw-p 00124000 08:01 579681 /test/john-1.7.9-jumbo-6/run/john 00745000-008f6000 rw-p 00000000 00:00 0 [heap] 7f3ba4000000-7f3ba4021000 rw-p 00000000 00:00 0 7f3ba4021000-7f3ba8000000 ---p 00000000 00:00 0 7f3ba9d01000-7f3ba9d16000 r-xp 00000000 08:01 135476 /usr/lib64/libgcc_s.so.1 7f3ba9d16000-7f3ba9f15000 ---p 00015000 08:01 135476 /usr/lib64/libgcc_s.so.1 7f3ba9f15000-7f3ba9f16000 rw-p 00014000 08:01 135476 /usr/lib64/libgcc_s.so.1 7f3ba9f16000-7f3baa0b1000 r-xp 00000000 08:01 392513 /lib64/libc-2.13.so 7f3baa0b1000-7f3baa2b1000 ---p 0019b000 08:01 392513 /lib64/libc-2.13.so 7f3baa2b1000-7f3baa2b5000 r--p 0019b000 08:01 392513 /lib64/libc-2.13.so 7f3baa2b5000-7f3baa2b6000 rw-p 0019f000 08:01 392513 /lib64/libc-2.13.so 7f3baa2b6000-7f3baa2bc000 rw-p 00000000 00:00 0 7f3baa2bc000-7f3baa2be000 r-xp 00000000 08:01 392518 /lib64/libdl-2.13.so 7f3baa2be000-7f3baa4be000 ---p 00002000 08:01 392518 /lib64/libdl-2.13.so 7f3baa4be000-7f3baa4bf000 r--p 00002000 08:01 392518 /lib64/libdl-2.13.so 7f3baa4bf000-7f3baa4c0000 rw-p 00003000 08:01 392518 /lib64/libdl-2.13.so 7f3baa4c0000-7f3baa4c9000 r-xp 00000000 08:01 392516 /lib64/libcrypt-2.13.so 7f3baa4c9000-7f3baa6c9000 ---p 00009000 08:01 392516 /lib64/libcrypt-2.13.so 7f3baa6c9000-7f3baa6ca000 r--p 00009000 08:01 392516 /lib64/libcrypt-2.13.so 7f3baa6ca000-7f3baa6cb000 rw-p 0000a000 08:01 392516 /lib64/libcrypt-2.13.so 7f3baa6cb000-7f3baa6f9000 rw-p 00000000 00:00 0 7f3baa6f9000-7f3baa70f000 r-xp 00000000 08:01 153945 /usr/lib64/libz.so.1.2.5 
7f3baa70f000-7f3baa90e000 ---p 00016000 08:01 153945 /usr/lib64/libz.so.1.2.5 7f3baa90e000-7f3baa90f000 rw-p 00015000 08:01 153945 /usr/lib64/libz.so.1.2.5 7f3baa90f000-7f3baa993000 r-xp 00000000 08:01 392519 /lib64/libm-2.13.so 7f3baa993000-7f3baab92000 ---p 00084000 08:01 392519 /lib64/libm-2.13.so 7f3baab92000-7f3baab93000 r--p 00083000 08:01 392519 /lib64/libm-2.13.so 7f3baab93000-7f3baab94000 rw-p 00084000 08:01 392519 /lib64/libm-2.13.so 7f3baab94000-7f3baacf5000 r-xp 00000000 08:01 434555 /lib64/libcrypto.so.0.9.8 7f3baacf5000-7f3baaef5000 ---p 00161000 08:01 434555 /lib64/libcrypto.so.0.9.8 7f3baaef5000-7f3baaf1a000 rw-p 00161000 08:01 434555 /lib64/libcrypto.so.0.9.8 7f3baaf1a000-7f3baaf1e000 rw-p 00000000 00:00 0 7f3baaf1e000-7f3baaf6b000 r-xp 00000000 08:01 434556 /lib64/libssl.so.0.9.8 7f3baaf6b000-7f3bab16a000 ---p 0004d000 08:01 434556 /lib64/libssl.so.0.9.8 7f3bab16a000-7f3bab171000 rw-p 0004c000 08:01 434556 /lib64/libssl.so.0.9.8 7f3bab171000-7f3bab192000 r-xp 00000000 08:01 392569 /lib64/ld-2.13.so 7f3bab361000-7f3bab366000 rw-p 00000000 00:00 0 7f3bab38e000-7f3bab391000 rw-p 00000000 00:00 0 7f3bab391000-7f3bab392000 r--p 00020000 08:01 392569 /lib64/ld-2.13.so 7f3bab392000-7f3bab394000 rw-p 00021000 08:01 392569 /lib64/ld-2.13.so 7fffd5288000-7fffd52a9000 rw-p 00000000 00:00 0 [stack] 7fffd53d7000-7fffd53d8000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Abandon gcc --version gcc (GCC) 4.5.2 problem is triggered on rec_init(db, save_state); (called from wordlist.c): void rec_init(struct db_main *db, void (*save_mode)(FILE *file)) { fprintf(stderr, "debug rec_init open OK\n"); rec_done(1); if (!rec_argc) return; rec_name_complete(); if ((rec_fd = open(path_expand(rec_name), O_RDWR | O_CREAT, 0600)) < 0) pexit("open: %s", path_expand(rec_name)); rec_lock(); fprintf(stderr, "debug rec_init fdopen(%x)\n", rec_fd); if (!(rec_file = fdopen(rec_fd, "w"))) pexit("fdopen"); fprintf(stderr, "debug 
rec_init after fdopen OK\n"); rec_db = db; rec_save_mode = save_mode; } guth[run]$ ./john testfile.hash --format=raw-md5 -w=polish_rev_2 Loaded 1 password hash (Raw MD5 [128/128 AVX intrinsics 8x]) debug Started init_this_time OK debug init_this_time - before rec_init OK debug rec_init open OK debug rec_init before fdopen OK debug rec_init fdopen(7) *** glibc detected *** ./john: malloc(): memory corruption: 0x00000000008f33b0 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7a25b)[0x7f32f7bee25b] /lib64/libc.so.6(__libc_malloc+0x6e)[0x7f32f7bf07ce] /lib64/libc.so.6(fdopen+0x127)[0x7f32f7bdb967]