From 0788fd9ae745dacc3b697cdae8534f73329bdc91 Mon Sep 17 00:00:00 2001 From: Gabriele Gristina Date: Sat, 26 Oct 2024 13:24:00 +0200 Subject: [PATCH] Fixed stack buffer overflow in PKZIP modules (17200, 17210, 17220, 17225, 17230) --- docs/changes.txt | 1 + src/modules/module_17200.c | 9 +++++++-- src/modules/module_17210.c | 9 +++++++-- src/modules/module_17220.c | 9 +++++++-- src/modules/module_17225.c | 9 +++++++-- src/modules/module_17230.c | 9 +++++++-- 6 files changed, 36 insertions(+), 10 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index 283e3c0d4..e1aab3de3 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -98,6 +98,7 @@ - Fixed minimum password length in module of hash-mode 28200 - Fixed minimum password length in module of hash-mode 29800 - Fixed out-of-boundary read when a fast hash defines a kernel_loops_min value higher than the amplifiers provided by the user +- Fixed stack buffer overflow in PKZIP modules (17200, 17210, 17220, 17225, 17230) - Fixed vector datatypes usage for HIP - Fix missing check for -j and -k before writing hashcat.dictstat2 which can lead to false negatives - Handle signed/unsigned PDF permission P value for all PDF hash-modes diff --git a/src/modules/module_17200.c b/src/modules/module_17200.c index 24f77798f..2125812e2 100644 --- a/src/modules/module_17200.c +++ b/src/modules/module_17200.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; 
@@ -206,9 +207,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -318,6 +321,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE digest[2] = 0; digest[3] = 0; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17210.c b/src/modules/module_17210.c index 307757689..58edcf343 100644 --- a/src/modules/module_17210.c +++ b/src/modules/module_17210.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -186,9 +187,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -297,6 +300,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE digest[2] = 0; digest[3] = 0; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17220.c b/src/modules/module_17220.c index c2ac82b2c..1356cf5e5 100644 --- a/src/modules/module_17220.c +++ b/src/modules/module_17220.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; 
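Review bot: The buffer allocated at `char *input = (char *) hcmalloc (line_len + 1);` is released only by the single `hcfree (input);` before `return (PARSER_OK);`, but the roughly one hundred lines of field parsing between the two hunks are outside this view, and any `return (PARSER_...)` error path in that stretch now leaks `input` where the old VLA was reclaimed automatically; the matching hunks in module_17210.c, module_17220.c, module_17225.c and module_17230.c have the same shape. Each such early return should become `{ hcfree (input); return (PARSER_...); }`, or the function should funnel through one exit such as `ret = PARSER_...; goto out;` with `out: hcfree (input); return ret;`, since a hash file full of rejected lines otherwise grows memory per line. If hcmalloc terminates the process on allocation failure, as hashcat's wrapper appears to, the `if (!input) return PARSER_HAVE_ERRNO;` branch is unreachable and deserves a comment saying so; in either case the `(char *)` cast on the returned pointer is unnecessary in C. module_hash_decode's signature and most of its body lie outside the hunk.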
@@ -206,9 +207,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -314,6 +317,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17225.c b/src/modules/module_17225.c index 3cbf0f51b..376d77e60 100644 --- a/src/modules/module_17225.c +++ b/src/modules/module_17225.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -207,9 +208,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -315,6 +318,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17230.c b/src/modules/module_17230.c index 2b3ef24c9..2166c3f6d 100644 --- a/src/modules/module_17230.c +++ b/src/modules/module_17230.c 
@@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -199,9 +200,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -308,6 +311,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); }