Fixed a parser error in multiple modes not checking for return code, resulting in negative memory index writes

2024-11-02 05:30:19 +00:00 · 2017-09-04 15:53:13 +02:00 · 2017-09-04 15:53:13 +02:00 · 0dfe015301
commit 0dfe015301
parent 8b0e7087c7
2 changed files with 40 additions and 3 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -30,6 +30,7 @@
 - Fixed an integer overflow in masks not skipped when loaded from file
 - Fixed an integer overflow in hash buffer size calculation
 - Fixed a parser error for mode -m 9820 = MS Office <= 2003 $3, SHA1 + RC4, collider #2
+- Fixed a parser error in multiple modes not checking for return code, resulting in negative memory index writes
 - Fixed a problem with changed current working directory, for instance by using --restore together with --remove
 - Fixed a problem with the conversion to the $HEX[] format: convert/hexify also all passwords of the format $HEX[]
 - Fixed the calculation of device_name_chksum; should be done for each iteration
--- a/src/interface.c
+++ b/src/interface.c
@ -2975,6 +2975,8 @@ int netscreen_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  // max. salt length: 55 (max for MD5) - 22 (":Administration Tools:") - 1 (0x80) = 32
  // 32 - 4 bytes (to fit w0lr for all attack modes) = 28

@ -3913,6 +3915,8 @@ int md5s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSE

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > 64) return (PARSER_SALT_LENGTH);

  salt->salt_len = salt_len;
@ -4704,6 +4708,8 @@ int ipb2_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSE

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > 64) return (PARSER_SALT_LENGTH);

  salt->salt_len = salt_len;
@ -4868,6 +4874,8 @@ int sha1sha1_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_U

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt->salt_len = salt_len;

  return (PARSER_OK);
@ -8101,7 +8109,9 @@ int opencart_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_U

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

-  if ((salt_len != 9) || (salt_len == UINT_MAX)) return (PARSER_SALT_LENGTH);
+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
+  if (salt_len != 9) return (PARSER_SALT_LENGTH);

  salt->salt_len = salt_len;

@ -10296,6 +10306,8 @@ int redmine_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UN

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len != 32) return (PARSER_SALT_LENGTH);

  salt->salt_len = salt_len;
@ -10335,6 +10347,8 @@ int punbb_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUS

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_buf, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len != 12) return (PARSER_SALT_LENGTH);

  salt->salt_len = salt_len;
@ -11247,6 +11261,8 @@ int pbkdf2_sha256_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MA

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > (64 - 8)) return (PARSER_SALT_LENGTH);

  salt_buf_ptr[salt_len + 3] = 0x01;
@ -11385,6 +11401,8 @@ int postgresql_auth_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf,

  user_len = parse_and_store_salt (salt_buf_ptr + 4, user_pos, user_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt->salt_len = 4 + user_len;

  return (PARSER_OK);
@ -11442,6 +11460,8 @@ int mysql_auth_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt->salt_len = salt_len;

  return (PARSER_OK);
@ -11589,6 +11609,8 @@ int bitcoin_wallet_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, M

  const u32 salt_len = parse_and_store_salt (salt_buf_ptr, cry_salt_buf_pos, cry_salt_buf_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt->salt_len = salt_len;

  return (PARSER_OK);
@ -12386,6 +12408,8 @@ int pbkdf2_md5_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > (64 - 8)) return (PARSER_SALT_LENGTH);

  salt_buf_ptr[salt_len + 3] = 0x01;
@ -12468,6 +12492,8 @@ int pbkdf2_sha1_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYB

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > (64 - 8)) return (PARSER_SALT_LENGTH);

  salt_buf_ptr[salt_len + 3] = 0x01;
@ -12555,6 +12581,8 @@ int pbkdf2_sha512_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MA

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len > (128 - 16)) return (PARSER_SALT_LENGTH);

  salt_buf_ptr[salt_len + 3] = 0x01;
@ -14796,6 +14824,8 @@ int itunes_backup_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MA

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt->salt_len = salt_len;

  // dpsl
@ -15161,6 +15191,8 @@ int atlassian_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_

  u32 salt_len = parse_and_store_salt (salt_buf_ptr, tmp_buf, 16, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  if (salt_len != 16) return (PARSER_SALT_LENGTH);

  salt_buf_ptr[salt_len + 3] = 0x01;
@ -15428,6 +15460,8 @@ int ethereum_pbkdf2_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf,

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  salt_buf_ptr[salt_len + 3] = 0x01;
  salt_buf_ptr[salt_len + 4] = 0x80;

@ -15566,6 +15600,8 @@ int ethereum_scrypt_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf,

  salt_len = parse_and_store_salt (salt_buf_ptr, salt_pos, salt_len, hashconfig);

+  if (salt_len == UINT_MAX) return (PARSER_SALT_LENGTH);
+
  // salt

  salt->salt_buf[0] = ethereum_scrypt->salt_buf[0];
@ -16438,7 +16474,7 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le
      memcpy (ptr, tmp, salt_len);
    }

-    u32 memset_size = ((48 - (int) salt_len) > 0) ? (48 - salt_len) : 0;
+    u32 memset_size = ((SALT_MAX - (int) salt_len) > 0) ? (SALT_MAX - salt_len) : 0;

    memset (ptr + salt_len, 0, memset_size);

@ -16459,7 +16495,7 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le
  char tmp_buf[1024] = { 0 };

  char *ptr_plain = (char *) out_buf_plain;
-  u8 *ptr_salt  = (u8 *) out_buf_salt;
+  u8   *ptr_salt  = (u8 *)   out_buf_salt;

  if (hash_mode == 22)
  {