diff --git a/docs/changes.txt b/docs/changes.txt index 1938cbed3..fb006f9cc 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -105,6 +105,7 @@ - Fixed minimum password length in module of hash-mode 28200 - Fixed minimum password length in module of hash-mode 29800 - Fixed out-of-boundary read when a fast hash defines a kernel_loops_min value higher than the amplifiers provided by the user +- Fixed stack buffer overflow in PKZIP modules (17200, 17210, 17220, 17225, 17230) - Fixed vector datatypes usage for HIP - Fix missing check for -j and -k before writing hashcat.dictstat2 which can lead to false negatives - Handle signed/unsigned PDF permission P value for all PDF hash-modes diff --git a/src/modules/module_17200.c b/src/modules/module_17200.c index 5cde1ed63..84fd6af85 100644 --- a/src/modules/module_17200.c +++ b/src/modules/module_17200.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -218,9 +219,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -330,6 +333,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE digest[2] = 0; digest[3] = 0; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17210.c b/src/modules/module_17210.c index 568f75842..050ca05d1 100644 --- a/src/modules/module_17210.c +++ b/src/modules/module_17210.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -186,9 +187,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -297,6 +300,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE digest[2] = 0; digest[3] = 0; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17220.c b/src/modules/module_17220.c index 8131b1ea9..56c34d255 100644 --- a/src/modules/module_17220.c +++ b/src/modules/module_17220.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -218,9 +219,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -326,6 +329,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17225.c b/src/modules/module_17225.c index e693b5aba..6b6fac8fd 100644 --- a/src/modules/module_17225.c +++ b/src/modules/module_17225.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -219,9 +220,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -327,6 +330,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); } diff --git a/src/modules/module_17230.c b/src/modules/module_17230.c index 93cfc30c7..fd285f5b9 100644 --- a/src/modules/module_17230.c +++ b/src/modules/module_17230.c @@ -91,6 +91,7 @@ Related publication: https://scitepress.org/PublicationsDetail.aspx?ID=KLPzPqStp #include "bitops.h" #include "convert.h" #include "shared.h" +#include "memory.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; static const u32 DGST_POS0 = 0; @@ -199,9 +200,11 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 *digest = (u32 *) digest_buf; - char input[line_len + 1]; + char *input = (char *) hcmalloc (line_len + 1); + if (!input) return PARSER_HAVE_ERRNO; + + memcpy (input, line_buf, line_len); input[line_len] = '\0'; - memcpy (&input, line_buf, line_len); char *saveptr = NULL; @@ -308,6 +311,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = pkzip->hash_count << 2; + hcfree (input); + return (PARSER_OK); }