Heap-based Buffer Overflow in john in openwall/john

Valid

Reported on

Feb 20th 2022


Description

In the PEM plugin, the length of the ciphertext is not properly checked before the ciphertext is copied into a fixed-length buffer. Creating a ciphertext with a larger length allows a heap overflow.
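The missing check described above, as an added illustration in C that is not john's code: a hypothetical PEM-style hex ciphertext field parser that validates the decoded length against its fixed buffer before any byte is written. The struct, the buffer size and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed fixed-size buffer; the constant name and size are hypothetical,
 * not taken from john's pem_common_plug.c. */
#define PEM_CT_MAX 4096

struct pem_salt_example {
    size_t ciphertext_length;
    unsigned char ciphertext[PEM_CT_MAX];
};

/* Decode one hex digit; -1 for anything that is not [0-9a-fA-F]. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns the decoded byte length of a hex ciphertext field, or -1 if the
 * field is not well-formed hex or would not fit in PEM_CT_MAX.  Doing this
 * before the copy is the check the report says was missing. */
long pem_ciphertext_len_ok(const char *hex)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > PEM_CT_MAX)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (hex_nibble(hex[i]) < 0)
            return -1;
    return (long)(n / 2);
}

/* Hardened parse: the length is validated first, so every write below lands
 * inside the buffer.  Returns 0 on success, -1 on rejection. */
int pem_get_salt_example(const char *hex, struct pem_salt_example *s)
{
    long len = pem_ciphertext_len_ok(hex);
    if (len < 0)
        return -1;
    for (long i = 0; i < len; i++)
        s->ciphertext[i] = (unsigned char)(hex_nibble(hex[2 * i]) << 4 |
                                           hex_nibble(hex[2 * i + 1]));
    s->ciphertext_length = (size_t)len;
    return 0;
}
```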

Proof of Concept

Using the following file pem.hash

$ ./configure --enable-asan; make -j4
$ ../run/john --progress-every=1 pem.hash
=================================================================
==99129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100002693f at pc 0x5614dda1ec7a bp 0x7fff8d6e4e30 sp 0x7fff8d6e4e20
WRITE of size 1 at 0x62100002693f thread T0
    #0 0x5614dda1ec79 in pem_get_salt /home/sylvain/software/john/src/pem_common_plug.c:132
    #1 0x5614ddb2ed43 in ldr_load_pw_line /home/sylvain/software/john/src/loader.c:1045
    #2 0x5614ddb2b83f in read_file /home/sylvain/software/john/src/loader.c:255
    #3 0x5614ddb318e0 in ldr_load_pw_file /home/sylvain/software/john/src/loader.c:1198
    #4 0x5614ddb1ff42 in john_load /home/sylvain/software/john/src/john.c:1134
    #5 0x5614ddb1ff42 in john_init /home/sylvain/software/john/src/john.c:1578
    #6 0x5614ddb1ff42 in main /home/sylvain/software/john/src/john.c:2065
    #7 0x7f8b45e820b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x5614dd5f82cd in _start (/home/sylvain/software/john/run/john+0x1ee2cd)

0x62100002693f is located 0 bytes to the right of 4159-byte region [0x621000025900,0x62100002693f)
allocated by thread T0 here:
    #0 0x7f8b466c7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5614ddb48bcc in mem_alloc /home/sylvain/software/john/src/memory.c:92
    #2 0x5614ddb48f19 in mem_alloc_tiny /home/sylvain/software/john/src/memory.c:215
    #3 0x5614ddb48f5c in mem_calloc_tiny /home/sylvain/software/john/src/memory.c:229
    #4 0x5614dda1e6c1 in pem_get_salt /home/sylvain/software/john/src/pem_common_plug.c:107
    #5 0x5614ddb2ed43 in ldr_load_pw_line /home/sylvain/software/john/src/loader.c:1045
    #6 0x5614ddb2b83f in read_file /home/sylvain/software/john/src/loader.c:255
    #7 0x5614ddb318e0 in ldr_load_pw_file /home/sylvain/software/john/src/loader.c:1198
    #8 0x5614ddb1ff42 in john_load /home/sylvain/software/john/src/john.c:1134
    #9 0x5614ddb1ff42 in john_init /home/sylvain/software/john/src/john.c:1578
    #10 0x5614ddb1ff42 in main /home/sylvain/software/john/src/john.c:2065
    #11 0x7f8b45e820b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sylvain/software/john/src/pem_common_plug.c:132 in pem_get_salt
Shadow bytes around the buggy address:
==99129==ABORTING

Impact

A heap overflow may allow exploitation of the program, which could let an attacker execute arbitrary code.

We are processing your report and will contact the openwall/john team within 24 hours. 3 months ago
Sylvain Pelissier modified the report
3 months ago
Sylvain Pelissier modified the report
3 months ago
We have contacted a member of the openwall/john team and are waiting to hear back 3 months ago
Solar Designer
3 months ago

Maintainer


Hi. Can you please simply create an issue on our GitHub? We've dealt with several similar bugs recently, but this one escaped our own fuzzing so far. We don't treat them as security - that would be quite pointless given the overall code unquality and number of formats each with its own parsing - see issue 5028. Thank you!

Sylvain
3 months ago

Researcher


Interesting discussion indeed, it was mainly for me to test the huntr platform. I think I can fix it myself. Feel free to drop this one.

Solar Designer
3 months ago

Maintainer


Sure, we'd appreciate a PR from you. Thank you!

Solar Designer modified the report
3 months ago
We have sent a follow up to the openwall/john team. We will try again in 7 days. 3 months ago
Solar Designer
3 months ago

Maintainer


Thank you for fixing this one, Sylvain. Somehow huntr doesn't let me choose you under "Who should get rewarded for the patch?" - it only lets me choose me or nobody.

Sylvain
3 months ago

Researcher


You can choose yourself.

Solar Designer
3 months ago

Maintainer


I'd rather leave the money in huntr's pool then. Thanks.

Solar Designer validated this vulnerability 3 months ago
Sylvain Pelissier has been awarded the disclosure bounty
The fix bounty is now up for grabs
Solar Designer confirmed that a fix has been merged on 75667e 3 months ago
Sylvain Pelissier has been awarded the fix bounty
Solar Designer
3 months ago

Maintainer


Sylvain, I was able to choose you now - I don't know what changed.
