Classic Buffer Overflow in john in openwall/john

Valid

Reported on Feb 20th 2022


Description

For the 1Password Cloud Keychain plugin, the lengths of inputs are not properly checked. The inputs are then copied to fixed-length buffers. For example, creating a salt with a larger length allows a buffer overflow.

Proof of Concept

Using the cloudkeychain.hash file:

$ ./run/john cloudkeychain.hash 
=================================================================
==103166==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55f917d99688 at pc 0x55f9172ebbb6 bp 0x7fff28faa160 sp 0x7fff28faa150
WRITE of size 1 at 0x55f917d99688 thread T0
    #0 0x55f9172ebbb5 in get_salt /home/sylvain/software/john/src/cloudkeychain_fmt_plug.c:124
    #1 0x55f91751bd43 in ldr_load_pw_line /home/sylvain/software/john/src/loader.c:1045
    #2 0x55f91751883f in read_file /home/sylvain/software/john/src/loader.c:255
    #3 0x55f91751e8e0 in ldr_load_pw_file /home/sylvain/software/john/src/loader.c:1198
    #4 0x55f91750cf42 in john_load /home/sylvain/software/john/src/john.c:1134
    #5 0x55f91750cf42 in john_init /home/sylvain/software/john/src/john.c:1578
    #6 0x55f91750cf42 in main /home/sylvain/software/john/src/john.c:2065
    #7 0x7f5306c760b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x55f916fe52cd in _start (/home/sylvain/software/john/run/john+0x1ee2cd)

0x55f917d99688 is located 56 bytes to the left of global variable 'cur_salt' defined in 'cloudkeychain_fmt_plug.c:77:28' (0x55f917d996c0) of size 8
0x55f917d99688 is located 0 bytes to the right of global variable 'cs' defined in 'cloudkeychain_fmt_plug.c:116:28' (0x55f917d97e00) of size 6280
SUMMARY: AddressSanitizer: global-buffer-overflow /home/sylvain/software/john/src/cloudkeychain_fmt_plug.c:124 in get_salt
Shadow bytes around the buggy address:
  0x0abfa2fab280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abfa2fab290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abfa2fab2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abfa2fab2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abfa2fab2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abfa2fab2d0: 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0abfa2fab2e0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0abfa2fab2f0: 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9
  0x0abfa2fab300: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0abfa2fab310: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0abfa2fab320: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==103166==ABORTING

Impact

Buffer overflow may lead to exploiting the program, which can allow the attacker to execute arbitrary code.
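
A defensive parsing pattern for the class of bug reported above, as an added example that is not code from John the Ripper or from the report. The `$demo$<len>$<hex>` line format, `SALT_MAX`, `struct salt_rec` and `parse_salt` are hypothetical; the point is that the declared length is checked against both the fixed buffer and the actual field length before any byte is stored.

```c
#include <stddef.h>
#include <string.h>

#define SALT_MAX 16                 /* hypothetical capacity of the fixed salt buffer */

struct salt_rec {                   /* hypothetical fixed-size salt record */
    unsigned int  salt_len;
    unsigned char salt[SALT_MAX];
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a constructed "$demo$<saltlen>$<salthex>" line into *out.
 * Returns 0 on success, -1 on any malformed or oversized input. */
int parse_salt(const char *line, struct salt_rec *out)
{
    static const char tag[] = "$demo$";
    struct salt_rec tmp;
    size_t len = 0, i;
    int digits = 0;
    const char *p;

    if (strncmp(line, tag, sizeof(tag) - 1) != 0) return -1;
    p = line + sizeof(tag) - 1;
    for (; *p >= '0' && *p <= '9'; p++, digits++) {
        len = len * 10 + (size_t)(*p - '0');
        if (len > SALT_MAX) return -1;      /* declared length exceeds the buffer */
    }
    if (digits == 0 || *p++ != '$') return -1;
    if (strlen(p) != 2 * len) return -1;    /* declared length must match the data */

    memset(&tmp, 0, sizeof(tmp));
    for (i = 0; i < len; i++) {             /* i < len <= SALT_MAX: writes stay in bounds */
        int hi = hexval(p[2 * i]), lo = hexval(p[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;    /* non-hex character */
        tmp.salt[i] = (unsigned char)((hi << 4) | lo);
    }
    tmp.salt_len = (unsigned int)len;
    *out = tmp;                             /* commit only after full validation */
    return 0;
}
```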

We are processing your report and will contact the openwall/john team within 24 hours. 3 months ago
We have contacted a member of the openwall/john team and are waiting to hear back 3 months ago
Solar Designer modified the report
3 months ago
We have sent a follow up to the openwall/john team. We will try again in 7 days. 3 months ago
Solar Designer
3 months ago

Maintainer


Sylvain, are you going to fix this one as well? Or at least bring it to our GitHub, please? Thank you!

Sylvain
3 months ago

Researcher


Yes I'll fix it.

We have sent a second follow up to the openwall/john team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the openwall/john team. This report is now considered stale. 2 months ago
Solar Designer validated this vulnerability 2 months ago
Sylvain Pelissier has been awarded the disclosure bounty
The fix bounty is now up for grabs
Solar Designer confirmed that a fix has been merged on a4ecdf 2 months ago
Sylvain Pelissier has been awarded the fix bounty