Classic Buffer Overflow in john in openwall/john
Valid
Reported on
Feb 20th 2022
Description
For the 1Password Cloud Keychain plugin, the lengths of inputs are not properly checked before the inputs are copied into fixed-length buffers. For example, creating a salt with a larger length than the buffer allows a buffer overflow.
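To illustrate the class of check the description says is missing, here is an added example in C. It is not john's code and not the real cloudkeychain_fmt_plug.c parser: it parses a constructed "<saltlen>$<salthex>$..." field layout into a fixed-size salt buffer, rejecting the line before any byte is written if the declared length exceeds the buffer or does not match the data. SALT_CAP, struct salt_rec, parse_salt_checked and the field layout are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define SALT_CAP 64  /* constructed capacity of the fixed-size salt buffer */

struct salt_rec {
    size_t salt_len;
    unsigned char salt[SALT_CAP];
};

/* Decode one hex digit; -1 if the character is not hex. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "<saltlen>$<salthex>$..." into rec. Returns 0 on success, -1 on reject.
 * Every bound is checked BEFORE anything is written into the fixed buffer;
 * an unchecked version that trusts <saltlen> is exactly the global-buffer-overflow
 * pattern ASan reports above. */
int parse_salt_checked(const char *fields, struct salt_rec *rec) {
    char *end;
    unsigned long n = strtoul(fields, &end, 10);
    if (end == fields || *end != '$') return -1;   /* need "<digits>$" */
    if (n == 0 || n > SALT_CAP) return -1;         /* the length check that prevents the overflow */
    const char *hex = end + 1;
    size_t hexlen = strcspn(hex, "$");
    if (hexlen != 2 * n) return -1;                /* declared length must match the data present */
    for (size_t i = 0; i < n; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;           /* malformed hex */
        rec->salt[i] = (unsigned char)((hi << 4) | lo);
    }
    rec->salt_len = n;
    return 0;
}

int main(void) {
    struct salt_rec rec;
    /* constructed sample fields: a valid 4-byte salt, then an oversized declared length */
    printf("%d\n", parse_salt_checked("4$deadbeef$1000", &rec));    /* prints 0 */
    printf("%d\n", parse_salt_checked("4096$deadbeef$1000", &rec)); /* prints -1 */
    return 0;
}
```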
Proof of Concept
Using the cloudkeychain.hash file:
$ ./run/john cloudkeychain.hash
=================================================================
==103166==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55f917d99688 at pc 0x55f9172ebbb6 bp 0x7fff28faa160 sp 0x7fff28faa150
WRITE of size 1 at 0x55f917d99688 thread T0
#0 0x55f9172ebbb5 in get_salt /home/sylvain/software/john/src/cloudkeychain_fmt_plug.c:124
#1 0x55f91751bd43 in ldr_load_pw_line /home/sylvain/software/john/src/loader.c:1045
#2 0x55f91751883f in read_file /home/sylvain/software/john/src/loader.c:255
#3 0x55f91751e8e0 in ldr_load_pw_file /home/sylvain/software/john/src/loader.c:1198
#4 0x55f91750cf42 in john_load /home/sylvain/software/john/src/john.c:1134
#5 0x55f91750cf42 in john_init /home/sylvain/software/john/src/john.c:1578
#6 0x55f91750cf42 in main /home/sylvain/software/john/src/john.c:2065
#7 0x7f5306c760b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#8 0x55f916fe52cd in _start (/home/sylvain/software/john/run/john+0x1ee2cd)
0x55f917d99688 is located 56 bytes to the left of global variable 'cur_salt' defined in 'cloudkeychain_fmt_plug.c:77:28' (0x55f917d996c0) of size 8
0x55f917d99688 is located 0 bytes to the right of global variable 'cs' defined in 'cloudkeychain_fmt_plug.c:116:28' (0x55f917d97e00) of size 6280
SUMMARY: AddressSanitizer: global-buffer-overflow /home/sylvain/software/john/src/cloudkeychain_fmt_plug.c:124 in get_salt
==103166==ABORTING
Impact
A buffer overflow may allow exploitation of the program, which can let an attacker execute arbitrary code.
We are processing your report and will contact the openwall/john team within 24 hours.
a year ago
We have contacted a member of the openwall/john team and are waiting to hear back
a year ago
Solar Designer modified the report
a year ago
We have sent a follow up to the openwall/john team. We will try again in 7 days.
a year ago
Sylvain, are you going to fix this one as well? Or at least bring it to our GitHub, please? Thank you!
We have sent a second follow up to the openwall/john team. We will try again in 10 days.
a year ago
a year ago
We have sent a third and final follow up to the openwall/john team. This report is now considered stale.
a year ago