
crashes under ASan from fuzzing: PBKDF2-HMAC-MD5, SSH, hdaa, scrypt, and others #5157

Closed
AlekseyCherepanov opened this issue Jun 5, 2022 · 8 comments · Fixed by #5166
Labels
fuzz bug Bug that won't realistically be seen in normal usage (e.g., found by fuzzing)

Comments

@AlekseyCherepanov
Member

ssh:

$ perl -le 'print q{$sshng$1$16$570F498F6FF732775EE38648130F600D$10000$} . "00" x 10000' > t.pw
$ ./john/run/john t.pw
[...]
==395326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002188 at pc 0x562401e4a8c2 bp 0x7ffd00791a40 sp 0x7ffd00791a38
READ of size 1 at 0x625000002188 thread T0
    #0 0x562401e4a8c1 in ssh_get_salt /home/user/john/src/ssh_common_plug.c:121
    #1 0x562401ee374b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #2 0x562401ede227 in read_file /home/user/john/src/loader.c:260
    #3 0x562401ee61eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #4 0x562401ed5583 in john_load /home/user/john/src/john.c:1134
    #5 0x562401ed5583 in john_init /home/user/john/src/john.c:1578
    #6 0x562401ed5583 in main /home/user/john/src/john.c:2065
    #7 0x7f98f0943d09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x5624019d6489 in _start (/home/user/john/run/john+0x2dd489)

0x625000002188 is located 0 bytes to the right of 8328-byte region [0x625000000100,0x625000002188)
allocated by thread T0 here:
    #0 0x7f98f105e817 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:452
    #1 0x562401efd7c5 in xstrdup /home/user/john/src/memory.c:136
    #2 0x562401e4a6a2 in ssh_get_salt /home/user/john/src/ssh_common_plug.c:99
    #3 0x562401ee374b in ldr_load_pw_line /home/user/john/src/loader.c:1050

hdaa:

$ perl -le 'print q{$response$8663faf2337dbcb2c52882807592ec2c$} . "9" x 200 . q{user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$}' > t.pw
$ ./john/run/john t.pw
AddressSanitizer:DEADLYSIGNAL
=================================================================
==395331==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc529aa8b71 bp 0x7ffcfc70b580 sp 0x7ffcfc70ad28 T0)
==395331==The signal is caused by a READ memory access.
==395331==Hint: address points to the zero page.
    #0 0x7fc529aa8b71  (/lib/x86_64-linux-gnu/libc.so.6+0x15fb71)
    #1 0x7fc52a06fa8c in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:368
    #2 0x5629dd5550fb in get_salt /home/user/john/src/HDAA_fmt_plug.c:653
    #3 0x5629dd7dd74b in ldr_load_pw_line /home/user/john/src/loader.c:1050

pbkdf2-hmac-md5:

$ perl -le 'print q{$pbkdf2-hmac-md5$1000$} . "3" x 230 . q{$aaaaaaaaaaaaaaaaaaaaaaaaaa$} . "9" x 200 . q{$}' > t.pw
$ ./john/run/john t.pw
[...]
==395408==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555d07fd1100 at pc 0x555d0618a3e3 bp 0x7ffec2b35260 sp 0x7ffec2b35258
READ of size 1 at 0x555d07fd1100 thread T0
    #0 0x555d0618a3e2 in pbkdf2_hmac_md5_binary /home/user/john/src/pbkdf2_hmac_common_plug.c:285
    #1 0x555d0629b45a in ldr_load_pw_line /home/user/john/src/loader.c:990
    #2 0x555d06295227 in read_file /home/user/john/src/loader.c:260
    #3 0x555d0629d1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #4 0x555d0628c583 in john_load /home/user/john/src/john.c:1134
    #5 0x555d0628c583 in john_init /home/user/john/src/john.c:1578
    #6 0x555d0628c583 in main /home/user/john/src/john.c:2065
    #7 0x7f4334879d09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x555d05d8d489 in _start (/home/user/john/run/john+0x2dd489)

0x555d07fd1100 is located 32 bytes to the left of global variable 'buf' defined in 'pbkdf2_hmac_common_plug.c:133:4' (0x555d07fd1120) of size 16
0x555d07fd1100 is located 0 bytes to the right of global variable 'out' defined in 'pbkdf2_hmac_common_plug.c:260:14' (0x555d07fd0f00) of size 512

scrypt:

$ perl -le 'print q{$7$C6..../....SodiumChloride$} . "9" x 200 . q{kBGj9fHznVYFQMEn/qDCfrDevf9YDtcDdKvEqHJLV8D}' > t.pw
$ ./john/run/john t.pw
[...]
==395412==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b3d36a3820 at pc 0x7f12946ce2c9 bp 0x7ffd3b07d5a0 sp 0x7ffd3b07cd50
READ of size 257 at 0x55b3d36a3820 thread T0
    #0 0x7f12946ce2c8 in __interceptor_strrchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:719
    #1 0x55b3d279c1dd in binary_hash_4 /home/user/john/src/scrypt_fmt.c:355
    #2 0x55b3d2c4d47c in ldr_load_pw_line /home/user/john/src/loader.c:991
    #3 0x55b3d2c47227 in read_file /home/user/john/src/loader.c:260
    #4 0x55b3d2c4f1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #5 0x55b3d2c3e583 in john_load /home/user/john/src/john.c:1134
    #6 0x55b3d2c3e583 in john_init /home/user/john/src/john.c:1578
    #7 0x55b3d2c3e583 in main /home/user/john/src/john.c:2065
    #8 0x7f1293fcdd09 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55b3d273f489 in _start (/home/user/john/run/john+0x2dd489)

0x55b3d36a3820 is located 32 bytes to the left of global variable 'out' defined in 'scrypt_fmt.c:286:14' (0x55b3d36a3840) of size 256
0x55b3d36a3820 is located 0 bytes to the right of global variable 'out' defined in 'scrypt_fmt.c:279:14' (0x55b3d36a3720) of size 256
@solardiz solardiz added the fuzz bug Bug that won't realistically be seen in normal usage (e.g., found by fuzzing) label Jun 5, 2022
@solardiz solardiz added this to the Definitely 2.0.0 milestone Jun 5, 2022
@AlekseyCherepanov AlekseyCherepanov changed the title crashes under ASan from fuzzing: PBKDF2-HMAC-MD5, SSH, hdaa, scrypt crashes under ASan from fuzzing: PBKDF2-HMAC-MD5, SSH, hdaa, scrypt, and others Jun 6, 2022
@AlekseyCherepanov
Member Author

wowsrp:

$ perl -le 'print q{$WoWSRP$1$} . "0" x 130 . q{*JOHN}' > t.pw
$ ./john/run/john t.pw
=================================================================
==399372==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5651e6fcd3e4 at pc 0x7f5aba6848a1 bp 0x7fff1cb049e0 sp 0x7fff1cb04190
WRITE of size 5 at 0x5651e6fcd3e4 thread T0
    #0 0x7f5aba6848a0 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x5651e520ffe5 in get_salt /home/user/john/src/wow_srp_fmt_plug.c:367
    #2 0x5651e526f74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #3 0x5651e526a227 in read_file /home/user/john/src/loader.c:260
    #4 0x5651e52721eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #5 0x5651e5261583 in john_load /home/user/john/src/john.c:1134
    #6 0x5651e5261583 in john_init /home/user/john/src/john.c:1578
    #7 0x5651e5261583 in main /home/user/john/src/john.c:2065
    #8 0x7f5ab9f87d09 in __libc_start_main ../csu/libc-start.c:308
    #9 0x5651e4d62489 in _start (/home/user/john/run/john+0x2dd489)

0x5651e6fcd3e4 is located 60 bytes to the left of global variable 'max_keys_per_crypt' defined in 'wow_srp_fmt_plug.c:140:12' (0x5651e6fcd420) of size 4
0x5651e6fcd3e4 is located 0 bytes to the right of global variable 'out' defined in 'wow_srp_fmt_plug.c:338:4' (0x5651e6fcd3a0) of size 68

gpg:

$ perl -le 'print q{$gpg$*17*24*1024*} . "0" x 48 . q{*1*255*2*3*8*c5efc5bab719aa63*0*a0ccc71dedfce4d3*128*} . "0" x 256 . q{*20*} . "0" x 40 . q{*10000*} . "0" x 20000 . q{*128*} . "0" x 256' > t.pw
$ ./john/run/john t.pw
Error: This GPG OpenCL format does not support the requested S2K type!
=================================================================
==399468==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004cc8 at pc 0x559aa35b4f41 bp 0x7fffd76311d0 sp 0x7fffd76311c8
WRITE of size 1 at 0x629000004cc8 thread T0
    #0 0x559aa35b4f40 in gpg_common_get_salt /home/user/john/src/gpg_common_plug.c:937
    #1 0x559aa378574b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #2 0x559aa3780227 in read_file /home/user/john/src/loader.c:260
    #3 0x559aa37881eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #4 0x559aa3777583 in john_load /home/user/john/src/john.c:1134
    #5 0x559aa3777583 in john_init /home/user/john/src/john.c:1578
    #6 0x559aa3777583 in main /home/user/john/src/john.c:2065
    #7 0x7fd2d32d3d09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x559aa3278489 in _start (/home/user/john/run/john+0x2dd489)

0x629000004cc8 is located 0 bytes to the right of 19144-byte region [0x629000000200,0x629000004cc8)
allocated by thread T0 here:
    #0 0x7fd2d3a41037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x559aa379f6cd in mem_calloc /home/user/john/src/memory.c:109
    #2 0x559aa35b3f0a in gpg_common_get_salt /home/user/john/src/gpg_common_plug.c:876

nsec3:

$ perl -le 'print q{$NSEC3$400$} . "0" x 416 . q{$} . "0" x 40 . q{$example.com.}' > t.pw
$ ./john/run/john t.pw
=================================================================
==399472==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7ceb4790 at pc 0x7f0da09b8bb0 bp 0x7fff7ceb44a0 sp 0x7fff7ceb3c50
WRITE of size 416 at 0x7fff7ceb4790 thread T0
    #0 0x7f0da09b8baf in __interceptor_strncpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:483
    #1 0x55bf60f879ed in valid /home/user/john/src/nsec3_fmt_plug.c:176
    #2 0x55bf610d99c7 in ldr_split_line /home/user/john/src/loader.c:769
    #3 0x55bf610d9fb7 in ldr_load_pw_line /home/user/john/src/loader.c:963
    #4 0x55bf610d5227 in read_file /home/user/john/src/loader.c:260
    #5 0x55bf610dd1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #6 0x55bf610cc583 in john_load /home/user/john/src/john.c:1134
    #7 0x55bf610cc583 in john_init /home/user/john/src/john.c:1578
    #8 0x55bf610cc583 in main /home/user/john/src/john.c:2065
    #9 0x7f0da029dd09 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55bf60bcd489 in _start (/home/user/john/run/john+0x2dd489)

Address 0x7fff7ceb4790 is located in stack of thread T0 at offset 704 in frame
    #0 0x55bf60f877ad in valid /home/user/john/src/nsec3_fmt_plug.c:145

  This frame has 3 object(s):
    [48, 89) 'hash' (line 151)
    [128, 383) 'zone' (line 148)
    [448, 704) 'salt' (line 150) <== Memory access at offset 704 overflows this variable

vtp:

$ perl -le 'print q{$vtp$2$196$} . "0" x 392 . q{$180$} . "0" x 360 . q{$} . "0" x 32' > t.pw
$ ./john/run/john t.pw
=================================================================
==399474==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556e03a09c1c at pc 0x7efc65bcd8a1 bp 0x7fff37853290 sp 0x7fff37852a40
WRITE of size 108 at 0x556e03a09c1c thread T0
    #0 0x7efc65bcd8a0 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x556e01c49152 in get_salt /home/user/john/src/vtp_fmt_plug.c:199
    #2 0x556e01cac74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #3 0x556e01ca7227 in read_file /home/user/john/src/loader.c:260
    #4 0x556e01caf1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #5 0x556e01c9e583 in john_load /home/user/john/src/john.c:1134
    #6 0x556e01c9e583 in john_init /home/user/john/src/john.c:1578
    #7 0x556e01c9e583 in main /home/user/john/src/john.c:2065
    #8 0x7efc654d0d09 in __libc_start_main ../csu/libc-start.c:308
    #9 0x556e0179f489 in _start (/home/user/john/run/john+0x2dd489)

0x556e03a09c1c is located 36 bytes to the left of global variable 'cur_salt' defined in 'vtp_fmt_plug.c:92:4' (0x556e03a09c40) of size 8
0x556e03a09c1c is located 0 bytes to the right of global variable 'cs' defined in 'vtp_fmt_plug.c:172:28' (0x556e03a07380) of size 10396

@AlekseyCherepanov
Member Author

rsvp:

$ perl -le 'print q{$rsvp$} . "0" x 16440 . q{1$} . "0" x 344 . q{$} . "0" x 32' > t.pw
$ ./john/run/john t.pw
=================================================================
==400410==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559f210d17a8 at pc 0x559f1f2bc8da bp 0x7fff5ace0a50 sp 0x7fff5ace0a48
WRITE of size 1 at 0x559f210d17a8 thread T0
    #0 0x559f1f2bc8d9 in get_salt /home/user/john/src/rsvp_fmt_plug.c:247
    #1 0x559f1f38274b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #2 0x559f1f37d227 in read_file /home/user/john/src/loader.c:260
    #3 0x559f1f3851eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #4 0x559f1f374583 in john_load /home/user/john/src/john.c:1134
    #5 0x559f1f374583 in john_init /home/user/john/src/john.c:1578
    #6 0x559f1f374583 in main /home/user/john/src/john.c:2065
    #7 0x7fe48d6d4d09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x559f1ee75489 in _start (/home/user/john/run/john+0x2dd489)

0x559f210d17a8 is located 56 bytes to the left of global variable 'cur_salt' defined in 'rsvp_fmt_plug.c:135:4' (0x559f210d17e0) of size 8
0x559f210d17a8 is located 0 bytes to the right of global variable 'cs' defined in 'rsvp_fmt_plug.c:232:28' (0x559f210cf7a0) of size 8200

dynamic_15 (might be related to #5032):

$ perl -le 'print q{$dynamic_15$} . "0" x 32 . q{$aaaSXB$$00000000000000000Ujoeblow}' > t.pw
$ ./john/run/john t.pw
AddressSanitizer:DEADLYSIGNAL
=================================================================
==400413==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f43e8cbaffd bp 0x000000000003 sp 0x7ffda478caf8 T0)
==400413==The signal is caused by a READ memory access.
==400413==Hint: address points to the zero page.
    #0 0x7f43e8cbaffd  (/lib/x86_64-linux-gnu/libc.so.6+0xa6ffd)
    #1 0x7f43e93886cc in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:574
    #2 0x7f43e93886cc in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:569
    #3 0x5558b755f590 in valid /home/user/john/src/dynamic_fmt.c:618

ike:

$ perl -le 'print q{$ike$*0*} . "0" x 4096 . q{*} . "0" x 256 . q{*b2a3c7aa4be95e85*756e3fa11c1b102c*} . "0" x 104 . q{*01000000ac100202*} . "0" x 40 . q{*} . "0" x 40 . q{*} . "0" x 32' > t.pw
$ ./john/run/john t.pw
=================================================================
==400418==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9b8d1c10 at pc 0x7f5d2ba634c8 bp 0x7ffd9b8d08b0 sp 0x7ffd9b8d0060
WRITE of size 4097 at 0x7ffd9b8d1c10 thread T0
    #0 0x7f5d2ba634c7 in scanf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:342
    #1 0x7f5d2ba63b9a in __interceptor_vsscanf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1502
    #2 0x7f5d2ba63c86 in __interceptor_sscanf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1526
    #3 0x55f3036e3deb in load_psk_params /home/user/john/src/ike-crack.h:377
    #4 0x55f3036e46e8 in get_salt /home/user/john/src/ike_fmt_plug.c:199
    #5 0x55f30389474b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #6 0x55f30388f227 in read_file /home/user/john/src/loader.c:260
    #7 0x55f3038971eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #8 0x55f303886583 in john_load /home/user/john/src/john.c:1134
    #9 0x55f303886583 in john_init /home/user/john/src/john.c:1578
    #10 0x55f303886583 in main /home/user/john/src/john.c:2065
    #11 0x7f5d2b347d09 in __libc_start_main ../csu/libc-start.c:308
    #12 0x55f303387489 in _start (/home/user/john/run/john+0x2dd489)

Address 0x7ffd9b8d1c10 is located in stack of thread T0 at offset 4480 in frame
    #0 0x55f3036e3b28 in load_psk_params /home/user/john/src/ike-crack.h:345

  This frame has 17 object(s):
    [48, 56) 'g_xr_len' (line 369)
    [80, 88) 'g_xi_len' (line 370)
    [112, 120) 'cky_r_len' (line 371)
    [144, 152) 'cky_i_len' (line 372)
    [176, 184) 'sai_b_len' (line 373)
    [208, 216) 'idir_b_len' (line 374)
    [240, 248) 'ni_b_len' (line 375)
    [272, 280) 'nr_b_len' (line 376)
    [304, 348) 'hash_r_hex' (line 360)
    [384, 4480) 'g_xr_hex' (line 352)
    [4608, 8704) 'g_xi_hex' (line 353) <== Memory access at offset 4480 partially underflows this variable
    [8832, 12928) 'cky_r_hex' (line 354)
    [13056, 17152) 'cky_i_hex' (line 355)
    [17280, 21376) 'sai_b_hex' (line 356)
    [21504, 25600) 'idir_b_hex' (line 357)
    [25728, 29824) 'ni_b_hex' (line 358)
    [29952, 34048) 'nr_b_hex' (line 359)

net-md5:

$ perl -le 'print q{} . "0" x 2976 . q{$} . "0" x 32' > t.pw
$ ./john/run/john t.pw
=================================================================
==400426==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56538fe223e1 at pc 0x7f3d65e846f7 bp 0x7ffdb1cf2480 sp 0x7ffdb1cf1c30
WRITE of size 3018 at 0x56538fe223e1 thread T0
    #0 0x7f3d65e846f6 in __interceptor_vsprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1666
    #1 0x7f3d65e848e6 in __interceptor_sprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1709
    #2 0x56538df9e297 in prepare /home/user/john/src/net_md5_fmt_plug.c:278
    #3 0x56538e0f4993 in ldr_split_line /home/user/john/src/loader.c:766
    #4 0x56538e0f4fb7 in ldr_load_pw_line /home/user/john/src/loader.c:963
    #5 0x56538e0f0227 in read_file /home/user/john/src/loader.c:260
    #6 0x56538e0f81eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #7 0x56538e0e7583 in john_load /home/user/john/src/john.c:1134
    #8 0x56538e0e7583 in john_init /home/user/john/src/john.c:1578
    #9 0x56538e0e7583 in main /home/user/john/src/john.c:2065
    #10 0x7f3d65766d09 in __libc_start_main ../csu/libc-start.c:308
    #11 0x56538dbe8489 in _start (/home/user/john/run/john+0x2dd489)

0x56538fe223e1 is located 63 bytes to the left of global variable 'buf' defined in 'net_md5_fmt_plug.c:182:4' (0x56538fe22420) of size 16
0x56538fe223e1 is located 0 bytes to the right of global variable 'buf' defined in 'net_md5_fmt_plug.c:272:14' (0x56538fe21820) of size 3009

o10glogon:

$ perl -le 'print q{$o10glogon$jimf$} . "0" x 64 . q{$} . "0" x 64 . q{$} . "0" x 176' > t.pw
$ ./john/run/john t.pw
=================================================================
==400428==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fd65bd44b8 at pc 0x55fd63a51b05 bp 0x7ffed102ee50 sp 0x7ffed102ee48
WRITE of size 1 at 0x55fd65bd44b8 thread T0
    #0 0x55fd63a51b04 in hex_to_raw /home/user/john/src/base64_convert.c:298
    #1 0x55fd63a53a13 in base64_convert /home/user/john/src/base64_convert.c:682
    #2 0x55fd63d5dc85 in get_salt /home/user/john/src/o10glogon_fmt_plug.c:364
    #3 0x55fd63ea474b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #4 0x55fd63e9f227 in read_file /home/user/john/src/loader.c:260
    #5 0x55fd63ea71eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #6 0x55fd63e96583 in john_load /home/user/john/src/john.c:1134
    #7 0x55fd63e96583 in john_init /home/user/john/src/john.c:1578
    #8 0x55fd63e96583 in main /home/user/john/src/john.c:2065
    #9 0x7f6bb3ef8d09 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55fd63997489 in _start (/home/user/john/run/john+0x2dd489)

0x55fd65bd44b8 is located 40 bytes to the left of global variable 'desschedule1' defined in 'o10glogon_fmt_plug.c:99:25' (0x55fd65bd44e0) of size 128
0x55fd65bd44b8 is located 0 bytes to the right of global variable 'salt' defined in 'o10glogon_fmt_plug.c:346:21' (0x55fd65bd43e0) of size 216

o3logon:

$ perl -le 'print q{$o3logon$PASSWORD9$} . "0" x 32 . q{$} . "0" x 96' > t.pw
$ ./john/run/john t.pw
=================================================================
==400432==ERROR: AddressSanitizer: global-buffer-overflow on address 0x560a670ceb00 at pc 0x560a64f4bb05 bp 0x7ffd907b4e50 sp 0x7ffd907b4e48
WRITE of size 1 at 0x560a670ceb00 thread T0
    #0 0x560a64f4bb04 in hex_to_raw /home/user/john/src/base64_convert.c:298
    #1 0x560a64f4da13 in base64_convert /home/user/john/src/base64_convert.c:682
    #2 0x560a65259623 in get_salt /home/user/john/src/o3logon_fmt_plug.c:338
    #3 0x560a6539e74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #4 0x560a65399227 in read_file /home/user/john/src/loader.c:260
    #5 0x560a653a11eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #6 0x560a65390583 in john_load /home/user/john/src/john.c:1134
    #7 0x560a65390583 in john_init /home/user/john/src/john.c:1578
    #8 0x560a65390583 in main /home/user/john/src/john.c:2065
    #9 0x7f52f21afd09 in __libc_start_main ../csu/libc-start.c:308
    #10 0x560a64e91489 in _start (/home/user/john/run/john+0x2dd489)

0x560a670ceb00 is located 32 bytes to the left of global variable 'desschedule1' defined in 'o3logon_fmt_plug.c:96:25' (0x560a670ceb20) of size 128
0x560a670ceb00 is located 0 bytes to the right of global variable 'salt' defined in 'o3logon_fmt_plug.c:322:19' (0x560a670cea80) of size 128

SSHA512:

$ echo '{SSHA512}000000000000SCMmLlStPIxVtJc8Y6REiGTMsgSEFF7xVQFoYZYg39H0nEeDuK/fWxxNZCdSYlRgJK3U3q0lYTka3Nre2CjXzeNUjbvHabYP' > t.pw
$ ./john/run/john t.pw
=================================================================
==400434==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556d03142ef4 at pc 0x7f64d5b078a1 bp 0x7ffd5bfa56a0 sp 0x7ffd5bfa4e50
WRITE of size 17 at 0x556d03142ef4 thread T0
    #0 0x7f64d5b078a0 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x556d01358adc in get_salt /home/user/john/src/ssha512_fmt_plug.c:152
    #2 0x556d013ec74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #3 0x556d013e7227 in read_file /home/user/john/src/loader.c:260
    #4 0x556d013ef1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #5 0x556d013de583 in john_load /home/user/john/src/john.c:1134
    #6 0x556d013de583 in john_init /home/user/john/src/john.c:1578
    #7 0x556d013de583 in main /home/user/john/src/john.c:2065
    #8 0x7f64d540ad09 in __libc_start_main ../csu/libc-start.c:308
    #9 0x556d00edf489 in _start (/home/user/john/run/john+0x2dd489)

0x556d03142ef4 is located 44 bytes to the left of global variable 'out' defined in 'common-simd-setkey64.h:283:14' (0x556d03142f20) of size 96
0x556d03142ef4 is located 0 bytes to the right of global variable 'cursalt' defined in 'ssha512_fmt_plug.c:135:23' (0x556d03142ee0) of size 20

@AlekseyCherepanov
Member Author

bitlocker:

$ perl -le 'print q{$bitlocker$0$16$} . "0" x 32 . q{$1048576$12$9080903a0d9dd20103000000$292$} . "0" x 584' > t.pw
$ ./john/run/john t.pw
[...]
==405832==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000018b at pc 0x5631990f588e bp 0x7ffea69c52e0 sp 0x7ffea69c52d8
WRITE of size 1 at 0x61300000018b thread T0
    #0 0x5631990f588d in bitlocker_common_get_salt /home/user/john/src/bitlocker_variable_code.h:72
    #1 0x56319932f74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #2 0x56319932a227 in read_file /home/user/john/src/loader.c:260
    #3 0x5631993321eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #4 0x563199321583 in john_load /home/user/john/src/john.c:1134
    #5 0x563199321583 in john_init /home/user/john/src/john.c:1578
    #6 0x563199321583 in main /home/user/john/src/john.c:2065
    #7 0x7f79a09cfd09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x563198e22489 in _start (/home/user/john/run/john+0x2dd489)

0x61300000018b is located 0 bytes to the right of 331-byte region [0x613000000040,0x61300000018b)
allocated by thread T0 here:
    #0 0x7f79a113ce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5631993495cc in mem_alloc /home/user/john/src/memory.c:92
    #2 0x5631993498f3 in mem_alloc_tiny /home/user/john/src/memory.c:215
    #3 0x563199349932 in mem_calloc_tiny /home/user/john/src/memory.c:229
    #4 0x5631990f515d in bitlocker_common_get_salt /home/user/john/src/bitlocker_variable_code.h:45

@AlekseyCherepanov
Member Author

Playing with net-md5, I got a crash in krb5asrep. Technically it is not from a fuzzer.

$ perl -le 'print "0" x 32 . "\$" . "0" x 96' > t.pw
$ ./john/run/john t.pw
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
=================================================================
==432651==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00012a060 at pc 0x7fe2de1ecb11 bp 0x7ffc50796bc0 sp 0x7ffc50796370
READ of size 1891 at 0x61d00012a060 thread T0
    #0 0x7fe2de1ecb10 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:370
    #1 0x55e9aa817baf in crypt_all /home/user/john/src/krb5_asrep_fmt_plug.c:255
    #2 0x55e9aa987c48 in is_key_right /home/user/john/src/formats.c:592
    #3 0x55e9aa990e66 in fmt_self_test_body /home/user/john/src/formats.c:1287
    #4 0x55e9aa9920f6 in fmt_self_test /home/user/john/src/formats.c:2037
    #5 0x55e9aa99fdea in john_run /home/user/john/src/john.c:1699
    #6 0x55e9aa99fdea in main /home/user/john/src/john.c:2082
    #7 0x7fe2ddaecd09 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55e9aa49e489 in _start (/home/user/john/run/john+0x2dd489)

0x61d00012a060 is located 0 bytes to the right of 2016-byte region [0x61d000129880,0x61d00012a060)
allocated by thread T0 here:
    #0 0x7fe2de25aa3c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
    #1 0x55e9aa9c5a3c in mem_alloc_align /home/user/john/src/memory.c:255
    #2 0x55e9aa818657 in init /home/user/john/src/krb5_asrep_fmt_plug.c:165

@AlekseyCherepanov
Member Author

Another crasher for ssha512:

$ perl -le 'print "{SSHA512}" . "0" x 86 . "=" x 22' > t.pw
$ ./john/run/john t.pw
=================================================================
==432949==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cpp:80 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x7ff97e8a0657 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cpp:73
    #1 0x7ff97e8bdd4a in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:78
    #2 0x7ff97e81b2b3 in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cpp:80
    #3 0x7ff97e81b2b3 in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:96
    #4 0x7ff97e81ced2 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:441
    #5 0x7ff97e81f350 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cpp:395
    #6 0x7ff97e89fcf4 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cpp:472
    #7 0x7ff97e8279a4 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #8 0x560f5b9b7adc in get_salt /home/user/john/src/ssha512_fmt_plug.c:152
    #9 0x560f5ba4b74b in ldr_load_pw_line /home/user/john/src/loader.c:1050
    #10 0x560f5ba46227 in read_file /home/user/john/src/loader.c:260
    #11 0x560f5ba4e1eb in ldr_load_pw_file /home/user/john/src/loader.c:1203
    #12 0x560f5ba3d583 in john_load /home/user/john/src/john.c:1134
    #13 0x560f5ba3d583 in john_init /home/user/john/src/john.c:1578
    #14 0x560f5ba3d583 in main /home/user/john/src/john.c:2065
    #15 0x7ff97e12ad09 in __libc_start_main ../csu/libc-start.c:308
    #16 0x560f5b53e489 in _start (/home/user/john/run/john+0x2dd489)

There is such a length adjustment for base64, while valid accepts excessive =s:

	/* decoded length implied by the base64 length, minus the digest */
	cursalt.len = (len + 3) / 4 * 3 - DIGEST_SIZE;
	p = &ciphertext[len];
	/* one byte less per trailing '=', with no limit on how many */
	while (*--p == '=')
		cursalt.len--;

	/* a len driven below zero (or wrapped) reaches memcpy as a huge size */
	memcpy(cursalt.data.c, realcipher+DIGEST_SIZE, cursalt.len);

It was found manually. I guess it is possible to write a specific mutator to let a fuzzer find that.
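
The base64 length arithmetic from this comment, as an added example in C (not john's code): the quoted calculation beside a hardened check that rejects the string before any memcpy. DIGEST_SIZE = 64 and a 16-byte salt limit are assumptions read off the ASan output in this issue (the 20-byte 'cursalt' taken as a 4-byte length plus 16 bytes of salt); the function names and the well-formed sample input are constructed. The two crasher strings are the ones posted in this issue: the first decodes to a 17-byte salt, the second drives the length negative with 22 padding characters.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: SHA-512 digest is 64 bytes; the 20-byte 'cursalt'
 * in the ASan report is read as a 4-byte length field plus 16 salt bytes. */
#define DIGEST_SIZE  64
#define MAX_SALT_LEN 16
#define TAG          "{SSHA512}"
#define TAG_LEN      (sizeof(TAG) - 1)

/* Crasher from this comment: 86 base64 digits followed by 22 '='. */
static const char CRASHER_EXCESS_PAD[] = TAG
    "0000000000" "0000000000" "0000000000" "0000000000"
    "0000000000" "0000000000" "0000000000" "0000000000" "000000"
    "==========" "==========" "==";

/* Earlier crasher from this issue: decodes to 17 salt bytes, one over the limit. */
static const char CRASHER_LONG_SALT[] = TAG
    "000000000000SCMmLlStPIxVtJc8Y6REiGTMsgSEFF7xVQFoYZYg39H0nEeDuK/fWxxNZCdSYlRgJK3U3q0lYTka3Nre2CjXzeNUjbvHabYP";

/* Constructed well-formed input: 96 base64 chars = 72 bytes = 64 + 8-byte salt. */
static const char GOOD_INPUT[] = TAG
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAA";

/* The arithmetic quoted above: every trailing '=' is subtracted, however many
 * there are. (The loop is bounded at the start of the string only so that
 * this demo itself stays in-bounds.) */
static long salt_len_unchecked(const char *ciphertext)
{
    const char *b64 = ciphertext + TAG_LEN;
    size_t len = strlen(b64);
    long salt_len = (long)((len + 3) / 4 * 3) - DIGEST_SIZE;
    const char *p = b64 + len;

    while (p > b64 && *--p == '=')
        salt_len--;
    return salt_len;          /* a negative value becomes a huge size_t in memcpy */
}

/* Hardened check: returns the salt length, or -1 if the string must be
 * rejected before anything is copied. */
static int salt_len_checked(const char *ciphertext)
{
    const char *b64;
    size_t len, i, pad = 0;
    long salt_len;

    if (strncmp(ciphertext, TAG, TAG_LEN) != 0)
        return -1;
    b64 = ciphertext + TAG_LEN;
    len = strlen(b64);
    if (len == 0 || len % 4 != 0)         /* padded base64 is 4-aligned */
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)b64[i];
        if (c == '=')
            pad++;
        else if (pad != 0 || !(isalnum(c) || c == '+' || c == '/'))
            return -1;                    /* '=' only at the end; alphabet only */
    }
    if (pad > 2)
        return -1;                        /* at most two padding characters */
    salt_len = (long)(len / 4 * 3) - (long)pad - DIGEST_SIZE;
    if (salt_len < 0 || salt_len > MAX_SALT_LEN)
        return -1;                        /* would underflow or overflow cursalt */
    return (int)salt_len;
}

int main(void)
{
    const char *inputs[] = { CRASHER_EXCESS_PAD, CRASHER_LONG_SALT, GOOD_INPUT };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("unchecked=%ld checked=%d\n",
               salt_len_unchecked(inputs[i]), salt_len_checked(inputs[i]));
    return 0;
}
```

The checked version makes the rejection happen in the equivalent of valid(): both crashers fail it (one on the salt limit, one on the padding count), and a well-formed 96-character string yields an 8-byte salt under both computations.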

@AlekseyCherepanov
Member Author

crash in krb5asrep

The crash happens with a correct hash too. The problem is that I have an ASan build and the allocator initialized memory to non-zero values. Together with that, crypt_all hashes more keys than john sets through set_key. So strlen cannot find the end of the string and overruns the allocated region.
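
The failure mode described in this comment, as an added toy model in C (constructed for this note, not john's code): a key buffer handed out by an allocator that fills memory with non-zero bytes, set_key filling only slot 0, and crypt_all asked to process more slots than were set. The names (keys_set, slot_len_by_scan, crypt_all_bytes), the 0xbe fill, and the 4-slot / 16-character sizes are assumptions. It shows both fixes side by side: zero the buffer at init so every slot is a valid empty C string, and record key lengths in set_key so crypt_all never has to scan for a NUL.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS         4
#define PLAINTEXT_LENGTH 16
#define SLOT_SIZE        (PLAINTEXT_LENGTH + 1)
#define BUF_SIZE         ((size_t)MAX_KEYS * SLOT_SIZE)

/* Toy model of a format's key buffer (constructed here, not john's code). */
struct keys {
    char *buf;            /* MAX_KEYS slots of SLOT_SIZE bytes each */
    int   len[MAX_KEYS];  /* recorded length per slot: fix B */
};

/* Stands in for an allocator that returns non-zero memory, as the comment
 * above describes for the ASan build. The 0xbe fill is an assumption. */
static char *alloc_filled(size_t n)
{
    char *p = malloc(n);
    if (p)
        memset(p, 0xbe, n);
    return p;
}

static int keys_init(struct keys *k, int zero_on_init)
{
    k->buf = alloc_filled(BUF_SIZE);
    if (!k->buf)
        return -1;
    if (zero_on_init)     /* fix A: every slot starts as an empty C string */
        memset(k->buf, 0, BUF_SIZE);
    memset(k->len, 0, sizeof k->len);
    return 0;
}

static void keys_set(struct keys *k, int i, const char *key)
{
    size_t n = strlen(key);
    if (n > PLAINTEXT_LENGTH)
        n = PLAINTEXT_LENGTH;
    memcpy(k->buf + (size_t)i * SLOT_SIZE, key, n);
    k->buf[(size_t)i * SLOT_SIZE + n] = '\0';
    k->len[i] = (int)n;   /* fix B: crypt_all never needs strlen */
}

/* What the reported crypt_all effectively did: scan slot i for a NUL. Bounded
 * here to the end of the allocation so this demo stays in-bounds; the real
 * strlen had no bound, which is the heap-buffer-overflow ASan reported. */
static size_t slot_len_by_scan(const struct keys *k, int i)
{
    size_t off = (size_t)i * SLOT_SIZE;
    const char *p = k->buf + off;
    const char *z = memchr(p, 0, BUF_SIZE - off);
    return z ? (size_t)(z - p) : BUF_SIZE - off;
}

/* crypt_all over `count` slots using the recorded lengths; count may exceed
 * the number of slots set_key() filled, as in the report. Returns bytes hashed. */
static size_t crypt_all_bytes(const struct keys *k, int count)
{
    size_t total = 0;
    int i;
    for (i = 0; i < count && i < MAX_KEYS; i++)
        total += (size_t)k->len[i];
    return total;
}

/* Demo driver: set only slot 0 to "password", then scan `slot` for its end. */
static long demo_scan_len(int zero_on_init, int slot)
{
    struct keys k;
    long r;
    if (keys_init(&k, zero_on_init) != 0)
        return -1;
    keys_set(&k, 0, "password");
    r = (long)slot_len_by_scan(&k, slot);
    free(k.buf);
    return r;
}

/* Demo driver: same setup, then run crypt_all over all MAX_KEYS slots. */
static long demo_crypt_bytes(int zero_on_init)
{
    struct keys k;
    long r;
    if (keys_init(&k, zero_on_init) != 0)
        return -1;
    keys_set(&k, 0, "password");
    r = (long)crypt_all_bytes(&k, MAX_KEYS);
    free(k.buf);
    return r;
}
```

Without zeroing, scanning the never-set slot 3 runs to the end of the allocation (17 bytes here, unbounded in the real code); with zeroing it reads as empty, and with recorded lengths crypt_all hashes exactly the 8 bytes that were set regardless of count.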

@AlekseyCherepanov
Copy link
Member Author

I have fixes for all these crashes. I'll prepare PR after more testing.

@AlekseyCherepanov
Member Author

dynamic_1552:

perl -le 'print q{$dynamic_1552$} . "0" x 32 . q{$} . "0" x 16 . q{$$U} . "0" x 240' > t.pw

==8718==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeaf87a246 at pc 0x7f833ec108a1 bp 0x7ffeaf877860 sp 0x7ffeaf877010
WRITE of size 240 at 0x7ffeaf87a246 thread T0
    #0 0x7f833ec108a0 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x55d52f22f5b1 in salt_external_to_internal_convert /home/user/john/src/dynamic_fmt.c:2341
    #2 0x55d52f232032 in get_salt /home/user/john/src/dynamic_fmt.c:2570
    #3 0x55d52f660063 in ldr_load_pw_line /home/user/john/src/loader.c:1045

It was found by inserting zeroes into the username. The username had an underscore, so it became a point for insertion. Without the underscore, my mutator would not find the crash. OTOH, append_last_char could find this crash, having more variation in times.

AlekseyCherepanov added a commit to AlekseyCherepanov/JohnTheRipper that referenced this issue Jul 1, 2022
AlekseyCherepanov added a commit to AlekseyCherepanov/JohnTheRipper that referenced this issue Jul 2, 2022
solardiz pushed a commit that referenced this issue Jul 2, 2022