1
mirror of https://github.com/hashcat/hashcat synced 2025-01-10 17:16:22 +01:00

Fixed a buffer overflow in precompute_salt_md5() in case salt was longer than 64 characters

This commit is contained in:
jsteube 2018-08-06 15:35:35 +02:00
parent 9f54c3dd14
commit afd1efd59c
4 changed files with 16 additions and 22 deletions

View File

@ -6,6 +6,12 @@
- Try to evaluate available OpenCL device memory and use this information instead of total available OpenCL device memory for autotune - Try to evaluate available OpenCL device memory and use this information instead of total available OpenCL device memory for autotune
##
## Bugs
##
- Fixed a buffer overflow in precompute_salt_md5() in case salt was longer than 64 characters
* changes v4.1.0 -> v4.2.0 * changes v4.1.0 -> v4.2.0
## ##

View File

@ -9,6 +9,6 @@
#include <string.h> #include <string.h>
void md5_64 (const u32 block[16], u32 digest[4]); void md5_64 (const u32 block[16], u32 digest[4]);
void md5_complete_no_limit (u32 digest[4], u32 *plain, u32 plain_len); void md5_complete_no_limit (u32 digest[4], const u32 *plain, const u32 plain_len);
#endif // _CPU_MD5_H #endif // _CPU_MD5_H

View File

@ -117,7 +117,7 @@ void md5_64 (const u32 block[16], u32 digest[4])
// only use this when really, really needed, SLOW // only use this when really, really needed, SLOW
void md5_complete_no_limit (u32 digest[4], u32 *plain, u32 plain_len) void md5_complete_no_limit (u32 digest[4], const u32 *plain, const u32 plain_len)
{ {
u32 a = MD5M_A; u32 a = MD5M_A;
u32 b = MD5M_B; u32 b = MD5M_B;

View File

@ -2698,28 +2698,16 @@ static bool parse_and_store_generic_salt (u8 *out_buf, int *out_len, const u8 *i
return true; return true;
} }
static void precompute_salt_md5 (u8 *salt, u32 salt_len, u8 *salt_pc) static void precompute_salt_md5 (const u32 *salt_buf, const u32 salt_len, u8 *salt_pc)
{ {
u32 salt_pc_block[16] = { 0 }; u32 digest[4] = { 0 };
u8 *salt_pc_block_ptr = (u8 *) salt_pc_block; md5_complete_no_limit (digest, salt_buf, salt_len);
memcpy (salt_pc_block_ptr, salt, salt_len); u32_to_hex_lower (digest[0], salt_pc + 0);
u32_to_hex_lower (digest[1], salt_pc + 8);
salt_pc_block_ptr[salt_len] = 0x80; u32_to_hex_lower (digest[2], salt_pc + 16);
u32_to_hex_lower (digest[3], salt_pc + 24);
salt_pc_block[14] = salt_len * 8;
u32 salt_pc_digest[4] = { MD5M_A, MD5M_B, MD5M_C, MD5M_D };
md5_64 (salt_pc_block, salt_pc_digest);
u8 *salt_buf_pc_ptr = salt_pc;
u32_to_hex_lower (salt_pc_digest[0], salt_buf_pc_ptr + 0);
u32_to_hex_lower (salt_pc_digest[1], salt_buf_pc_ptr + 8);
u32_to_hex_lower (salt_pc_digest[2], salt_buf_pc_ptr + 16);
u32_to_hex_lower (salt_pc_digest[3], salt_buf_pc_ptr + 24);
} }
int bcrypt_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) int bcrypt_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
@ -4333,7 +4321,7 @@ int md5s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSE
{ {
// precompute md5 of the salt // precompute md5 of the salt
precompute_salt_md5 ((u8 *) salt->salt_buf, salt->salt_len, (u8 *) salt->salt_buf_pc); precompute_salt_md5 (salt->salt_buf, salt->salt_len, (u8 *) salt->salt_buf_pc);
} }
return (PARSER_OK); return (PARSER_OK);