Hashcat Stack-Based Buffer Overflow Vulnerability in Rule Engine Allowing Denial-of-Service and Potential Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Hashcat version 7.1.2, specifically within the rule engine's 'mangle_to_hex_lower()' and 'mangle_to_hex_upper()' functions. This vulnerability allows an attacker to cause a denial-of-service or possibly execute arbitrary code by using a crafted rule file or through the '-j' or '-k' rule options with password candidates of 128 or more characters. The issue arises from a bounds check that fails to consider the twofold expansion that occurs when password bytes are converted to hexadecimal, leading to a buffer overflow on the stack.
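The bounds-check mistake described above, shown beside a corrected check, as an added example that is not Hashcat's code and not the patch from the pull request. The function names, the 256-byte buffer and the reserved terminator byte are assumptions, chosen so the rejection threshold matches the 128-character figure given here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes throughout; this is not Hashcat source. */

/* Flawed shape: asks only whether the input fits in the buffer. */
int naive_fits(size_t len, size_t cap)
{
    return len < cap;
}

/* Corrected shape: asks whether 2*len hex digits plus a NUL fit.
 * Written as a division so the comparison cannot wrap for huge len. */
int expanded_fits(size_t len, size_t cap)
{
    return cap > 0 && len <= (cap - 1) / 2;
}

/* In-place lowercase hex expansion. Returns the new length, or the
 * original length with buf untouched when the output would not fit. */
size_t hex_lower_checked(unsigned char *buf, size_t len, size_t cap)
{
    static const char digits[] = "0123456789abcdef";

    if (!expanded_fits(len, cap)) return len;

    /* Walk backwards so unread input bytes are never overwritten. */
    for (size_t i = len; i-- > 0; ) {
        unsigned char b = buf[i];
        buf[2 * i]     = (unsigned char) digits[b >> 4];
        buf[2 * i + 1] = (unsigned char) digits[b & 0x0f];
    }
    buf[2 * len] = '\0';
    return 2 * len;
}

int main(void)
{
    unsigned char buf[256];               /* constructed sample input */
    for (size_t n = 126; n <= 129; n++) {
        memset(buf, 'A', sizeof buf);
        size_t out = hex_lower_checked(buf, n, sizeof buf);
        printf("len=%zu naive=%d expanded=%d out_len=%zu\n", n,
               naive_fits(n, sizeof buf), expanded_fits(n, sizeof buf), out);
    }
    return 0;
}
```

At a length of 128 the input-only check still passes while the expansion-aware check rejects the candidate and leaves it unmodified.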

Impact

Exploitation of this vulnerability reliably crashes the application. While the overflow could potentially be exploited for arbitrary code execution, this has not been achieved in practice on a default build of Hashcat, which includes stack protection that would need to be bypassed first.

Reproduction

The vulnerability can be reproduced by running Hashcat with the '-j h' or '-j H' options, using a wordlist that includes password entries of 128 characters or more. The crafted rule file or rule options trigger the buffer overflow by exploiting the hexadecimal conversion process, which doubles the length of the input and exceeds the buffer's capacity.

Remediation

A pull request addressing this vulnerability has been submitted and is currently open, but not yet merged.

Added: May 1, 2026, 2:21 PM
Updated: May 1, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.0
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.