fixed crash in rtsp module

vanhauser-thc · Feb 17, 2020 · 5b6fc88 · 5b6fc88
1 parent 0b093e6
commit 5b6fc88
Show file tree

Hide file tree

Showing 14 changed files with 107 additions and 86 deletions.
diff --git a/CHANGES b/CHANGES
@@ -3,6 +3,7 @@ Changelog for hydra
 
 Release 9.1-dev
 * new module: smb2 which also supports smb3 (uses libsmbclient-dev) (thanks to Karim Kanso for the module!)
+* rtsp: fixed crash in MD5 auth
 * svn: updated to support past and new API
 * http module now supports F=/S= string matching conditions (thanks to poucz@github)
 * changed mysql module not to use mysql db as a default. if the user has not access to this db auth fails ...

diff --git a/hydra-http-proxy-urlenum.c b/hydra-http-proxy-urlenum.c
@@ -170,16 +170,16 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
       } else {
 #ifdef LIBOPENSSL
         if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
-          char *pbuffer;
+          char *pbuffer, *result;
 
           http_proxy_auth_mechanism = AUTH_DIGESTMD5;
           pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
           strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
           buffer[sizeof(buffer) - 1] = '\0';
 
           pbuffer = buffer2;
-          sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
-          if (pbuffer == NULL)
+          result = sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
+          if (result == NULL)
             return 3;
 
           if (debug)

diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c
@@ -179,7 +179,7 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
     } else {
 #ifdef LIBOPENSSL
       if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {
-        char *pbuffer;
+        char *pbuffer, *result;
 
         http_proxy_auth_mechanism = AUTH_DIGESTMD5;
         pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
@@ -188,8 +188,8 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
         pbuffer = NULL;
 
         fooptr = buffer2;
-        sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
-        if (fooptr == NULL)
+        result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
+        if (result == NULL)
           return 3;
 
         if (debug)

diff --git a/hydra-http.c b/hydra-http.c
@@ -76,15 +76,15 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
 #ifdef LIBOPENSSL
   case AUTH_DIGESTMD5: {
-    char *pbuffer;
+    char *pbuffer, *result;
 
     pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
     strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1);
     buffer[buffer_size - 1] = '\0';
 
     fooptr = buffer2;
-    sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
-    if (fooptr == NULL) {
+    result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
+    if (result == NULL) {
       free(buffer);
       free(header);
       return 3;

diff --git a/hydra-imap.c b/hydra-imap.c
@@ -41,7 +41,7 @@ char *imap_read_server_capacity(int32_t sock) {
 }
 
 int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
-  char *empty = "";
+  char *empty = "", *result = NULL;
   char *login, *pass, buffer[500], buffer2[500], *fooptr;
 
   if (strlen(login = hydra_get_next_login()) == 0)
@@ -104,7 +104,8 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer2, 0, sizeof(buffer2));
-    sasl_plain(buffer2, login, pass);
+    result = sasl_plain(buffer2, login, pass);
+    if (result == NULL) return 3;
     sprintf(buffer, "%.250s\r\n", buffer2);
     break;
 
@@ -161,15 +162,18 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
     switch (imap_auth_mechanism) {
     case AUTH_CRAMMD5: {
-      sasl_cram_md5(buffer2, pass, buffer);
+      result = sasl_cram_md5(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     case AUTH_CRAMSHA1: {
-      sasl_cram_sha1(buffer2, pass, buffer);
+      result = sasl_cram_sha1(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     case AUTH_CRAMSHA256: {
-      sasl_cram_sha256(buffer2, pass, buffer);
+      result = sasl_cram_sha256(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     }
@@ -202,8 +206,8 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
       hydra_report(stderr, "DEBUG S: %s\n", buffer);
 
     fooptr = buffer2;
-    sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
-    if (fooptr == NULL)
+    result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
+    if (result == NULL)
       return 3;
     if (debug)
       hydra_report(stderr, "DEBUG C: %s\n", buffer2);
@@ -262,8 +266,8 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
       memset(buffer2, 0, sizeof(buffer2));
       fooptr = buffer2;
-      sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
-      if (fooptr == NULL) {
+      result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
+      if (result == NULL) {
         hydra_report(stderr, "[ERROR] Can't compute client response\n");
         return 1;
       }

diff --git a/hydra-ldap.c b/hydra-ldap.c
@@ -8,7 +8,7 @@ int32_t counter;
 int32_t tls_required = 0;
 
 int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char version, int32_t auth_method) {
-  char *empty = "";
+  char *empty = "", *result = NULL;
   char *login = "", *pass, *fooptr = "";
   unsigned char buffer[512];
   int32_t length = 0;
@@ -123,8 +123,8 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
     ptr = strstr((char *)buf, "<");
     fooptr = buf2;
-    sasl_cram_md5(fooptr, pass, ptr);
-    if (fooptr == NULL)
+    result = sasl_cram_md5(fooptr, pass, ptr);
+    if (result == NULL)
       return 1;
     counter++;
     if (strstr(miscptr, "^USER^") != NULL) {
@@ -180,8 +180,8 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
       }
 
       fooptr = buffer2;
-      sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
-      if (fooptr == NULL) {
+      result = sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
+      if (result == NULL) {
         free(buf);
         return 3;
       }

diff --git a/hydra-nntp.c b/hydra-nntp.c
@@ -48,7 +48,7 @@ char *nntp_read_server_capacity(int32_t sock) {
 }
 
 int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
-  char *empty = "\"\"";
+  char *empty = "\"\"", *result = NULL;
   char *login, *pass, buffer[500], buffer2[500], *fooptr;
   int32_t i = 1;
 
@@ -112,7 +112,8 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer, 0, sizeof(buffer));
-    sasl_plain(buffer, login, pass);
+    result = sasl_plain(buffer, login, pass);
+    if (result == NULL) return 3;
 
     char tmp_buffer[sizeof(buffer)];
     sprintf(tmp_buffer, "%.250s\r\n", buffer);
@@ -147,7 +148,8 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer2, 0, sizeof(buffer2));
-    sasl_cram_md5(buffer2, pass, buffer);
+    result = sasl_cram_md5(buffer2, pass, buffer);
+    if (result == NULL) return 3;
 
     sprintf(buffer, "%s %.250s", preplogin, buffer2);
     hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@@ -178,8 +180,8 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     if (debug)
       hydra_report(stderr, "DEBUG S: %s\n", buffer);
     fooptr = buffer2;
-    sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
-    if (fooptr == NULL)
+    result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
+    if (result == NULL)
       return 3;
 
     if (debug)

diff --git a/hydra-pop3.c b/hydra-pop3.c
@@ -118,7 +118,7 @@ char *pop3_read_server_capacity(int32_t sock) {
 }
 
 int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
-  char *empty = "\"\"";
+  char *empty = "\"\"", *result = NULL;
   char *login, *pass, buffer[500], buffer2[500], *fooptr;
 
   if (strlen(login = hydra_get_next_login()) == 0)
@@ -202,7 +202,8 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer, 0, sizeof(buffer));
-    sasl_plain(buffer, login, pass);
+    result = sasl_plain(buffer, login, pass);
+    if (result == NULL) return 3;
 
     char tmp_buffer[sizeof(buffer)];
     sprintf(tmp_buffer, "%.250s\r\n", buffer);
@@ -263,15 +264,18 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
     switch (p->pop3_auth_mechanism) {
     case AUTH_CRAMMD5: {
-      sasl_cram_md5(buffer2, pass, buffer);
+      result = sasl_cram_md5(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     case AUTH_CRAMSHA1: {
-      sasl_cram_sha1(buffer2, pass, buffer);
+      result = sasl_cram_sha1(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     case AUTH_CRAMSHA256: {
-      sasl_cram_sha256(buffer2, pass, buffer);
+      result = sasl_cram_sha256(buffer2, pass, buffer);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s %.250s", preplogin, buffer2);
     } break;
     }
@@ -304,8 +308,8 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
       hydra_report(stderr, "[DEBUG] S: %s\n", buffer);
 
     fooptr = buffer2;
-    sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
-    if (fooptr == NULL)
+    result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
+    if (result == NULL)
       return 3;
 
     if (debug)

diff --git a/hydra-rtsp.c b/hydra-rtsp.c
@@ -116,22 +116,21 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
       }
     } else {
       if (use_Digest_Auth(lresp) == 1) {
-        char *dbuf = NULL;
-        char aux[500] = "";
+        char aux[500] = "", dbuf[500] = "", *result = NULL;
         char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest ");
 
         strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux));
         aux[sizeof(aux) - 1] = '\0';
         free(lresp);
 #ifdef LIBOPENSSL
-        sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
+        result = sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
 #else
         hydra_report(stderr, "[ERROR] Digest auth required but compiled "
                              "without OpenSSL/MD5 support\n");
         return 3;
 #endif
 
-        if (dbuf == NULL) {
+        if (result == NULL) {
           hydra_report(stderr, "[ERROR] digest generation failed\n");
           return 3;
         }

diff --git a/hydra-sip.c b/hydra-sip.c
@@ -48,7 +48,7 @@ int32_t get_sip_code(char *buf) {
 }
 
 int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, unsigned char options, char *miscptr, FILE *fp) {
-  char *login, *pass, *host, buffer[SIP_MAX_BUF];
+  char *login, *pass, *host, buffer[SIP_MAX_BUF], *result = NULL;
   int32_t i;
   char buf[SIP_MAX_BUF];
 
@@ -138,7 +138,8 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
     hydra_report(stderr, "[INFO] S: %s\n", buf);
   char buffer2[512];
 
-  sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
+  result = sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
+  if (result == NULL) return 3;
 
   memset(buffer, 0, SIP_MAX_BUF);
   snprintf(buffer, SIP_MAX_BUF,

diff --git a/hydra-smtp.c b/hydra-smtp.c
@@ -37,7 +37,7 @@ char *smtp_read_server_capacity(int32_t sock) {
 }
 
 int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
-  char *empty = "";
+  char *empty = "", *result = NULL;
   char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf;
 
   if (strlen(login = hydra_get_next_login()) == 0)
@@ -67,7 +67,8 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer, 0, sizeof(buffer));
-    sasl_plain(buffer, login, pass);
+    result = sasl_plain(buffer, login, pass);
+    if (result == NULL) return 3;
 
     char tmp_buffer[sizeof(buffer)];
     sprintf(tmp_buffer, "%.250s\r\n", buffer);
@@ -102,7 +103,8 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     free(buf);
 
     memset(buffer2, 0, sizeof(buffer2));
-    sasl_cram_md5(buffer2, pass, buffer);
+    result = sasl_cram_md5(buffer2, pass, buffer);
+    if (result == NULL) return 3;
 
     sprintf(buffer, "%s %.250s", preplogin, buffer2);
     hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@@ -135,8 +137,8 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
       hydra_report(stderr, "DEBUG S: %s\n", buffer);
 
     fooptr = buffer2;
-    sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
-    if (fooptr == NULL)
+    result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
+    if (result == NULL)
       return 3;
 
     if (debug)

diff --git a/hydra-xmpp.c b/hydra-xmpp.c
@@ -13,7 +13,7 @@ char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http:/
                                    "version='1.0'>";
 
 int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
-  char *empty = "\"\"";
+  char *empty = "\"\"", *result = NULL;
   char *login, *pass, buffer[500], buffer2[500];
   char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='";
   char *AUTH_STR_END = "'/>";
@@ -125,7 +125,8 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 #ifdef LIBOPENSSL
     case AUTH_PLAIN: {
       memset(buffer2, 0, sizeof(buffer));
-      sasl_plain(buffer2, login, pass);
+      result = sasl_plain(buffer2, login, pass);
+      if (result == NULL) return 3;
       sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
       if (debug)
         hydra_report(stderr, "DEBUG C: %s\n", buffer);
@@ -136,7 +137,8 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
       char *preplogin;
 
       memset(buffer2, 0, sizeof(buffer2));
-      sasl_cram_md5(buffer2, pass, buffer);
+      result = sasl_cram_md5(buffer2, pass, buffer);
+      if (result == NULL) return 3;
 
       rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
       if (rc) {
@@ -156,8 +158,8 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
     case AUTH_DIGESTMD5: {
       memset(buffer2, 0, sizeof(buffer2));
       fooptr = buffer2;
-      sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
-      if (fooptr == NULL) {
+      result = sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
+      if (result == NULL) {
         free(buf);
         return 3;
       }
@@ -217,8 +219,8 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
         memset(buffer2, 0, sizeof(buffer2));
         fooptr = buffer2;
-        sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
-        if (fooptr == NULL) {
+        result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
+        if (result == NULL) {
           hydra_report(stderr, "[ERROR] Can't compute client response\n");
           free(buf);
           return 1;