Date: Tue, 25 Aug 2009 19:07:49 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <advisories@...ern0t.net>, <bugtraq@...urityfocus.com>
Subject: Re: DoS vulnerability in Google Chrome

Hello MaXe!

Thanks for the information.

It's interesting why your Firefox 3.5.2 is vulnerable, because on my
computer only Chrome was vulnerable, and not Firefox 3.0.13 and other
browsers (Mozilla, IE6 and Opera). Yes, I have Chrome installed on the same
system and it does not affect other browsers (not in case of this DoS hole,
not in case of other holes which I found).

Besides, which exploit works in Firefox 3.5.2 in your case? Maybe it's a hole
in Firefox 3.5.x. Then it'll be better for you to check it on a system
with Firefox, but without Chrome. In case it's a Cross-Application DoS
(http://websecurity.com.ua/2600/, which you can read in English at
http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/2600/&sl=uk&tl=en),
and Firefox 3.5.2 is affected via Chrome (you must test it by running the
exploit in Firefox 3.5.2 on systems with and without Chrome installed), then
there are things which we need to know: which browsers (Firefox 3.5.x and
others) are affected, and which versions of Chrome lead to this issue.

Besides, as I was informed recently, Google Chrome 1.0.154.65 is also
vulnerable.

P.S.

Different people have different signatures ;-). It's like: show me your
signature and I'll tell you who you are.

Best wishes & regards,
Eugene Dokukin aka MustLive
Security auditor and security researcher
http://websecurity.com.ua

----- Original Message ----- 
From: <advisories@...ern0t.net>
To: <bugtraq@...urityfocus.com>; <mustlive@...security.com.ua>
Sent: Tuesday, August 25, 2009 10:03 AM
Subject: RE: DoS vulnerability in Google Chrome


> Hi MustLive,
>
>
> I can confirm that this consumed most resources in Firefox 3.5.2 as well.
> I have the newest Google Chrome browser installed which might explain why.
>
>
> Best regards, hopes, peace and love,
> MaXe - Founder of InterN0T - Undergrou...
> http://www.intern0t.net/
>
> PS: The extra long signature doesn't make a difference :-D
>
>
> Hello Bugtraq!
>
> I want to warn you about a Denial of Service vulnerability in Google Chrome.
>
> I found this vulnerability already on 26.12.2008. The attack belongs to the
> type of blocking DoS and DoS via resources consumption
> (http://websecurity.com.ua/2550/).
>
> DoS:
>
> http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit.html
>
> http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html
>
> With the first exploit Chrome blocks. With the second exploit Chrome blocks,
> at that consumes CPU resources.
>
> Vulnerable version is Google Chrome 1.0.154.48 and previous versions (and
> potentially next versions too).
>
> I mentioned this vulnerability on my site
> (http://websecurity.com.ua/3435/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
