lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <005b01cd2948$32fa9700$0100a8c0@ml>
Date: Thu, 3 May 2012 19:16:37 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <Valdis.Kletnieks@...edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS vulnerabilities in Firefox,
	Internet Explorer and Opera

Hello Valdis!

> Anybody want to guess how many cores are on his test box? :)

It's too simple puzzle :-). The most interesting in these results it's
crashes and freezes.

Of course I know about this dependence of CPU consuming from the number of
CPU cores (just after I've upgraded first time from 1 core to 2 cores CPU in
March 2009). During this testing I've checked this exploit (in Firefox) on
one notebook - the only computer with single core CPU at my home - and
results was 88% CPU consumption.

I decided to not mention about these differences, because it's not so
interesting comparing to crashes and freezes, and people should be aware
about this dependence. Nowadays multicore CPUs are very widespread, so
these results will be close to common modern computers - more resources
consumption and more risk will be for single core CPU computers, such as
older PCs and different modern gadgets.

Note, guys, that this type of exploits for browsers, which consume only 50%
CPU on multicore CPU, are widespread, but I published a lot of exploits,
which consume more resources on multicore CPU computers. Particularly
exploits from series of multiple DoS exploits for different browsers, which
I published in 2010. As I've just tested few of them, they consumed up to
76% CPU on my new PC (which I've assembled in March), and on my old PC with
two cores CPU they were consuming even more resources.

> Depends how many browsers instances he launched to make the DoS more
> effective : o )

Boddin, I'm always testing exploits with one browser instance at a time.
With crashes and freezes of the browsers the effectiveness of DoS is
sufficient enough ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: <Valdis.Kletnieks@...edu>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <submissions@...ketstormsecurity.org>;
<full-disclosure@...ts.grok.org.uk>
Sent: Monday, April 30, 2012 4:37 PM
Subject: Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet
Explorer and Opera

On Mon, 30 Apr 2012 15:37:08 +0300, "MustLive" said:

> * Mozilla Firefox 3.0.19 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 3.5.11 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 3.6.8 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 4.0 beta 2 freezes and consumes resources (50% CPU and a
> lot of RAM).
> * Mozilla Firefox 11.0 freezes and consumes resources (50% CPU and a lot
> of RAM).
> * Internet Explorer 6 freezes and consumes resources (50% CPU and a lot of
> RAM).
> * Internet Explorer 7 freezes and consumes resources (50% CPU and a lot of
> RAM).
> * Internet Explorer 8 only consumes resources (50% CPU and a lot of RAM).
> I.e. in IE8 the problem was partly fixed by Microsoft.
> * Opera 10.62 freezes and consumes resources (50% CPU and a lot of RAM).

Anybody want to guess how many cores are on his test box? :)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ