You are not logged in.

#1 2024-08-08 15:49:36

ziomarco
Member
From: italy
Registered: 2018-09-09
Posts: 31

0.0.0.0 Day exploit

Is this exploit a really dangerous vulnerability?
They say there is no immediate fix in Firefox, on the contrary chrome patched .it

Offline

#2 2024-08-08 16:30:07

mpan
Member
Registered: 2012-08-01
Posts: 1,512
Website

Re: 0.0.0.0 Day exploit

If you don’t have services listening on localhost: the attack does nothing.

If you have services listening on localhost, but they don’t expose interface over HTTP: only relevant if the service already has a critical vulnerability itself. The attack allows circumventing a firewall running on a router,⁽¹⁾ which would otherwise shield the vulnerable service from external traffic. The attack itself, without the service being critically vulnerable already, does nothing.

If you have services listening on localhost, and they do expose authenticated interface over HTTP: only relevant if the service already has a critical vulnerability in requests handling logic. Similar to the previous point, it permits circumventing the router-level⁽¹⁾ firewall. The difference is that the attack surface is much larger. While previous case requires a very specific and unlikely kind of vulnerability, here there is many more possibilities.

If you have services listening on localhost, and they do expose unauthenticated interface over HTTP: the attack is always relevant. But you should not have such services in the first place.
____
⁽¹⁾ Edit 2024-08-10: not only network-level, because of 127.0.0.0/8 and ::1.

Last edited by mpan (2024-08-10 18:24:45)


Paperclips in avatars?
NIST on password policies (PDF) — see §3.1.1.2
Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2024-08-08 20:08:45

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,423

Re: 0.0.0.0 Day exploit

To superficially check this

ss -lutn # w/ UDP being a massive stretch because it requires http/3

Then test http://0.0.0.0:<open port>

Eg. http://0.0.0.0:631/ would be cups and hopefully just tells you to gfy anywy.
http://127.0.0.1:631/ or http://localhost:631/ should work, your LAN IP (eg http://192.168.0.2:631 ) should NOT unless you're sharing the printer on the LAN.

Also and as mpan pointed out the exploit still needs
1. some service listening
2. that it can then exploit in some meaninful manner.
So even ifff eg. http://0.0.0.0:7634 would work, the offender would know the current temperature of my disk which, yeah, knock yourself out.

Port scanning might help to identify you, but normal browsers already expose A LOT of specific stuff that can be used for fingerprinting, even w/o javascript, which can be used to overcome hiding-behind-TOR efforts.
For the vast majority of users this isn't a realistic thread and to stress the our-cve-has-a-cool-name-for-cnn blog entry:
Firefox doesn't support PNA at all, so an attack on eg. 192.168.0.5:631 would have worked anyway - that's no news, they just noticed that the 0.0.0.0 IP isn't a loopback nor a private network segment and escaped the PNA spec from 2015.

And: this cannot be exploited cold, you've to go to www.pornandmalware.com to have the web page loaded in your browser to be able to use your browser against you.

Offline

#4 2024-08-08 22:34:16

progandy
Member
Registered: 2012-05-17
Posts: 5,286

Re: 0.0.0.0 Day exploit

seth wrote:

Firefox doesn't support PNA at all, so an attack on eg. 192.168.0.5:631 would have worked anyway - that's no news, they just noticed that the 0.0.0.0 IP isn't a loopback nor a private network segment and escaped the PNA spec from 2015.

You can try to use an uBlock filter list for that: https://github.com/uBlockOrigin/uAssets … -block.txt


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2024-08-09 09:01:03

ziomarco
Member
From: italy
Registered: 2018-09-09
Posts: 31

Re: 0.0.0.0 Day exploit

thanks to you all for the explanations

Offline

#6 2024-08-09 10:54:07

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,335

Re: 0.0.0.0 Day exploit

I occasionally run transmission using transmission-daemon as user from a terminal .
http://0.0.0.0:9091/ in firefox works, but transmission webinterface requires javascript which is blocked by the Noscript extension .

Could 0.0.0.0 be blocked in the hosts file ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#7 2024-08-09 11:02:24

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,423

Re: 0.0.0.0 Day exploit

transmission-daemon hast a couple of Options for the listening addresses that all Default to 0.0.0.0 - you could Set them to the loopback 127.0.0.1

Offline

#8 2024-08-09 12:06:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,410
Website

Re: 0.0.0.0 Day exploit

Lone_Wolf wrote:

Could 0.0.0.0 be blocked in the hosts file ?

/etc/hosts??  No.  That's for mapping domain names to IP addresses, 0.0.0.0 is already the IP.  In fact, common ad/host blocking strategies use /etc/hosts/ to map a wide range or "bad" domain names to 0.0.0.0.

Interestingly, that could be a source of a much wider attack surface for this exploit.  On my laptop, there are over 600 thousand domain names in my /etc/hosts file that all are mapped to 0.0.0.0.  So theoretically a website attempting to "phone home" to any of those bad-actor sites gets directed back to 0.0.0.0.

Am I worried?  Nope.

Last edited by Trilby (2024-08-09 13:25:22)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#9 2024-08-09 17:34:39

cloverskull
Member
Registered: 2018-09-30
Posts: 259

Re: 0.0.0.0 Day exploit

@Trilby does your /etc/hosts file size cause any performance issues with domain resolution? 600k domains seems like a lot, so I'm curious

Offline

#10 2024-08-09 20:15:04

sekret
Member
Registered: 2013-07-22
Posts: 301

Re: 0.0.0.0 Day exploit

I seem to have the same hosts file Trilby has. Well, at least I don't feel any difference.

Offline

#11 2024-08-09 20:26:47

macromal
Member
Registered: 2024-08-03
Posts: 40
Website

Re: 0.0.0.0 Day exploit

cloverskull wrote:

@Trilby does your /etc/hosts file size cause any performance issues with domain resolution? 600k domains seems like a lot, so I'm curious

Look this repository https://github.com/StevenBlack/hosts, contains hosts files for different purposes.

My simple /etc/hosts only blocks a few malicious sites:

# The following lines are desirable for IPv4 capable hosts
127.0.0.1       localhost
# 127.0.1.1 is often used for the FQDN of the machine
127.0.1.1       MAL.localdomain          MAL

# The following lines are desirable for IPv6 capable hosts
#::1             localhost ip6-localhost ip6-loopback
#ff02::1         ip6-allnodes
#ff02::2         ip6-allrouters

# Malicious sites
127.0.0.1       www.microsoft.com microsoft.com
127.0.0.1       www.google.com google.com

Offline

#12 2024-08-09 21:35:50

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,410
Website

Re: 0.0.0.0 Day exploit

Nope, no performance issues related to /etc/hosts size.  When I was having some issues I explicitly tested that.


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#13 2024-08-10 15:55:49

adventurer
Member
Registered: 2014-05-04
Posts: 127

Re: 0.0.0.0 Day exploit

There is an easy solution as already mentioned by @progandy: uBlock Origin comes with the "Block Outsider Intrusion into LAN" filterlist. Enable it in its settings and you're protected.

Offline

#14 2024-08-10 16:06:25

xerxes_
Member
Registered: 2018-04-29
Posts: 952

Re: 0.0.0.0 Day exploit

For me 'ss -lutn' returns:

Netid             State              Recv-Q             Send-Q                                              Local Address:Port                         Peer Address:Port             
udp               UNCONN             0                  0                              [fe80::82fb:a22e:xxxx:xxxx]%enpxxx:546                                  [::]:*  

This is some dhcpv6-client listening on port 546. Can it be dangerous?

I was trying to connect to it in Firefox in address bar like this: http://0.0.0.0:546 or 0.0.0.0:546, but it didn't worked: "Firefox can't connect to the server 0.0.0.0:546", but maybe I do something wrong...

Last edited by xerxes_ (2024-08-10 16:11:37)

Offline

#15 2024-08-10 16:29:24

mpan
Member
Registered: 2012-08-01
Posts: 1,512
Website

Re: 0.0.0.0 Day exploit

I believe case #2 from my earlier response applies here and only under an additional condition.The adversary needs to force a browser to use HTTP/3.


Paperclips in avatars?
NIST on password policies (PDF) — see §3.1.1.2
Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#16 2024-08-10 16:53:56

xerxes_
Member
Registered: 2018-04-29
Posts: 952

Re: 0.0.0.0 Day exploit

How do you know that attack need HTTP/3 ? Also, if I understand well, it needs javascript to be enabled (javascript request) ?

Offline

#17 2024-08-10 16:56:48

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,423

Re: 0.0.0.0 Day exploit

http/2 over udp isn't a thing

Offline

#18 2024-08-10 18:44:19

mpan
Member
Registered: 2012-08-01
Posts: 1,512
Website

Re: 0.0.0.0 Day exploit

xerxes_ wrote:

How do you know that attack need HTTP/3

HTTP/1.x and HTTP/2, with and without TLS, work over TCP. So any traffic they cause isn’t appearing at an UDP socket.

xerxes_ wrote:

Also, if I understand well, it needs javascript to be enabled (javascript request) ?

Being able to run code on the target machine makes the attack much easier and gives more options, but is not strictly necessary.

The first kind of attack (case #2) relies on improper handling of data in a TCP stream. If present, it is most likely to be triggered in the early part of the transmission. This is the same regardless of how the request is made. JavaScript APIs (like Fetch API), would affect the parts arriving much later. The other two cases are most likely to be triggered by GET or POST data, both of which can be sent without additional code.

However, without client-side code it’s going to be hard to exfiltrate data. It would require a Rube Goldberg level of machinery or something like Log4Shell.


Paperclips in avatars?
NIST on password policies (PDF) — see §3.1.1.2
Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

Board footer

Powered by FluxBB