0.0.0.0 Day: An 18 Year Long Web Browser Exploit

And when Google has managed to turn people away from running adblock... can the Manifest V3 blockers still block this? I guess they will? Will the people that find out that adblockers doesn't work on the sites they visit even bother using one? I guess most will use the new versions anyway since it'll at least do some blocking but... we are talking about human sheep here. "Why keep this trash extension, it doesn't work for me!".
Any kind of unnecessary attack surface should be blocked off, how they managed to leave this open for 18 years I'll never understand lol. Was the Wayland devs in charge of this!? :P

thanks for covering this

I also remember firewall rules blocking 0.0.0.0 used to be semi common back in the late 90s to early 2000s. Now i know why. Friends of mine uswd to say it was just a good idea to block it.
Also palemoon has patched this.

I have been looking for LLMs that don't use local host. even local privacy focused llms, still use local host.

there is a mistake in the subtitles. At 8:49 it says 'cores' when what you meant is probably CORS

Ublock is the fucking GOAT

​@@no_name4796Ublock Origin, not Ublock

⁠​⁠@@no_name4796Ublock is completely unaffiliated to uBlock origin.

But does uBlock Lite? How much disservice does Google do you by blocking blockers?

Not by default, you need to enable it. In the filter lists, the respective filter is called "Block Outsider Intrusion into LAN"

No browser - no problem!

@@spartv1537 Yes, and any system can have all browser removed without a lot of trouble (except Windows). It all comes down to the use cases. I don't know how BetaMaster2 has managed to post his comment, for example, from TempleOS. (He hasn't.)

The Lord protects it.

Yes, again TempleOS is holy! We bow down!

I'll stay on my Hannah Montana Linux
Hannah will protect me 😎

CUPS has a local web ui and my Epson ET-20xx-series printer does, too.

If your CUPS server can accept connections from outside its LAN/VLAN your network has larger issues.

@@nobodyimportant7804 we are talking here about a case where a client-side script initiates a connection to your own system
As far as CUPS is concerned, it doesn't come from outside, it doesn't even touch a network card.

@@nobodyimportant7804 But... in this case the request appears to come from localhost. And since CUPS will happily execute PostScript, which is a Turing complete language, there is a whole lot of fun things you can do.

@@nobodyimportant7804 I'm pretty sure the CUPS server running on my machine needs to accept connections from my machine.

@@nobodyimportant7804 The attack allow you to connect to localhost open ports, you can then make request maybe gain admin privileges (uses UNIX auth so a local user with a easy password can be enough to exploit) and then allow to login from outside of localhost.

UBlock Origin has blocked 0.0.0.0 requests since ages ago too, and works on other browsers like Firefox. And hasn’t had multiple sketchy monetary issues in the past.

Not really, they started working on it, but nothing reached mainstream browsers (again). They haven't blocked 0.0.0.0 anywhere. The browsers still enable accessing localhost by accessing 0.0.0.0

Yeah

16 years late ...

​@@davidioanhedgesbetter than not at all, i guess

The concept of an application representing "host me on every IP on each interface" with "0.0.0.0/0" makes FAR more sense, as it means "this host on the network" for every network, i.e. pretty close the purpose of the actual spec. Using it to route to local host? Well... I mean, that's technically this host on the network, specifically the network 127.0.0.0/8?
But as an address for "nowhere", like blocking something? That's extremely bad.

Interestingly, on Linux and macOS, [::] also works as the localhost destination in addition to [::1]

@@OhhCrapGuy Is it really? 0.0.0.0 is a reserved IP address on every possible valid network and in principle could never belong to a host. So not exactly insane either. More like this is the problem any time people feel the need for magic numbers and special states that standards leave unspecified.

Binding to 0.0.0.0 serves on every IP adapter in the system, and makes sense. But connecting to 0.0.0.0 is news to me, and makes no sense.

I had a gut feeling 0.0.0.0 could be exploited, turns out it was discovered already long time ago

I've tried doing that and was way too tedious. Just about every site uses script and disabling them breaks the site.

In chrome browsers, you don't even need an extension, it's built in

​@@dmiracle74So just enable on sites you trust?

@@tablettablete186 How do you know if the trusted site doesn't have a malicious script?

@@dmiracle74 You don't know, but this is better than allowing on everything.
But you can inspect the code, it just takes a lot of time

I didn't even consider the name overlap lol

Private Internet Access

AAAND both of them aren't really private in a most cases today.

@@giusdb Not sure what you are getting at, but by "securing a HTTP server" I don't mean anything outlandish, just requiring authorization. Basically, I just think that when you make a local service, you should take the same steps you take when you make a public website. Is the request coming from an authorized source? No? Well, don't handle it!
I do think it's a good security goal to treat all networks, or even all users and processes as untrusted, unless specifically authorized. I don't think I'm alone in that, since we have the principle of least privilege and MAC. It's not as impossible as you think - after all, we treat the internet as untrusted, and it's not that hard (we have firewalls).
If you say your network is trustworthy, well, this still gives you the advantage of an additional layer of security if it ever gets compromised.

I don't know what you mean by "safe", but if that includes setting up https for a localhost connection just to test out some browser APIs that require https for no actual reason other than to push its adoption (e.g. the gamepad api)... NO THANKS.

@@gamechannel1271 TLS brings no security benefits to localhost connections. As opposed to any connection that goes over the wire, they can't be hijacked (without root - and if you are root, you are in total control anyways). You still need to have proper authentication and authorization for a local service to be secure, however.

They shouldn't be locally hackable for passwords anyhow, except by brute forcing, but still they might reveal the presence of a user ID, right?

Shouldn't be a problem because due to CORS, data can only be sent, not retrieved

Maybe I missed something but this sounds like a pivot that allows JavaScript to connect to any unfirewalled port on *localhost.* So the only way an attacker could reach your network would be if you had a proxy running on the same machine.

Actually, their are a lot of things in place to prevent this, which includes security zones on Windows/IE since IE4 in 1997.
My suggestion would be to watch: Dan Kaminsky (yes, of DNS fame): DNS Rebinding And More Packet Tricks at 24C3 (CCC conference 2007)

@@loc4725 this specific exploit, but their have been many and many also still work.

@@loc4725 The browser program runs on your computer and has generally access to your local network. JavaScript code downloaded from a website can access network services available to your computer, bypassing any protection.
When such code wants to access your local filesystem, your microphone or your webcam, the browser asks for permission or pops up a file chooser. Consequently users feel like there is some level of protection of local resources.
On the other hand, the browser just opens connections to private networks without any warning or consent.
This is necessary if you want to access websites on your local network, but then at least you type in the URL with that private address. A public website has no valid reason to access a private network (here I mean non-routed networks and especially 0.0.0.0).
But as it is, any website can access local network services that might not be secured because the local network is often considered safe, because it's behind the firewall.
The only practical way for users would be to only run browsers in well configured and restricted virtual machines. I can do that. Most users don't know what that means.
This is a complete catastrophe. I think this is one of the worst security scandals of all time.
I'm flabbergasted that this is not making the news big time. I'm not even upset at myself that I never thought about this possibility, because I had to assume that if access to the filesystem is restricted, access to private networks must be too.
There is no excuse for this issue.

@@loc4725 Firefox does apparently not restrict JS access to private networks. Google did, but left out 0.0.0.0. Mozilla is aware of this issue since 18 years.
Even if it was as you said, and only machines with a local proxy would be affected, this would still be a catastrophe for a large number of users fitting that profile.
A proxy is not the only problem though. Any local service (at least those speaking http) would be affected. Some Electron app that provides full file system access via a tcp port would count. If that works, maybe file:///etc/passwd works too?
The problem is this: The base assumption of the web is, that a server delivers data to the client. The client requests data or uploads data with the user's consent. When the server can read my files, connect to network services, use my microphone or camera while I am not publishing these data sources without any protection on the internet, then the server is using malware. Firefox then becomes malware.

Except that this vulnerability is older than a quarter of the people watching this video.

​@@GSBarlev I doubt the audience here is so young on average.

@@SystemAlchemist biggest audience is 25 to 34

Notice how the list they have for 'Private Network Access' does NOT include enough IPv6 addresses to be complete.

When setting a route it's the /0 that matters. You could use 0.0.0.0 or 123.123.123.123 or 123.45.67.89 and the behavior is the same, because /0 means ignore the address and route everything

@@robmckennie4203 /0 can only go with 0.0.0.0 if validation is written correctly as 0.0.0.0 is only possible id ip for subnet of all possible ips by standard

​@@robmckennie4203no, myhost/0 means host "myhost" specifically (1 host) on any network (/0), or explicitly network "0".
On the other hand 0.0.0.0/0 means any host (0.0.0.0 as a wildcard) on any network (/0 as a wildcard for any mask).
They may seem similar but any non 0.0.0.0 in the address will limit to that host/ip specifically, while all zeros will mean any host IP in place of the 0s.

Got to make up for the ones I missed

@@BrodieRobertson No you don't :) 0.0.0 is the same as 0.0.0.0, just like 0.0 or just 0. IPv4 notation doesn't require all 4 octets to be given.

@@christophsarnowski9849 yeah but 127.888.888.888 is funnier than 127

@@christophsarnowski9849 I wonder if the developers fixing this bug actually know

Yeh, maybe there should be a way of fine tuning this, yet without opening the security hole for hostile websites. Perhaps a custom local IP address which is communicated to the website so it knows how to refer to those services.

maybe as a permission that can be granted to the website?

@@Interpause It's not up to us. The great Google decides all.
My point is that PNA is a Trojan horse.

That sounds like a poor implementation. Could you provide a concrete example?

@@Lord_zeel postman's now default web version uses a local server to make requests it otherwise cant under browser restrictions

And series of those crying laughing emoji. In my entire life I have never seen content containing chains of that emoji that was not a waste of bandwidth.

@@SaHaRaSquad In my social media reading experience, commonly they are taunts, but some may be sympathy expressions.

Limited use, as they can morph, but better than nothing perhaps.

The problem with that, is that some web browsers will twist what you said, so that ALL telemetry is sent, just for the sole excuse of "YoUr SaFetY And MuH ProduCt!".
Just look at google. They got a lawsuit filed against them, and lost, because they lied when they said they aren't a monopoly, when they clearly are.
With today's age where privacy is getting reduced more and more into a atom, some companies will try everything they can to squeeze out that last bit of privacy, and sell ALL of the remaining user private data, to some 3rd party entity somewhere located in china, india, etc.
The ONLY telemetry they should send, should be EXTREMELY limited, or NONE at all. None is preferable, but, if not, it should be extremely limited.

Wouldn't those configurations tools be running locally?

Use a VPN, don't open up remote access, ever
Signed,
The world

@@StephenMcGregor1986 This isn't at all about remote access, it's local access by an unauthorized party (the website). You could even say it's the reverse, since people will focus so much on preventing remote access (using VPN and such), so they forget local access isn't trusted per se either.

@@BrodieRobertson This is about the backend running locally, but the frontend being on a website. It is certainly a valid use case, and ideally PNA would be behind a permission, not blocked outright for it to still be possible.

​@@GrzesiekJedenastkaThe only use case for this is development. Is it possible to bypass this? Yes, Chromium has some command-line flags that can do it. But they should not be enabled by default. Secondly, developer should not be an idiot and be implementing things in that fashion -- they should put the FE and BE on the same system (ex. localhost), or on a trusted internal domain and use CORS appropriately. External Internet facing website referencing localhost = bad bad bad.

Not really. It's hard to do anything with IPP without allowed CORS, and the only thing you get by exploiting it is the ability to waste someone's ink.

@@GrzesiekJedenastka i disagree, hence, i always `apt autopurge -y cups-browsed`

Just use the elinks browser 🤣

Try Gemini - it's the new and nicer Gopher.

Use gemini

@@happygofishing Both good.

@@OsvaldoGago Nah, I want away from www browsers.

only if http servers running on your host system aren’t secure. if they are written with the same security measures as public sites, this is not a problem, but because some devs incorrectly believe local-only sites inherently have authentication as you cannot access them without already being connected to the network (ignoring that other websites could have client-side requests to these private services) they skip the security measures that exist to stop these exact issues

this would work only IF IF servers dont have any CORS logic

@@bigpod CORS cannot apply to the first request, that's the point of PNA, unfortunately they missed 0.0.0.0 in PNA. (It's only a 15min video, is actually watching it really to big of an ask?)

Yes.

It's a teary eyed tier. Very emotional.

You misunderstood the video, their are many uses for the 4 zeros address, some point out to the internet like the default route, but the one used here, actually points to localhost, the service doesn't need to listen on all ports, the 4 zeros address will just point to localhost directly (!)

@@autohmae I didn't miss it, actually. I was just pointing out the most common usage of it that i've seen that wasn't mentioned in the video.

@@coladict ahh ok

Incredibly rare Windows W

Yes, I was thinking the same for IPv6. I think you underestimate how many things can be loaded from other domains, hosts, etc.

CORS relies on the response

@@BrodieRobertson yes but why would those servers respond to Cors if they don’t want to be reachable

@@nobodyimportant7804 Because of 0.0.0.0 Day exploit ?

Just went to 0.0.0.0:631, it gave me a "bad request" instead of a "server not found". In other words... I'm vulnerable. (:

@@nobodyimportant7804 No one owes you the rudimentary knowledge to set up a firewall, alright! Such entitlement! Jeez!!!

@@waltherstolzing9719that was unnecessary

@@swagmuffin9000 I mean I did forget to add the '/s' ... so I suppose *that* was 'necessary'.

These kinds of bugs and issues come up every couple of years, for decades now.

0.0.0.0 reason not to fix it

@@MNbenMN good one lol.

I did some testing and 0.0.0.0 seems to be translated to 127.0.0.1 before it even enters the firewall part of the network stack. So no blocking 0.0.0.0 will not do anything.

it's not a miracle, because it's been going on for decades, at least 1 exploit/security fix was so old, it got re-introduced (security fix removed).
You might want to check your DNS for 'rebinding' attacks, for example in Unbound, it's the private-address option

No I literally can't configure the gateway, it's locked out of port triggering, wifi radio on/off toggle, and the Xfinity app is a turd that instantly errors out on anything port forward or DMZ related. These options have been chipped AWAY from the user/admin for years and this trash has taken over 100%. No bueno.

Windows not being vulnerable has nothing to do with a firewall blocking access to the attack vector. This vector _doesn't exist_ on Windows (nor on FreeBSD) so the attack isn't _possible._
That's not to claim that Windows is more secure than Linux - or less secure - only that it's immune to _this specific vulnerability._

That's not what's being talked about, the issue isn't where the site is hosted. If someone connects to your website and then you try to connect to the users localhost that's where the problem is

@@BrodieRobertson I think they meant that they self hosted a website on their main box, and not a dedicated server box? At least that's how I read it. In that case, wouldn't browsing the web on the same machine make that website vulnerable if there are extra endpoints you can only hit from local host? I've done similar things as I used to not be able to afford having 2 separate machines to isolate boxes properly. Or am I completely misunderstanding this?

Game servers are another example of this which you may be running and only intending to open to LAN or VLAN

@@BrodieRobertson I meant exactly what @Firestar-rm8df said. Sorry if that wasn't clear enough. It was in response to your (admittedly rhetorical) question at 9:26 "... under what situation would a random person just be running an HTTP server?" My point was that it was once quite common and I doubt I'm the only one who actually was doing so until fairly recently. I had been self-hosting sites practically since the first domain registrar opened their doors, though, so maybe I'm just a maverick.

​@@BrodieRobertson I meant exactly what Firestar said. Sorry if I wasn't clear enough. This was in response to your (admittedly rhetorical) question "... under what situation would a random person just be running an HTTP server?" My point was that it was once quite common and I doubt I'm the only one who'd been doing so until fairly recently. I've been self-hosting websites almost since the first domain registrar opened their doors, though, so maybe I'm just a maverick.

I frogot

@@BrodieRobertson understandable. ribbit.

If only that was true

It means many things

@BrodieRobertson read in the Game of Thrones "It is known" voice, it's hilarious. 🤭

problem is that so many services nowdays still either run with cors disabled not implemented or jsut simply allowing everything

@@bigpod cors is on by default- but even though the client side code cant see the response, the request is still sent. the solution to this is preflight requests, which make a separate request with the “OPTIONS” http method which essentially asks the server if a request should be allowed to be made. this is still only done on some requests though, and notably some POST requests are still allowed to be sent without preflight, which can be a problem

A local server should just have the website on it in the first place. Using an external web server to access something on your *local* network is a recipe for anti-consumer behavior, those products shouldn't even be purchased let alone used.

@@chlorobyte their are lots of legitimate use cases, Dell and Lenovo uses something called a 'service bridge'.

The ps4 can be jail broken, as long as it has a web browser, however, you will loose access to the PSN servers at that point, because sony detected that your console was jailbroken. (this was a similar issue with PS2's, which is why they added the DNAS servers, which, were shut down at around 2009 or 2010 i believe. It was basically a sort of authenticator, to see if your console was tampered in anyway, and if so, it'd prevent you from playing online. However, since the authentication servers were shut down a long time ago, there's no way to play online, officially. Well... unofficially, it is possible, since there are ways to bypass the DNAS check, but you get my point)
It might be possible to jailbreak it via USB ports, but im not sure.
What i know, is that the ps5 doesn't have a web browser, unlike the other ones, meaning it can't be jailbroken.

It is very noughty.

@@SeekingTheLoveThatGodMeans7648 But to quote the Aero Bar advert "it's the bubbles of nothing that make it really something.".

What are you going to use to make this comment

​@csongorszecska im not them, but i think they might mean "just use an ai for info (like chatgpt or gemini) and apps for the rest.
Which im gonna say to them:
1) Good job, now all info is dependent on an LLM system that needs to be constantly updated, consumes alot of power, and is thrive for explotaitation by how they work to get that info and right now are prone to imagining stuff that doesnt exist
2) Apps can be exploited just as much by this potentially.
So yea, bloody stupid

Tell me you didn't watch the video without telling me you didn't watch the video.

CORS will block the response but not the request being sent

@@BrodieRobertson and honestly thats not browsers fault if your service is kinda trash and doesnt check early enough for CORS violationt in the pipeline

@@bigpod this is inherent to CORS

​@@bigpodHow exactly would a service prevent a request from being sent before it receives the request? If you figure that out, the next application of the technology would be to report next week's lottery numbers today