Cybersecurity experts have uncovered a new “0.0.0.0 Day” vulnerability that threatens all major web browsers, allowing malicious websites to potentially infiltrate local networks.
According to Avi Lumelsky, a researcher at Oligo Security, this critical flaw “reveals a fundamental weakness in how browsers manage network requests, possibly giving attackers access to sensitive services on local devices.”
The Israeli application security firm noted that the vulnerability’s impact is widespread, rooted in the inconsistent application of security protocols and the lack of standardization among different browsers.
This flaw could enable the seemingly benign IP address 0.0.0.0 to be exploited, allowing attackers to gain unauthorized access and execute remote code on devices within the network. The vulnerability has reportedly existed since 2006.
Google Chrome/Chromium, Mozilla Firefox, and Apple Safari are all affected, permitting external websites to interact with software running locally on macOS and Linux. Microsoft Windows devices are not impacted, as the operating system blocks the 0.0.0.0 IP address.
Oligo Security specifically found that public websites with “.com” domains can interact with local network services and execute arbitrary code on the host device by using the 0.0.0.0 address instead of localhost/127.0.0.1.
This issue also circumvents Private Network Access (PNA), which is intended to prevent public websites from accessing private network endpoints.
Any application accessible via 0.0.0.0 is vulnerable to remote code execution, including local Selenium Grid instances, through a crafted POST request sent to 0.0.0[.]0:4444.
In essence, a malicious web page could send requests to 0.0.0.0 and a specific port, and the local service listening on that port would process them as if they came from a trusted local client, with whatever consequences that service's functionality allows.
In response, browsers are expected to block access to 0.0.0.0 by April 2024, ending direct access to private network endpoints from public websites.
“When services use localhost, they operate under the assumption of a controlled environment,” Lumelsky explained. “This assumption, which can be flawed as shown by this vulnerability, leads to insecure server implementations.”
“By using 0.0.0.0 with ‘no-cors’ mode, attackers can leverage public domains to attack services on localhost, potentially achieving arbitrary code execution (RCE) with a single HTTP request.”
Source: TheHackerNews