Author Topic: 0.0.0.0 Day  (Read 435 times)

0 Members and 2 Guests are viewing this topic.

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 8206
  • Country: de
  • A qualified hobbyist ;)
0.0.0.0 Day
« on: August 09, 2024, 11:48:52 am »
0.0.0.0 Day: Exploiting Localhost APIs From the Browser (https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser)

Affected: all Chromium based browsers, Firefox and Safari running on Linux and MacOS.
The issue is known for 18 years (https://bugzilla.mozilla.org/show_bug.cgi?id=354493). :palm:
 
The following users thanked this post: MK14, spostma

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15581
  • Country: fr
Re: 0.0.0.0 Day
« Reply #1 on: August 09, 2024, 09:51:21 pm »
18 years open, nice job.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1412
  • Country: pl
Re: 0.0.0.0 Day
« Reply #2 on: August 10, 2024, 06:17:57 pm »
Another branded vulnerability receiving much more attention than it should.

It’s a bypass type vulnerability, which can’t be used by itself. Carrying out an attack requires another program, which already contains a serious vulnerability. Improper handling of data arriving at the socket, an authentication bypass or request handling vulnerability, or no authentication at all.

While 0.0.0.0 is kind of special, similar to often overlooked port 0, this is a member of the entire family of issues. Almost all of them not even being bugs and working as intended. A mismatch between how things are meant to work and what programmers and netops did, with browser vendors being expected to fix others’ mistakes to not face FUD.

A thing often missed from “0.0.0.0-day” reports is that UDP services are also potentialy vulnerable due to HTTP/3. The risk is even lower than with TCP services, but can’t be ruled out.
People imagine AI as T1000. What we got so far is glorified T9.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7313
  • Country: pl
Re: 0.0.0.0 Day
« Reply #3 on: August 10, 2024, 07:20:16 pm »
Yeah, but there is lots of buggy applications out there ::)

Think all the routers with web UIs, for example. I consider it kinda WTF that Mozilla doesn't see cross-site requests to 192.168.0.0/16 as a problem.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf