18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

Cybersecurity researchers have identified a new vulnerability, dubbed “0.0.0.0 Day,” that affects all major web browsers and could be exploited by malicious websites to compromise local networks.

“This critical flaw reveals a fundamental issue in how browsers handle network requests, potentially allowing attackers to access sensitive services on local devices,” said Avi Lumelsky, a researcher at Oligo Security.

The Israeli application security firm highlighted the wide-reaching implications of this vulnerability, which arise from inconsistent security implementations and a lack of standardization across different browsers.

As a result, an IP address like 0.0.0.0, which may seem harmless, can be weaponized to exploit local services, leading to unauthorized access and remote code execution by attackers outside the network. This loophole has reportedly existed since 2006.

The 0.0.0.0 Day vulnerability affects Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, all of which permit external websites to interact with software running locally on macOS and Linux. However, Windows devices are not affected, as Microsoft blocks the IP address at the operating system level.

Oligo Security discovered that public websites with “.com” domains can communicate with services on the local network and execute arbitrary code on the user’s machine by using the 0.0.0.0 address instead of localhost/127.0.0.1.

This vulnerability also bypasses Private Network Access (PNA), a feature designed to prevent public websites from directly accessing endpoints within private networks.

Any application running on localhost and accessible via 0.0.0.0 may be vulnerable to remote code execution, including local Selenium Grid instances, which can be targeted with a POST request to 0.0.0[.]0:4444 containing a malicious payload.

In simpler terms, the issue allows a malicious web page to send requests to 0.0.0.0 and a chosen port, which could then be processed by services running locally on that port, leading to unintended and potentially harmful outcomes.

In response to these findings, web browsers are expected to block access to 0.0.0.0 starting in April 2024, thereby preventing public websites from directly accessing private network endpoints.

“When services use localhost, they assume a controlled environment,” Lumelsky explained. “This assumption, which can be flawed as demonstrated by this vulnerability, leads to insecure server implementations.”

“By combining 0.0.0.0 with the ‘no-cors’ mode, attackers can use public domains to target services running on localhost and potentially achieve remote code execution (RCE) with just a single HTTP request.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

error: Content is protected !!

Sign Up for CXO Digital Pulse Newsletters

Sign Up for CXO Digital Pulse Newsletters to Download the Research Report

Sign Up for CXO Digital Pulse Newsletters to Download the Coffee Table Book

Sign Up for CXO Digital Pulse Newsletters to Download the Vision 2023 Research Report

Download 8 Key Insights for Manufacturing for 2023 Report

Sign Up for CISO Handbook 2023

Download India’s Cybersecurity Outlook 2023 Report

Unlock Exclusive Insights: Access the article

Download CIO VISION 2024 Report

Share your details to download the report

Share your details to download the CISO Handbook 2024