0.0.0.0 Day – 18 Yr Old Vulnerability Allow Attackers to Bypass All Browser Security

Threat actors often target and exploit security flaws in web browsers, as exploiting flaws in web browsers enables them to gain unauthorized access and perform several illicit activities.

Not only that, threat actors also get a wide attack surface with minimal effort by exploiting the security flaws in browsers.

Cybersecurity researchers at Oligo Security’s research team recently discovered 0.0.0.0 day, an 18-year-old vulnerability that enables attackers to bypass all browser security.

Technical Analysis

It’s a major security problem affecting all popular web browsers (Chromium, Firefox, and Safari) that allows external websites to interface with software that is being run locally on macOS and Linux.

The vulnerability known as “ow.night” was caused due to the fact that the security mechanisms were implemented in different ways depending on what browser was used and the lack of any uniform standards in this industry.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

This vulnerability allows malicious websites to bypass browser security and communicate with the organization’s local network services which could lead to unauthorized access by hackers who are outside of its network and remote code execution upon these local services.

Consequently, using a rather harmless 0.0.0.0 IP address, attackers can target the local services for development purposes, and operating systems among others including internal networks.

While this vulnerability was again shown to be urgent by the recent discovery of active campaigns of ShadowRay.

Oligo researchers have shared their findings with the security teams for all major browsers and the browser vendors recognized the security problem.

The 18-year-old bug report, still Open (Source – Oligo)

Related standard modifications are being processed and some browser-level mitigations that will not accept 0.0.0.0 addresses are planned to be activated soon.

However, due to its complexity as well as lack of any finalized standard, this vulnerability still remains under attack in between allowing external websites access services on localhost.

This shows the need for a common browser industry standard that can address this fundamental security flaw and protect users and organizations from potential “0.0.0.0 Day.”

This critical flaw allowed public websites to override browser protections and access local network services, which can result in remote code execution.

At first, the vulnerability was caused by the Private Network Access (PNA) standard, which does not consider 0.0.0.0 as a private IP address.

Relationship between public, private, local networks in Private Network Access (Source – Oligo)

This deletion allowed hackers to use public domains for reaching local resources and, at the same time, skip the restrictions of CORS and exploit flaws in Ray frameworks or Selenium Grid as well as PyTorch TorchServe that were installed on localhost.

The researchers provided an example of unauthorized access and control of these local applications using only one HTTP request showing how essential it is to ensure a comprehensive standardized approach to secure local network access.

It is incredible how their disclosure helped with fixing this vulnerability in various browsers consequently demonstrating how responsible disclosure aids in internet security improvement.

Recommendations

Here below we have mentioned all the recommendations:-

  • Implement PNA headers.
  • Verify HOST headers to prevent DNS rebinding.
  • Add authorization layers for localhost.
  • Use HTTPS.
  • Implement CSRF tokens.
  • Remember browsers route to internal IPs.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top five…

15 hours ago

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using spearphishing…

16 hours ago

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to the…

16 hours ago

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection with…

16 hours ago

CapibaraZero Firmware With ESP32-S3 Hardware Enables Low Cost Flipper Zero alternative

The open-source tech landscape continues to innovate, and the release of the CapibaraZero firmware marks…

17 hours ago

Multiple SonicWall Vulnerabilities Let Attackers Execute Remote Code

SonicWall has issued a critical alert regarding multiple vulnerabilities in its Secure Mobile Access (SMA)…

18 hours ago