Researchers at Oligo Security have discovered an 18-year-old critical vulnerability, dubbed “0.0.0.0 Day,” that affects all major web browsers, including Chromium, Firefox, and Safari.
This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.
The issue stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry.
Specifically, the IP address 0.0.0.0, which is often used as a placeholder or default address, can be exploited by attackers to access local services, including those used for development, operating systems, and even internal networks.
The impact of 0.0.0.0 Day is significant, affecting individuals and organizations alike. With the ability to bypass browser security, attackers can potentially gain access to sensitive services running on local devices, leading to unauthorized access, data breaches, and even remote code execution.
A bug report from 2006 highlights the long-standing issue of browsers allowing requests to be sent to local or internal networks from less-private contexts. Despite numerous comments and reprioritizations, the bug remains open to this day.
The lack of standardization in the browser industry has led to inconsistent implementations of security mechanisms, creating vulnerabilities like 0.0.0.0 Day.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download
How Does 0.0.0.0 Day Bypass Browser Security
To understand the vulnerability, it’s essential to understand browser security and the role of IP addresses like 0.0.0.0.
Browsers have always been a security target, introducing groundbreaking security concepts like sandboxing and HTTPS-ONLY cookies.
The IP address 0.0.0.0 has multiple uses, including as a placeholder or default address. However, its use as a destination address in IPv4 is prohibited, and it is only allowed as a source address under specific circumstances.
Despite this, 0.0.0.0 has been used in various contexts, including in /etc/hosts files to block certain domains or in networking policies to allow all IPs.
Digitally “fingerprinting” website users is a known technique used for various purposes, including identifying returning users. However, threat actors can also use this technique to gather intelligence for phishing campaigns.
The use of the 0.0.0.0 Day vulnerability allows attackers to port scan users, potentially leading to the identification of open ports and vulnerable services.
Google’s introduction of Private Network Access (PNA) aims to extend CORS by restricting websites’ ability to send requests to servers on private networks. PNA proposes distinguishing between public, private, and local networks, preventing requests from being sent to more secure contexts.
According to the current PNA specification, the following IP segments are considered private or local:
Researchers at Oligo Security discovered that 0.0.0.0 was not on the list of private or local IP segments, allowing websites to dispatch requests to 0.0.0.0.
Following responsible disclosure, this bypass of the current PNA implementation and inherent flaws in browsers were reported to all browsers.
Many applications are likely to be impacted by the 0.0.0.0 Day vulnerability. Researchers at Oligo Security found several vulnerable applications, including Ray, Selenium Grid, and Pytorch Torchserve (ShellTorch). These vulnerabilities can be leveraged through 0.0.0.0, leading to remote code execution and unauthorized access.
Following responsible disclosure, browser vendors have acknowledged the security flaw and are working to implement browser-level mitigations.
Google Chrome (and Chromium-based browsers like Edge)
- PNA Initiative: Evolving Private Network Access (PNA) led by Google.
- Vulnerability: 0.0.0.0 bypasses PNA, allowing access to private IPs.
- Fix Rollout: Blocking 0.0.0.0 from Chrome 128, fully effective by Chrome 133.
- Statistics: 0.015% of websites (around 100K) communicate with 0.0.0.0.
Apple Safari
- WebKit Changes: Now blocks 0.0.0.0 access.
- Implementation: Requests to all-zero IP addresses are blocked.
Mozilla Firefox
- Current Status: No immediate fix; PNA not initially implemented.
- Specification Update: Fetch specification updated to block 0.0.0.0.
- Future Plans: Implementation of PNA will eventually block 0.0.0.0.
The 0.0.0.0 Day vulnerability highlights the need for browser industry standardization and the implementation of Private Network Access (PNA) according to that standard. Until PNA fully rolls out, public websites can dispatch HTTP requests using Javascript to successfully reach services on the local network, potentially leading to unauthorized access and remote code execution.
Are you from SOC and DFIR Teams? – Analyse Live Malware Incidents with ANY.RUN -> Get 14 Days Free Access