
0.0.0.0 Day - 18 Yr Old Vulnerability Let Attackers Bypass All Browser Security

⁨76⁩ ⁨likes⁩

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨Dnb@lemmy.dbzer0.com⁩ to ⁨technology@beehaw.org⁩

https://cybersecuritynews.com/0-0-0-0-day/

source

Comments

  • dan@upvote.au ⁨8⁩ ⁨months⁩ ago

    Seems like a TCP/IP stack issue rather than a browser issue… 0.0.0.0 is not supposed to be a valid address. The network stack should be dropping those packets.

    source
    • drwho@beehaw.org ⁨8⁩ ⁨months⁩ ago

      I’m inclined to agree. This looks like a misunderstanding of RFC 5735.

      source
      • dan@upvote.au ⁨8⁩ ⁨months⁩ ago

        which was based on RFC 1122, which states:

                    We now summarize the important special cases for Class A, B,
                    and C IP addresses, using the following notation for an IP
                    address:
        
                        { <Network-number>, <Host-number> }
        
                    or
                        { <Network-number>, <Subnet-number>, <Host-number> }
        
                    and the notation "-1" for a field that contains all 1 bits.
                    This notation is not intended to imply that the 1-bits in an
                    address mask need be contiguous.
        ...
                    (a)  { 0, 0 }
        
                         This host on this network.  MUST NOT be sent, except as
                         a source address as part of an initialization procedure
                         by which the host learns its own IP address.
        
                         See also Section 3.3.6 for a non-standard use of {0,0}.
        

        (section 3.3.6 just talks about broadcasts)

        source
    • AndrasKrigare@beehaw.org ⁨8⁩ ⁨months⁩ ago

      Yeah, I just did a quick test in Python to do a TCP connection to “0.0.0.0” and it made a loopback connection, instead of returning an error as I would have expected.

      source
    • TehPers@beehaw.org ⁨8⁩ ⁨months⁩ ago

      While I agree, it makes connecting to localhost as easy as http://0:8080/ (for port 8080, but omit for port 80)

      source
      • dan@upvote.au ⁨8⁩ ⁨months⁩ ago

        it makes connecting to localhost as easy as http://0:8080/ (for port 8080, but omit for port 80).

        The thing is that it’s not supposed to work, so it’s essentially relying on undefined behaviour. Typing [::1]:8080 is nearly as easy.

        skimming through these PRs, at least for WebKit, I don’t see tests for shorthand IPs like 0 (and no Apple device to test with). What are the chances they missed those…?

        I haven’t seen the PRs, but IP comparison should really be using the binary form of the IPv4 address (a 32-bit number), not the human-friendly form.

        source
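
The point in the comment above about comparing addresses in their 32-bit form rather than as text, sketched as an added example (not part of the thread and not code from any browser's fix). The function names, the loose inet_aton-style parser and the two blocked ranges are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy for illustration: refuse "this network" and loopback targets.
BLOCKED = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8")]

def _part(p):
    """Parse one dotted component as hex (0x..), octal (0..) or decimal."""
    if p[:2].lower() == "0x":
        digits, base = p[2:], 16
    elif len(p) > 1 and p[0] == "0":
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    valid = "0123456789abcdef"[:base]
    if not digits or any(c not in valid for c in digits.lower()):
        raise ValueError(p)
    return int(digits, base)

def parse_ipv4_loose(host):
    """inet_aton-style text ("0", "127.1", "0x7f.0.0.1") -> 32-bit int, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return value

def naive_is_blocked(host):
    """Text comparison: only catches the exact spellings it lists."""
    return host in ("0.0.0.0", "127.0.0.1")

def is_blocked(host):
    """Compare the numeric form, so every spelling of an address matches."""
    value = parse_ipv4_loose(host)
    if value is None:
        return False  # not an IPv4 literal; a hostname must be resolved first
    addr = ipaddress.IPv4Address(value)
    return any(addr in net for net in BLOCKED)

if __name__ == "__main__":
    for h in ("0", "0.0.0.0", "127.1", "0x7f.0.0.1", "192.168.1.10"):
        print(f"{h:14} naive={naive_is_blocked(h)} numeric={is_blocked(h)}")
```
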
  • tyler@programming.dev ⁨8⁩ ⁨months⁩ ago

    The article literally doesn’t explain the vulnerability at all.

    source
    • floofloof@lemmy.ca ⁨8⁩ ⁨months⁩ ago

      It keeps promising to, then goes off into more ChatGPT-style rambling. It’s a bad article.

      source
      • Kissaki@beehaw.org ⁨8⁩ ⁨months⁩ ago

        notably

        Windows is not impacted by this issue.

        source
    • biscuitswalrus@aussie.zone ⁨8⁩ ⁨months⁩ ago

      I ended up reading it on bleeping computer since the linked site looks like an auto tldr bot saved 50% of the words. The important 50% was discarded.

      bleepingcomputer.com/…/18-year-old-security-flaw-…

      source
    • drwho@beehaw.org ⁨8⁩ ⁨months⁩ ago

      Everybody who could explain it well is at Hacker Summer Camp right now.

      source
      • unconfirmedsourcesDOTgov@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago

        I didn’t realize DEFCON was this weekend already, but this is a solid point 😂

        source
  • Boomkop3@reddthat.com ⁨8⁩ ⁨months⁩ ago

    Welp, I guess sandboxing a browser that has a sandbox might still be a good idea

    source
  • sirico@feddit.uk ⁨8⁩ ⁨months⁩ ago

    hunter2 Wow it works!

    source
  • ssm@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago

    Another big win for links2gang !links2@lemmy.sdf.org

    source