Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
0.0.0.0 Day Vulnerability
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 8:24 am    Post subject: 0.0.0.0 Day Vulnerability Reply with quote

Oligo's article

Thoughts?
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 8:51 am    Post subject: Reply with quote

It's a very very long article for what looks like a nothing-burger, so here's a question to someone who already read it all and understood:
Can it be used to leak information from local network to the outside world, or can it only show local information to a user who already has access to them?
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 8:57 am    Post subject: Reply with quote

szatox wrote:
to someone who already read it all and understood:
Can it be used to leak information from local network to the outside world...?

As far as I understood, yes, and the main prerequisites are the ports listening to HTTP requests on one's 0.0.0.0 address.
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
BurningMemory
n00b
n00b


Joined: 17 Jan 2023
Posts: 54

PostPosted: Sat Aug 10, 2024 9:33 am    Post subject: Reply with quote

well, it is nothing new. for now it's just best to follow general advice such as:
- don't visit unknown websites, unless you really know what you're doing.
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 9:43 am    Post subject: Reply with quote

BurningMemory wrote:
well, it is nothing new

That new (actual) is:

Quote:
we needed the service to have an HTTP route that could write, tweak, or modify files and configurations. Again, we were spoiled for choice: real-world applications have many endpoints, and local services do make those security compromises, which is great news—for attackers.

_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 9:44 am    Post subject: Reply with quote

I see. Man, this thing is painful to read, talking about everything except THE thing for 3/4 of the whole article. Like, just get to the point already....

Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.
It is not browser-specific, here's a captured call made with nc

Quote:
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:31:49.464980 IP (tos 0x0, ttl 64, id 65282, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.58338 > 127.0.0.1.80: Flags [S], cksum 0xfe30 (incorrect -> 0xce44), seq 3407055682, win 33280, options [mss 65495,sackOK,TS val 2428056658 ecr 0,nop,wscale 7], length 0


And I actually agree it's neither a bug nor a feature of the browser. More like an undesired consequence of otherwise useful thing; something that needs to be understood to be used properly.
Just like a knife. With a good one, you can easily make yourself a sandwich, or cut your finger off. With a bad one, both of those are feats of strength.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 9:51 am    Post subject: Reply with quote

szatox wrote:
Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.

It is not invalid. Try
Code:
ss -ltu | grep 0.0.0.0


szatox wrote:
I actually agree it's neither a bug nor a feature of the browser

Yeah...

BurningMemory wrote:
general advice such as:
- don't visit unknown websites, unless you really know what you're doing

From that point of view ^^ (not a bug of browser), I would say:
- don't launch unknown applications on localhost...
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
Goverp
Advocate
Advocate


Joined: 07 Mar 2007
Posts: 2175

PostPosted: Sat Aug 10, 2024 10:30 am    Post subject: Reply with quote

I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different to a normal address.
_________________
Greybeard
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 10:39 am    Post subject: Reply with quote

Goverp wrote:
I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different to a normal address.

A good question!

I found this explanation:
Quote:
In TCP/IP networking, 0.0.0.0 as an IP address means "any" or "anywhere"


It could be tested adding
Code:
iptables -A INPUT -d 0.0.0.0 -j DROP

before
Code:
iptables -A INPUT -i lo -j ACCEPT


I am not ready to make this test on my running machine right now 8)
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 10:49 am    Post subject: Reply with quote

halcon wrote:
szatox wrote:
Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.

It is not invalid. Try
Code:
ss -ltu | grep 0.0.0.0

Bad example.
0.0.0.0 basically means the IP is not bound in advance, so the interface's IP should be used instead.
When receiving, it should match destination IP with the interface it arrived on (unless you have I routing enabled in kernel), when sending it should use outgoing interface's IP as the source.

Since in the routing table 0.0.0.0 refers to "default", it would kinda make sense to use the default interface's IP as the source, but then should be dropped on its way back, because the destination doesn't match.
0.0.0.0 is often suggested as a blackhole address. It makes sense for it to be a blackhole address. It does not make sense for it to be transparently updated to 127.0.0.1.


Quote:
iptables -A INPUT -d 0.0.0.0 -j DROP
Did you test it?
This idea doesn't match what my tcpdump showed
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 10:56 am    Post subject: Reply with quote

szatox wrote:
Bad example.
0.0.0.0 basically means the IP is not bound in advance, so the interface's IP should be used instead.

Okay, thanks for the correction. So, here is, roughly, the same logic as for firewalls discussed above.

szatox wrote:
Did you test it?

No, as I said:

halcon wrote:
I am not ready to make this test on my running machine right now

_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5084
Location: Bavaria

PostPosted: Sat Aug 10, 2024 12:10 pm    Post subject: Reply with quote

halcon wrote:
Goverp wrote:
I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different to a normal address.

A good question!

I found this explanation:
Quote:
In TCP/IP networking, 0.0.0.0 as an IP address means "any" or "anywhere"


It could be tested adding
Code:
iptables -A INPUT -d 0.0.0.0 -j DROP

before
Code:
iptables -A INPUT -i lo -j ACCEPT


I am not ready to make this test on my running machine right now 8)

This does not work. Please see before the picture of iptables-flowchart: https://forums.gentoo.org/viewtopic-p-8835348.html#8835348
(and my explanation why an "outgoing packet" can also become an "incoming packet")

To protect you against this kind of errror:

0. Surf without javascript == best and safest method ! ... or if you must use it:

1. You MUST also filter outgoing traffic with iptables/nftables ... allowing only safe connections.
2. Do not use a browser on a machine that provides services (=server)
3. If you have services running on your machine THEN protect them with SELinux or AppArmor (I do AA) ... for example:
Code:
$ ss -nltuw | grep 0.0.0.0
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*   
tcp   LISTEN 0      0          127.0.0.1:8118      0.0.0.0:*   
tcp   LISTEN 0      0          127.0.0.1:53        0.0.0.0:*

I am running a local dns-resolver (unbound) listening on port 53 and a web proxy (privoxy) listening on port 8118 ... both are protected with AA (and of course I filter every packet).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 12:28 pm    Post subject: Reply with quote

pietinger,

Thanks for your reply. Many things to think of :roll:

During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 5:25 pm    Post subject: Reply with quote

Quote:
During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?
Yes, and that's exactly the thing I pointed out as the oddity I can't understand. Blocking 0.0.0.0 on firewall won't work because those packets are never sent with 0.0.0.0 address anywhere.

Quote:
To protect you against this kind of errror:
Actually, I think a viable solution to a lot of those problems has always been baked in linux kernel, we're just not using it properly.
Multiple user accounts.

Nowadays there are namespaces too, but they would probably isolate too much and could easily become a usability issue instead of security boost.
Stuff like web browser could run on a different user though and be prohibited from accessing local services and users' files and so on.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5084
Location: Bavaria

PostPosted: Sat Aug 10, 2024 6:12 pm    Post subject: Reply with quote

szatox wrote:
[...] Multiple user accounts.

Nowadays there are namespaces too, [...]

Yes. But I am a fan of physical separation. Never run a webbrowser on a server machine (I am even an advocate of the idea that not even a DE or WM should be installed on a server).

Dont run any services on a desktop machine (except harmless).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22612

PostPosted: Sat Aug 10, 2024 6:24 pm    Post subject: Reply with quote

I don't think using separate Linux user IDs helps here, since the problem is that the browser permits JavaScript to make a network connection to a destination that ought to be denied. Once connected, you are dependent on whether the peer is sufficiently strict in its formatting requirements and authentication checks that it rejects the payload picked by JavaScript. As alleged in the original piece, some peers use "running on localhost" as a sufficient authentication condition, and will readily obey anything that is able to connect to them, with no further validation.

A network namespace should help though, since each namespace gets its own network stack, and a service listening to localhost on the main namespace is not visible in a different namespace:
Code:
# in main, shell 1
$ socat - tcp4-l:6892,reuseaddr
# in main, shell 2
echo main | socat - tcp4:0:6892
# in main, shell 1, socat prints "main", and exits
Code:
# in main, shell 1
$ socat - tcp4-l:6892,reuseaddr
# in main, shell 2
$ unshare --net -- /bin/sh -c 'echo alt | socat - tcp4:0:6892'
socat[30176] E connect(5, AF=2 0.0.0.0:6892, 16): Network is unreachable
# in main, shell 1, socat is still sitting, and has seen nothing
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 8:30 pm    Post subject: Reply with quote

Quote:
I don't think using separate Linux user IDs helps here, since the problem is that the browser permits JavaScript to make a network connection to a destination that ought to be denied
Iptables can match packets on the process which created them (and also marking connections, to catch responses too), so running certain applications as different users would actually allow blocking crosstalk.
I've been using this trick for limiting portage's download speed, so it wouldn't hog all my bandwidth.

Quote:
But I am a fan of physical separation. Never run a webbrowser on a server machine
Sure, physical separation is good, but unfortunately not always feasible.
Browsers are not the only programs which could run in somewhat restricted environments, and servers are not the only machines with stuff we'd like to keep safe. And virtual machines for everything add overhead and fatigue from juggling them.
This stuff is a bit like backup: if it's not automatic, it probably won't run.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 10:22 pm    Post subject: Reply with quote

"I am a fan" of a minimalistic system and my kernel does not include namespaces :)

Separate Linux user IDs - I did not try that approach, exactly IDs, but I did try different groups and corresponding iptables rules for them (e.g., so I restrict wine programs from accessing internet). Could it be used here too?
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sat Aug 10, 2024 10:38 pm    Post subject: Reply with quote

szatox wrote:
Quote:
During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?
Yes, and that's exactly the thing I pointed out as the oddity I can't understand.

My wild guess, it could be done at the stage when 0.0.0.0 is being translated to the proper interface's IP?
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3413

PostPosted: Sat Aug 10, 2024 11:09 pm    Post subject: Reply with quote

Quote:
My wild guess, it could be done at the stage when 0.0.0.0 is being translated to the proper interface's IP?
Why not try to send out out to the internet via eth0 (the one with default gateway) instead of lo? 0.0.0.0 is outside of allowed range 127.0.0.0/8. Also, eth0 should not loop it back, since destination address 0.0.0.0 doesn't match any configured IP.
That's the thing, I can't see any place where it this change would be in line with other behaviors of network stack I know. Right now my best guess is that it is special-cased somewhere, yet I don't understand why would anyone actually want that.

BTW, back in the days before iproute2, when ifconfig was THE tool for configuring network interfaces, setting interface IP to 0.0.0.0 would remove IP from the interface.
Which makes sense, when 0.0.0.0 means "nobody" and 255.255.255.255 "anybody"
Notably, DHCP follows this convention too, with lease request using 0.0.0.0 as the source IP and 255.255.255.255 as destination. This doesn't get confined to loopback and localhost.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
halcon
l33t
l33t


Joined: 15 Dec 2019
Posts: 649

PostPosted: Sun Aug 11, 2024 8:40 am    Post subject: Reply with quote

Code:
grep -r '0\.0\.0\.0' /usr/src/linux 2>/dev/null

The output

Other than documentation and tests, there are 40 matches only :D

Without comments, even less!

EDIT
I suspect the file /usr/src/linux/net/ipv4/inet_connection_sock.c, 2 calls of the static bool ipv4_rcv_saddr_equal

EDIT2
These 2 lines are setting match_sk1_wildcard as true, one of them - also match_sk2_wildcard:

Code:
return ipv4_rcv_saddr_equal(tb->fast_rcv_saddr, sk->sk_rcv_saddr,
                ipv6_only_sock(sk), true, false);

Code:
if (inet_rcv_saddr_equal(sk, sk2, true))

_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum