halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 8:24 am, Post subject: 0.0.0.0 Day Vulnerability

Oligo's article
Thoughts?
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 8:51 am

It's a very, very long article for what looks like a nothing-burger, so here's a question to someone who already read it all and understood it:
Can it be used to leak information from the local network to the outside world, or can it only show local information to a user who already has access to it?
_________________
Make Computing Fun Again

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 8:57 am

szatox wrote:
> to someone who already read it all and understood:
> Can it be used to leak information from local network to the outside world...?

As far as I understood, yes, and the main prerequisite is having ports listening for HTTP requests on one's 0.0.0.0 address.

BurningMemory (n00b)
Joined: 17 Jan 2023, Posts: 54
Posted: Sat Aug 10, 2024 9:33 am

Well, it is nothing new. For now it's just best to follow general advice such as:
- don't visit unknown websites, unless you really know what you're doing.

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 9:43 am

BurningMemory wrote:
> well, it is nothing new

What is new (actually) is:

Quote:
> we needed the service to have an HTTP route that could write, tweak, or modify files and configurations. Again, we were spoiled for choice: real-world applications have many endpoints, and local services do make those security compromises, which is great news—for attackers.

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 9:44 am

I see. Man, this thing is painful to read, talking about everything except THE thing for 3/4 of the whole article. Like, just get to the point already....
Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.
It is not browser-specific; here's a captured call made with nc:

Quote:
    tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    11:31:49.464980 IP (tos 0x0, ttl 64, id 65282, offset 0, flags [DF], proto TCP (6), length 60)
        127.0.0.1.58338 > 127.0.0.1.80: Flags [S], cksum 0xfe30 (incorrect -> 0xce44), seq 3407055682, win 33280, options [mss 65495,sackOK,TS val 2428056658 ecr 0,nop,wscale 7], length 0

And I actually agree it's neither a bug nor a feature of the browser. More like an undesired consequence of an otherwise useful thing; something that needs to be understood to be used properly.
Just like a knife. With a good one, you can easily make yourself a sandwich, or cut your finger off. With a bad one, both of those are feats of strength.

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 9:51 am

szatox wrote:
> Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.

It is not invalid. Try
Code:
    ss -ltu | grep 0.0.0.0

szatox wrote:
> I actually agree it's neither a bug nor a feature of the browser

Yeah...

BurningMemory wrote:
> general advice such as:
> - don't visit unknown websites, unless you really know what you're doing

From that point of view ^^ (not a bug of the browser), I would say:
- don't launch unknown applications on localhost...

Goverp (Advocate)
Joined: 07 Mar 2007, Posts: 2191
Posted: Sat Aug 10, 2024 10:30 am

I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different from a normal address.
_________________
Greybeard

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 10:39 am

Goverp wrote:
> I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different to a normal address.

A good question!
I found this explanation:
It could be tested by adding
Code:
    iptables -A INPUT -d 0.0.0.0 -j DROP
before
Code:
    iptables -A INPUT -i lo -j ACCEPT
I am not ready to make this test on my running machine right now.

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 10:49 am

halcon wrote:
> szatox wrote:
> > Ok, so the one thing that doesn't make sense to me is why 0.0.0.0 is being changed to 127.0.0.1 instead of just failing as invalid.
>
> It is not invalid. Try
> Code:
>     ss -ltu | grep 0.0.0.0

Bad example.
0.0.0.0 basically means the IP is not bound in advance, so the interface's IP should be used instead.
When receiving, it should match the destination IP with the interface it arrived on (unless you have IP routing enabled in the kernel); when sending, it should use the outgoing interface's IP as the source.
Since in the routing table 0.0.0.0 refers to "default", it would kinda make sense to use the default interface's IP as the source, but then it should be dropped on its way back, because the destination doesn't match.
0.0.0.0 is often suggested as a blackhole address. It makes sense for it to be a blackhole address. It does not make sense for it to be transparently updated to 127.0.0.1.

Quote:
> iptables -A INPUT -d 0.0.0.0 -j DROP

Did you test it?
This idea doesn't match what my tcpdump showed.

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 10:56 am

szatox wrote:
> Bad example.
> 0.0.0.0 basically means the IP is not bound in advance, so the interface's IP should be used instead.

Okay, thanks for the correction. So, here is, roughly, the same logic as for the firewalls discussed above.

szatox wrote:
> Did you test it?

No, as I said:

halcon wrote:
> I am not ready to make this test on my running machine right now

pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 5277, Location: Bavaria
Posted: Sat Aug 10, 2024 12:10 pm

halcon wrote:
> Goverp wrote:
> > I wonder if this can be blocked by a firewall? Trouble is, and IIUC this is the crux of the issue, 0.0.0.0 to a firewall tends to mean something different to a normal address.
>
> A good question!
> I found this explanation:
> It could be tested adding
> Code:
>     iptables -A INPUT -d 0.0.0.0 -j DROP
> before
> Code:
>     iptables -A INPUT -i lo -j ACCEPT
> I am not ready to make this test on my running machine right now

This does not work. Please see the picture of the iptables flowchart I posted before: https://forums.gentoo.org/viewtopic-p-8835348.html#8835348
(and my explanation of why an "outgoing packet" can also become an "incoming packet")
To protect yourself against this kind of error:
0. Surf without JavaScript == best and safest method! ... or, if you must use it:
1. You MUST also filter outgoing traffic with iptables/nftables ... allowing only safe connections.
2. Do not use a browser on a machine that provides services (= server).
3. If you have services running on your machine THEN protect them with SELinux or AppArmor (I do AA) ... for example:
Code:
    $ ss -nltuw | grep 0.0.0.0
    udp   UNCONN 0 0 127.0.0.1:53   0.0.0.0:*
    tcp   LISTEN 0 0 127.0.0.1:8118 0.0.0.0:*
    tcp   LISTEN 0 0 127.0.0.1:53   0.0.0.0:*
I am running a local DNS resolver (unbound) listening on port 53 and a web proxy (privoxy) listening on port 8118 ... both are protected with AA (and of course I filter every packet).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
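A small audit of `ss -nltuw` output that reads the Local Address column instead of grepping whole lines. Grepping for `0.0.0.0` (halcon's one-liner, which szatox called a bad example) matches the Peer column `0.0.0.0:*` of every IPv4 socket, so it lists pietinger's loopback-only resolver and proxy while missing an IPv6 wildcard listener. This is an added example, not code from the thread or from Oligo; the `ss` output it parses is constructed.

```python
"""Audit `ss -nltuw` output for services that listen on every interface.

Added example, not code from the forum thread or from Oligo's article.
The sample output below is constructed in the layout `ss -nltuw` prints.
"""
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0      0          127.0.0.1:8118      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:5000         [::]:*
tcp   LISTEN 0      128            [::1]:6379         [::]:*
"""

# Bind addresses that accept connections on every interface.
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]"}
# Bind addresses reachable only from this host (IPv4 loopback is the whole 127/8).
LOOPBACK_HOSTS = {"[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int

    def is_wildcard(self) -> bool:
        return self.host in WILDCARD_HOSTS

    def is_loopback(self) -> bool:
        return self.host in LOOPBACK_HOSTS or self.host.startswith("127.")


def split_host_port(addr: str):
    """'127.0.0.1:53' -> ('127.0.0.1', 53); '[::]:5000' -> ('[::]', 5000)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_ss(text: str):
    """One Listener per tcp/udp line, taken from the Local Address:Port column only."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank line, or a Netid (raw, unix) this audit ignores
        host, port = split_host_port(fields[4])
        listeners.append(Listener(fields[0], host, port))
    return listeners


def exposed_listeners(text: str):
    """Sockets another host could reach: wildcard binds and non-loopback addresses."""
    return [lst for lst in parse_ss(text) if lst.is_wildcard() or not lst.is_loopback()]


def naive_grep_hits(text: str):
    """Lines `ss -ltu | grep 0.0.0.0` prints: every IPv4 socket, because of the Peer column."""
    return [line for line in text.splitlines() if "0.0.0.0" in line]


if __name__ == "__main__":
    for lst in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{lst.proto} {lst.host}:{lst.port} listens on every interface")
```

On the constructed sample the grep reports three lines (two of them loopback-only) and says nothing about `[::]:5000`, while the column-aware check reports exactly the two wildcard listeners. Run it against real output with `ss -nltuw | python3 audit.py`-style piping by replacing `SAMPLE_SS_OUTPUT` with `sys.stdin.read()`.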
halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 12:28 pm

pietinger,
Thanks for your reply. Many things to think of.
During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 5:25 pm

Quote:
> During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?

Yes, and that's exactly the thing I pointed out as the oddity I can't understand. Blocking 0.0.0.0 on the firewall won't work because those packets are never sent with the 0.0.0.0 address anywhere.

Quote:
> To protect you against this kind of error:

Actually, I think a viable solution to a lot of those problems has always been baked into the Linux kernel; we're just not using it properly.
Multiple user accounts.
Nowadays there are namespaces too, but they would probably isolate too much and could easily become a usability issue instead of a security boost.
Stuff like a web browser could run as a different user though, and be prohibited from accessing local services and users' files and so on.
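A way to see for oneself what szatox's tcpdump capture shows: a listener bound to 127.0.0.1 only is reached by connecting to 0.0.0.0, and neither end of the connection ever carries 0.0.0.0, which is why an iptables rule matching `-d 0.0.0.0` has nothing to match. This is an added example, not code from the thread; it assumes a Linux network stack, where connect() to 0.0.0.0 is routed over loopback, and other stacks may behave differently.

```python
"""Show what a connection to 0.0.0.0 actually carries on the wire.

Added example, not code from the thread. Assumes a Linux network stack, where
connect() to 0.0.0.0 is routed over loopback; other stacks may differ.
"""
import socket
import threading


def addresses_seen_via_zero(port: int = 0) -> dict:
    """Listen on 127.0.0.1 only, connect to 0.0.0.0, report what each side observes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))      # loopback-only, like the proxy on 8118 above
    srv.listen(1)
    port = srv.getsockname()[1]        # port 0 lets the kernel pick a free one
    srv.settimeout(5)
    seen = {}

    def accept_one():
        try:
            conn, peer = srv.accept()
        except OSError as exc:         # nobody connected within the timeout
            seen["server_error"] = str(exc)
            return
        seen["server_peer"] = peer[0]  # source address as the service sees it
        conn.close()

    worker = threading.Thread(target=accept_one)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(5)
    try:
        cli.connect(("0.0.0.0", port))              # the address the page asked for
        seen["client_local"] = cli.getsockname()[0]
        seen["client_peer"] = cli.getpeername()[0]  # what the kernel substituted
    except OSError as exc:
        seen["client_error"] = str(exc)
    finally:
        cli.close()
        worker.join()
        srv.close()
    return seen


if __name__ == "__main__":
    print(addresses_seen_via_zero())
```

On Linux every address in the returned dict is 127.0.0.1, the same pair the tcpdump capture earlier in the thread shows; 0.0.0.0 exists only as the argument to connect(), before routing.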
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 5277, Location: Bavaria
Posted: Sat Aug 10, 2024 6:12 pm

szatox wrote:
> [...] Multiple user accounts.
> Nowadays there are namespaces too, [...]

Yes. But I am a fan of physical separation. Never run a web browser on a server machine (I am even an advocate of the idea that not even a DE or WM should be installed on a server).
Don't run any services on a desktop machine (except harmless ones).

Hu (Administrator)
Joined: 06 Mar 2007, Posts: 22925
Posted: Sat Aug 10, 2024 6:24 pm

I don't think using separate Linux user IDs helps here, since the problem is that the browser permits JavaScript to make a network connection to a destination that ought to be denied. Once connected, you are dependent on whether the peer is sufficiently strict in its formatting requirements and authentication checks that it rejects the payload picked by JavaScript. As alleged in the original piece, some peers use "running on localhost" as a sufficient authentication condition, and will readily obey anything that is able to connect to them, with no further validation.
A network namespace should help though, since each namespace gets its own network stack, and a service listening to localhost on the main namespace is not visible in a different namespace:
Code:
    # in main, shell 1
    $ socat - tcp4-l:6892,reuseaddr
    # in main, shell 2
    $ echo main | socat - tcp4:0:6892
    # in main, shell 1, socat prints "main", and exits
Code:
    # in main, shell 1
    $ socat - tcp4-l:6892,reuseaddr
    # in main, shell 2
    $ unshare --net -- /bin/sh -c 'echo alt | socat - tcp4:0:6892'
    socat[30176] E connect(5, AF=2 0.0.0.0:6892, 16): Network is unreachable
    # in main, shell 1, socat is still sitting, and has seen nothing
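The peer-side strictness Hu's post describes, as an added example: a loopback service that does not treat "the connection came from 127.0.0.1" as authentication. It rejects requests whose Host header is not a loopback name for its own port (a request that reached it through 0.0.0.0 carries `Host: 0.0.0.0:<port>`), requests carrying a foreign Origin, and requests without a start-up token that only local clients are given. This is not code from the thread or from Oligo; the port 8118, the `X-Local-Token` header and the sample requests in the usage are hypothetical.

```python
"""Request-level checks for a service that listens on loopback.

Added example, not code from the thread or from Oligo's article. The port,
the X-Local-Token header and any sample requests are hypothetical.
"""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVICE_PORT = 8118  # hypothetical; same number as the proxy in the thread, unrelated code
ALLOWED_HOSTS = {f"{h}:{SERVICE_PORT}" for h in ("localhost", "127.0.0.1", "[::1]")}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}
# Generated fresh at start-up and handed to legitimate local clients out of band
# (config file, environment); a page loaded from some website never learns it.
API_TOKEN = secrets.token_hex(16)


def classify_request(headers, peer_ip: str, token: str = API_TOKEN):
    """Return (allowed, reason). `headers` is any mapping keyed by header name."""
    h = {k.lower(): v for k, v in headers.items()}
    if peer_ip not in ("127.0.0.1", "::1"):
        return False, "peer is not loopback"
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        # 0.0.0.0:8118, a public hostname, or a missing header all land here
        return False, f"unexpected Host: {host!r}"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        # browsers attach Origin to cross-site fetches; a web page is never a trusted client
        return False, f"cross-origin request from {origin!r}"
    presented = h.get("x-local-token", "")
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return False, "missing or wrong local token"
    return True, "ok"


class LocalHandler(BaseHTTPRequestHandler):
    """Runs classify_request before doing anything that changes state."""

    def do_POST(self):
        allowed, reason = classify_request(self.headers, self.client_address[0])
        if not allowed:
            self.send_error(403, reason)
            return
        self.send_response(204)  # the real file/config change would go here
        self.end_headers()


if __name__ == "__main__":
    print(f"local token: {API_TOKEN}")
    HTTPServer(("127.0.0.1", SERVICE_PORT), LocalHandler).serve_forever()
```

The Host and Origin checks lean on browser behaviour, so the token is what actually authorises: a page cannot add a custom header like `X-Local-Token` without a CORS preflight, and this service never answers one with `Access-Control-Allow-*` headers. A request such as `{"Host": "0.0.0.0:8118"}` from 127.0.0.1 is refused at the Host check; `{"Host": "localhost:8118", "Origin": "http://attacker.example", ...}` at the Origin check; only a local client presenting the token gets `(True, "ok")`.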
szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 8:30 pm

Quote:
> I don't think using separate Linux user IDs helps here, since the problem is that the browser permits JavaScript to make a network connection to a destination that ought to be denied

Iptables can match packets on the process which created them (and also mark connections, to catch responses too), so running certain applications as different users would actually allow blocking crosstalk.
I've been using this trick for limiting portage's download speed, so it wouldn't hog all my bandwidth.

Quote:
> But I am a fan of physical separation. Never run a webbrowser on a server machine

Sure, physical separation is good, but unfortunately not always feasible.
Browsers are not the only programs which could run in somewhat restricted environments, and servers are not the only machines with stuff we'd like to keep safe. And virtual machines for everything add overhead and fatigue from juggling them.
This stuff is a bit like backup: if it's not automatic, it probably won't run.

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 10:22 pm

"I am a fan" of a minimalistic system, and my kernel does not include namespaces.
Separate Linux user IDs: I did not try that approach, exactly IDs, but I did try different groups and corresponding iptables rules for them (e.g., so I restrict wine programs from accessing the internet). Could it be used here too?

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sat Aug 10, 2024 10:38 pm

szatox wrote:
> Quote:
> > During the 0.0.0.0 Day attack, are there packets "from localhost to localhost" generated?
>
> Yes, and that's exactly the thing I pointed out as the oddity I can't understand.

My wild guess: it could be done at the stage when 0.0.0.0 is being translated to the proper interface's IP?

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3477
Posted: Sat Aug 10, 2024 11:09 pm

Quote:
> My wild guess, it could be done at the stage when 0.0.0.0 is being translated to the proper interface's IP?

Why not try to send it out to the internet via eth0 (the one with the default gateway) instead of lo? 0.0.0.0 is outside of the allowed range 127.0.0.0/8. Also, eth0 should not loop it back, since the destination address 0.0.0.0 doesn't match any configured IP.
That's the thing, I can't see any place where this change would be in line with the other behaviors of the network stack I know. Right now my best guess is that it is special-cased somewhere, yet I don't understand why anyone would actually want that.
BTW, back in the days before iproute2, when ifconfig was THE tool for configuring network interfaces, setting the interface IP to 0.0.0.0 would remove the IP from the interface.
Which makes sense, when 0.0.0.0 means "nobody" and 255.255.255.255 "anybody".
Notably, DHCP follows this convention too, with the lease request using 0.0.0.0 as the source IP and 255.255.255.255 as the destination. This doesn't get confined to loopback and localhost.

halcon (l33t)
Joined: 15 Dec 2019, Posts: 649
Posted: Sun Aug 11, 2024 8:40 am

Code:
    grep -r '0\.0\.0\.0' /usr/src/linux 2>/dev/null
The output
Other than documentation and tests, there are only 40 matches.
Without comments, even fewer!
EDIT
I suspect the file /usr/src/linux/net/ipv4/inet_connection_sock.c, 2 calls of the static bool ipv4_rcv_saddr_equal.
EDIT2
These 2 lines are setting match_sk1_wildcard to true, one of them also match_sk2_wildcard:
Code:
    return ipv4_rcv_saddr_equal(tb->fast_rcv_saddr, sk->sk_rcv_saddr,
                                ipv6_only_sock(sk), true, false);
Code:
    if (inet_rcv_saddr_equal(sk, sk2, true))