https://github.com/purplelemons-dev/0000exploit
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/purplelemons-dev/0000exploit
- Owner: purplelemons-dev
- License: gpl-3.0
- Created: 2024-08-11T00:18:42.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-08-11T00:23:28.000Z (almost 2 years ago)
- Last Synced: 2026-02-14T05:06:46.696Z (4 months ago)
- Language: HTML
- Size: 16.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# “0.0.0.0-Day” Vulnerability Affects Chrome, Safari and Firefox
**Date Published**: August 9, 2024
https://www.helpnetsecurity.com/2024/08/09/0-0-0-0-day-vulnerability-affects-chrome-safari-and-firefox/
## Excerpt
A “0.0.0.0-Day” vulnerability affecting Chrome, Safari and Firefox can be – and has been – exploited by attackers to gain access to services on internal networks, Oligo Security researchers have revealed.

The vulnerability stems from how those popular browsers handle network requests from external, public websites, and may allow attackers to change settings, gain access to protected information, upload malicious models, or even achieve remote code execution. Attacks abusing it can succeed on vulnerable browsers on macOS and Linux, but not on Windows, since Windows blocks the 0.0.0.0 IPv4 address.

0.0.0.0-Day allows a malicious website to send (via JavaScript) a request to the 0.0.0.0 IPv4 address and a specific port, and a vulnerable browser will forward that request to a service running on that port on the host (on the local network). “As a result, the seemingly innocuous IP address, 0.0.0.0, can become a powerful tool for attackers to exploit local services, including those used for development, operating systems, and even internal networks,” the researchers noted. Their search for vulnerable local applications revealed several.

Browsers’ CORS (Cross Origin Resource Sharing) protections protect against cross-site request forgery (CSRF) attacks, “but its performance depends on the response content, so requests are still made and can still be sent,” the researchers noted. “Opaque requests can be dispatched in mode ‘no-cors’ and reach the server successfully—if we don’t care about the responses.”

The Private Network Access (PNA) specification makes a distinction between public, private, and local networks, and prevents pages loaded under a less-secure context (public network) from communicating with more-secure contexts (private network, local device), but it does not work when the request is sent to the 0.0.0.0 address.
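
The request flow described above, seen from the local service's side, as an added example that is not part of the original README or of the Oligo research: a guard a local HTTP service could run before any handler, so that a request addressed to 0.0.0.0 or sent from a foreign origin is refused even though the browser delivered it. The port (8080), all names and the sample requests are constructed assumptions.

```javascript
// Added example: guard a local HTTP service runs before any handler.
// Port 8080, all names and the sample requests below are constructed.
const ALLOWED_HOSTS = new Set(["localhost:8080", "127.0.0.1:8080"]);
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);

// Returns { allow, reason }. It must run before the handler has any side
// effect: a 'no-cors' request is delivered even though the page cannot read
// the response, so refusing to answer afterwards is too late.
function guardLocalRequest(req) {
  const h = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    h[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  // A request addressed to http://0.0.0.0:8080/ carries "Host: 0.0.0.0:8080",
  // which is not a name this service is ever legitimately reached by.
  if (!ALLOWED_HOSTS.has(h["host"] || "")) {
    return { allow: false, reason: "host-not-allowed" };
  }
  // Browsers attach Origin to cross-origin POSTs, including 'no-cors' ones.
  // Non-browser clients (curl, CLIs) normally send none.
  if (h["origin"] !== undefined && !ALLOWED_ORIGINS.has(h["origin"])) {
    return { allow: false, reason: "origin-not-allowed" };
  }
  return { allow: true, reason: "ok" };
}

const SAMPLES = [
  { note: "public page, POST to 0.0.0.0", req: { method: "POST",
    headers: { Host: "0.0.0.0:8080", Origin: "https://public.example" } } },
  { note: "public page, GET to 0.0.0.0 without Origin", req: { method: "GET",
    headers: { Host: "0.0.0.0:8080" } } },
  { note: "public page, POST to loopback", req: { method: "POST",
    headers: { Host: "127.0.0.1:8080", Origin: "https://public.example" } } },
  { note: "sandboxed frame", req: { method: "POST",
    headers: { Host: "localhost:8080", Origin: "null" } } },
  { note: "service's own UI", req: { method: "POST",
    headers: { Host: "localhost:8080", Origin: "http://localhost:8080" } } },
  { note: "local CLI client", req: { method: "GET",
    headers: { Host: "127.0.0.1:8080" } } },
];

function auditSamples() {
  return SAMPLES.map(({ note, req }) => ({ note, ...guardLocalRequest(req) }));
}

for (const r of auditSamples()) console.log(`${r.allow ? "ALLOW" : "DENY "} ${r.reason.padEnd(18)} ${r.note}`);
```

The Host check is what catches the 0.0.0.0 case; the Origin check covers a public page that addresses the loopback name directly.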