Attackers could use a bug which abuses the IP address 0.0.0.0 to remotely execute code on various web browsers such as Chrome, Safari, Firefox, and others, putting users at risk of data theft, malware, and other malicious activities.

Researchers at open source security company Oligo Security have discovered a way to bypass browser security and communicate with services running on an organization’s local network from outside the network, calling them “0.0.0.0 Day” because of the web address they use.

The vulnerability exists due to “the inconsistent implementation of security mechanisms across browsers, along with a lack of standardization in the browser industry,” according to Avi Lumesky, an Oligo AI security researcher, revealed in a blog post published this week.

Attackers can exploit the flaw to abuse browser localhost application programming interfaces (APIs) to perform various malicious activities.

“This can turn the seemingly innocent IP address 0.0.0.0 into a powerful tool for attackers to abuse local services, including services used for development, operating systems, and even internal networks,” Lumesky wrote.

Breaking the Deficiency

The problem is that browsers for services are designed in such a way that they can send a request to almost any HTTP server via JavaScript. The main job of a browser is to focus on providing the right answer, either by providing a valid response to a request or an error.

While Browsers are generally expected to prevent Since bad or malicious requests could not be processed through their responses, there has been a lack of streamlined security in request processing across browsers since its introduction.

“For a long time, it was unclear how browsers should behave when making requests to local or internal networks from less sensitive contexts,” Lumesky explains in the post.

While most browsers rely on CORS, or Cross-Origin Resource Sharing, a standard that defines a way for client web applications loaded in one domain to communicate with resources in another domain, “their performance depends on the response content, so requests are still being made and requests can still be sent,” Lumesky said.

“This is simply not good enough,” he wrote. “History has shown that a single HTTP request can attack a home router — and if that’s all it takes, any user should be able to prevent that request altogether.”

PNA diversion

Chrome’s introduction of Private Network Access (PNA) — which goes beyond CORS — should in theory protect websites from the 0.0.0.0 day bug. PNA proposes to distinguish between public, private, and local networks, ensuring that “pages loaded in less secure contexts cannot communicate with more secure contexts,” Lumesky wrote.

However, Oligo researchers discovered that website requests sent to 0.0.0.0, which should be blocked under PNA, were actually received and processed by local servers. “This means that public websites can access every open port on your host without the ability to see the response,” Lumesky wrote.

To prove their point, the attackers investigated how ShadowRay, a recent campaign of attacks Researchers found that when targeting AI workloads, it could launch its attack from the browser using 0.0.0.0 as the attack vector.

ShadowRay allowed arbitrary code execution when a private server was inadvertently exposed to the Internet, and remained undiscovered for nearly a year. To prove their concept, Oligo researchers spun up a local Ray cluster on localhost, then spun up a socket listening for new connections to open a reverse shell.

“The victim then clicks on the link in the email, which executes the exploit,” Lumesky explained. “The exploit opens a reverse shell for the attacker on the visitor’s machine.”

The researchers proved the concept within Chromium, Safari, and Firefox to execute ShadowRay from within the browser in “one of what is undoubtedly a vast number of remote code execution attacks made possible by this approach,” Lumesky noted. They also proved the attack via public servers of Selenium Grid and PyTorch TorchServe via previously identified attack campaigns SeleniumGreed and ShellTorch.

Ultimately, the researchers demonstrated how, by using 0.0.0.0 in combination with the “no-cors” mode, attackers can “leverage public domains to attack services running on localhost and even execute arbitrary code, all using a single HTTP request,” Lumeksy explained.

How defenders can soften attacks

Oligo shared the findings with the relevant browser owners, including Google, Apple and Mozilla. They responded by making changes to their browsers to block 0.0.0.0 as a target IP, Oligo said.

While responsible companies work to streamline security standards across all browser offerings, there are other technical measures network administrators can use to thwart attacks via this vector, Lumesky said.

Examples include implementing PNA headers, verifying the HOST header of the network request to protect against DNS rebinding attacks on localhost or 127.0.0.1, and generally distrusting localhost networks simply because they are “local.” “Add a minimal layer of authorization even if you are running on localhost,” he advised.

Network administrators should use HTTPS over HTTP whenever possible and implement CSRF tokens in your applications, even if they are local.