
Block outside access to localhost

Open Earthw0rmJ1m opened this issue 1 year ago • 5 comments

Platforms

all

Description

0.0.0.0 Day

This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.

Links: https://vulcan.io/blog/0-0-0-0-day https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

  • Tor Browser blocks outside access to localhost https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31065

  • uBlockOrigin includes Block Outsider Intrusion into LAN in filter list https://github.com/uBlockOrigin/uAssets/blob/master/filters/lan-block.txt https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/lan-block.txt

Brave adblock lists

(lan-block is not included)

Could the lan-block be included with the brave-shields list and enabled by default till Chrome patches it in Chromium 128?

Chrome is blocking access to 0.0.0.0 (Finch Rollout) starting with Chromium 128. Google will gradually roll out this change over the next few releases, completing it by Chrome 133, at which point the IP address will be blocked completely to all Chrome and Chromium users.

Earthw0rmJ1m avatar Aug 12 '24 05:08 Earthw0rmJ1m
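An added example, not part of the issue and not Brave's or uBlock Origin's code, of the destination check this request is about: deciding whether a page on a public host is requesting a localhost or LAN address, with 0.0.0.0 and alternative spellings of loopback included. The function names are hypothetical, and it assumes a WHATWG `URL` implementation (Node.js or a browser).

```javascript
// Added example; function names are hypothetical, not Brave or uBlock Origin code.
// Relies on the WHATWG URL parser (Node.js or a browser) to canonicalise hosts,
// so "http://0/" and "http://2130706433/" arrive here as 0.0.0.0 and 127.0.0.1.

// Parse a canonical dotted-quad string into four octets, or return null.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

function isLocalOrPrivateV4([a, b]) {
  return a === 0 ||                        // 0.0.0.0/8, includes 0.0.0.0 itself
    a === 127 ||                           // loopback
    a === 10 ||                            // RFC 1918
    (a === 172 && b >= 16 && b <= 31) ||   // RFC 1918
    (a === 192 && b === 168) ||            // RFC 1918
    (a === 169 && b === 254);              // link-local
}

function isLocalOrPrivateHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = ipv4Octets(h);
  if (v4) return isLocalOrPrivateV4(v4);
  if (!h.startsWith("[")) return false;    // ordinary DNS name
  const v6 = h.slice(1, -1);               // URL.hostname keeps the brackets
  if (v6 === "::1" || v6 === "::") return true;
  // IPv4-mapped addresses are serialised as hex, e.g. ::ffff:7f00:1
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isLocalOrPrivateV4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
  }
  // Unique local fc00::/7 and link-local fe80::/10
  return /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Block only when a page on a public host requests a local or private host.
function shouldBlock(initiatorUrl, requestUrl) {
  const target = new URL(requestUrl).hostname;
  const initiator = new URL(initiatorUrl).hostname;
  return isLocalOrPrivateHost(target) && !isLocalOrPrivateHost(initiator);
}
```

The check sees only the literal host in the URL, so a public DNS name that resolves to a private address passes it.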

Isn't this already disabled or related to this issue or no?

Services & Features We Disable Entirely

https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#services--features-we-disable-entirely

Hyperlink ping attribute is disabled

ghost avatar Aug 17 '24 02:08 ghost

cc @mkarolin to confirm it’s in 128

diracdeltas avatar Aug 19 '24 00:08 diracdeltas

@diracdeltas, I don't have access to the related upstream issue (https://crbug.com/1300021), but according to the feature status page (https://chromestatus.com/feature/5106143060033536) it's estimated to make it to dev trial only in cr129.

mkarolin avatar Aug 19 '24 00:08 mkarolin

@mkarolin @diracdeltas

Why not include the lan blocklist though from UBO and include it enabled by default?

ghost avatar Aug 20 '24 17:08 ghost

Brave disables Private Network Access, and also prevents requests to localhost: https://github.com/brave/adblock-lists/blob/master/brave-lists/brave-specific.txt. We had a separate feature for localhost request permissioning (enabled in Nightly) where an allowlisted website can issue a localhost request and the user would get a permission prompt, but the plan was to combine that with PNA at some point so we haven't rolled it out beyond Nightly.

Is there an actual attack demo page?

ShivanKaul avatar Aug 27 '24 17:08 ShivanKaul

> Is there an actual attack demo page?

jah jah

ghost avatar Dec 22 '24 00:12 ghost