
> Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux.

It seems they're saying if you have a service listening on localhost (private), Chrome is supposed to not resolve 0.0.0.0 (public) to localhost, yet it currently does so.

So it seems to me they're solving a security bug. But if I got this right, it's surprising how it got like that in the first place; it doesn't make sense in any scenario I can think of to resolve 0.0.0.0 to localhost. Why would a browser try to resolve 0.0.0.0 to anything in the first place?



RFC 3330 says you can use it as a source address for "this" host on "this" network, and that 0.0.0.0/8 can be used for other addresses on "this" network.

https://www.rfc-editor.org/rfc/rfc3330


Interesting. I'd use 192.168.0.0/16 or 10.0.0.0/8 for that, and haven't found a reason yet not to. Using "0.0.0.0" for anything signals something like "I'm not sure what I want to bind it to, just bind to everything available", at least to me.


It's not a valid machine address. It's a shortcut that, for example, if you are in the 10.0.0.0/8 network, you can use 0.0.0.1 to refer to 10.0.0.1.


How come this doesn't work on my Fedora Linux PC? If I try to ping 0.0.0.1 it just tries to ping 0.0.0.1 which doesn't respond as it doesn't exist.


Are you /8?


Nope, /24.


Well, this was a surprise to me too, but apparently Linux does this:

   $ ping 0.0.0.0
   PING 0.0.0.0 (127.0.0.1) 56(84) bytes of data.
   64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms
   64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.056 ms
   64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.105 ms
   ...

   $ nc 0.0.0.0 22
   SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
   ...


ping 0 works too. Kinda fun.


Fun fact, ping 0 works because 0 is the IP decimal notation of 0.0.0.0. One of my favorite age-old WAF bypasses, since it doesn't match the octet notation regexes that are often in place.
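
The script below is an added example (not code from this thread, from Chrome, or from any WAF) that puts the last few comments together in one place: an inet_aton(3)-style parser that accepts "0", "2130706433", hex and octal components the way the libc function does, a constructed octet-only blocklist regex of the kind the WAF-bypass comment refers to, and a simplified IPv4 version of the Private Network Access address spaces (loopback / private / public, an assumption rather than the spec's full table). The `zero_is_local` switch shows the gap the thread is about: by the letter, 0.0.0.0 falls in "public", while on Linux and macOS the kernel hands it to the local machine as the ping/nc transcript above shows. The sample hosts are constructed.

```python
import re
import ipaddress

# Constructed sample hosts (not taken from the thread): what a URL-host check
# or a WAF might see. "0" and "2130706433" are inet_aton shorthand for
# 0.0.0.0 and 127.0.0.1; "0x7f.1" and "0177.0.0.1" use hex and octal parts.
SAMPLE_HOSTS = ["127.0.0.1", "0.0.0.0", "0", "2130706433",
                "0x7f.1", "0177.0.0.1", "10.0.0.1", "8.8.8.8"]

# A stand-in for the "octet notation regex" kind of blocklist mentioned in
# the thread: it only recognises dotted-quad spellings. (Constructed.)
NAIVE_LOCAL_RE = re.compile(
    r"^(?:127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|0\.0\.0\.0)$")


def naive_is_local(host: str) -> bool:
    """Regex-only check; misses every non-dotted-quad spelling."""
    return NAIVE_LOCAL_RE.match(host) is not None


def _parse_part(part: str) -> int:
    """One numeric component as inet_aton(3) reads it: 0x.. hex, 0.. octal, else decimal."""
    if not part.isalnum():  # rejects "", signs and whitespace (int() would accept some of those)
        raise ValueError(f"bad component {part!r}")
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_int(host: str) -> int:
    """Parse an IPv4 string the way BSD inet_aton(3) does; return a 32-bit int.
    One to four dot-separated parts are allowed and the last part fills all the
    remaining bytes, so "0" is 0.0.0.0 and "2130706433" is 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many components in {host!r}")
    nums = [_parse_part(p) for p in parts]
    for n in nums[:-1]:
        if n > 0xFF:
            raise ValueError(f"component out of range in {host!r}")
    last_width = 8 * (4 - (len(nums) - 1))  # bits covered by the final component
    if nums[-1] >= 1 << last_width:
        raise ValueError(f"final component out of range in {host!r}")
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return (value << last_width) | nums[-1]


def canonical(host: str) -> str:
    """Dotted-quad spelling of any inet_aton-accepted host string."""
    return str(ipaddress.IPv4Address(inet_aton_int(host)))


# Private Network Access address spaces, simplified to IPv4 (an assumption
# made for this example; the spec's full list is longer and includes IPv6).
_LOOPBACK = [ipaddress.IPv4Network("127.0.0.0/8")]
_PRIVATE = [ipaddress.IPv4Network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# RFC 3330's "this host on this network" block. Linux and macOS deliver
# connections to it to the local machine, as the ping/nc transcript shows.
_THIS_HOST = ipaddress.IPv4Network("0.0.0.0/8")


def address_space(host: str, zero_is_local: bool = True) -> str:
    """Classify a host after canonicalising it. zero_is_local=False gives the
    by-the-letter result, where 0.0.0.0 is "public"; the default gives what
    the OS actually does with it."""
    addr = ipaddress.IPv4Address(inet_aton_int(host))
    if any(addr in n for n in _LOOPBACK):
        return "loopback"
    if zero_is_local and addr in _THIS_HOST:
        return "loopback"
    if any(addr in n for n in _PRIVATE):
        return "private"
    return "public"


if __name__ == "__main__":
    print(f"{'host':>12} {'regex':>6} {'canonical':>12} {'spec':>9} {'effective':>9}")
    for h in SAMPLE_HOSTS:
        print(f"{h:>12} {str(naive_is_local(h)):>6} {canonical(h):>12} "
              f"{address_space(h, zero_is_local=False):>9} {address_space(h):>9}")
```

Running it prints one row per sample host: the regex column is False for "0", "2130706433", "0x7f.1" and "0177.0.0.1" even though every one of them canonicalises to a loopback-or-zero address, which is exactly why a filter should parse and classify rather than pattern-match the string. The parser is written out rather than calling `socket.inet_aton` so the accepted forms are visible and the result does not depend on the platform's libc.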


'0.0.0.0' means 'all local host addresses'. Including whatever might be listening on 127.0.0.0/8.

It's just a private network address, and this "vulnerability" is because idiots adhere to the letter of the spec maliciously instead of understanding current practice.


Wait, so you're suggesting developers shouldn't adhere to specs but instead develop their tools / libraries according to whatever they feel it is the cool kids currently do?


Yes, I do. You should be following de-facto real world standards, not fantasy ones. Especially if security is involved.


If there are de facto real world standards, why not write them down?


Ask the guys writing the RFC's, not me. Boggles my mind too.


Have you considered replacing/creating/updating RFCs/BCPs relevant to your field?


I fail to see much difference with:

>>develop their tools / libraries according to whatever they feel it is the cool kids currently do?<<

versus:

>>adhere to the letter of the spec maliciously instead of understanding current practice.<<


This behavior has existed since at least the 1990s on various platforms. Pretty sure I first saw it in SunOS.



