brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Block outside access to localhost #40399

Open Earthw0rmJ1m opened 3 months ago

Earthw0rmJ1m commented 3 months ago

Platforms

all

Description

0.0.0.0 Day

This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.

Links:
https://vulcan.io/blog/0-0-0-0-day
https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

Brave adblock lists

(lan-block is not included)

Could the lan-block be included with the brave-shields list and enabled by default until Chrome patches it in Chromium 128?

Chrome is blocking access to 0.0.0.0 (Finch Rollout) starting with Chromium 128. Google will gradually roll out this change over the next few releases, completing it by Chrome 133, at which point the IP address will be blocked completely to all Chrome and Chromium users.

Martin-K24 commented 3 months ago

Isn't this already disabled or related to this issue or no?

Services & Features We Disable Entirely

https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#services--features-we-disable-entirely

Hyperlink ping attribute is disabled

diracdeltas commented 3 months ago

cc @mkarolin to confirm it’s in 128

mkarolin commented 3 months ago

@diracdeltas, I don't have access to the related upstream issue (https://crbug.com/1300021), but according to the feature status page (https://chromestatus.com/feature/5106143060033536) it's estimated to make it to dev trial only in cr129.

Earthw0rmJ1m commented 2 months ago

@mkarolin @diracdeltas

Why not include the lan blocklist though from UBO and include it enabled by default?

ShivanKaul commented 2 months ago

Brave disables Private Network Access, and also prevents requests to localhost: https://github.com/brave/adblock-lists/blob/master/brave-lists/brave-specific.txt. We had a separate feature for localhost request permissioning (enabled in Nightly) where an allowlisted website can issue a localhost request and the user would get a permission prompt, but the plan was to combine that with PNA at some point so we haven't rolled it out beyond Nightly.

Is there an actual attack demo page?
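As an added example (not code from this thread or from Brave), the check below illustrates why a localhost block keyed on the literal names `localhost`/`127.0.0.1` misses `0.0.0.0`, and how classifying the target by address properties closes that gap. The function names and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample request targets (not taken from the issue).
SAMPLE_URLS = [
    "http://localhost:8080/api",
    "http://127.0.0.1:6379/",
    "http://0.0.0.0:8080/api",   # the 0.0.0.0 Day case
    "http://[::]:8080/",         # IPv6 unspecified address
    "http://10.0.0.5/admin",     # RFC 1918 private range
    "https://example.com/",      # ordinary public host
]

def naive_is_local(url: str) -> bool:
    """Blocklist of the names traditionally treated as loopback.
    0.0.0.0 is not on it, yet on Linux and macOS a connection to
    0.0.0.0 reaches the local host, which is what 0.0.0.0 Day abuses."""
    host = urlsplit(url).hostname or ""
    return host in {"localhost", "127.0.0.1", "::1"}

def strict_is_local(url: str) -> bool:
    """Classify IP literals by property instead of by a fixed list:
    unspecified (0.0.0.0, ::), loopback, private and link-local
    addresses all count as local network. Other hostnames are left
    to a resolution-time check, which this example does not cover."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)   # urlsplit strips IPv6 brackets
    except ValueError:
        return False   # not an IP literal; decide after DNS resolution
    return (addr.is_unspecified or addr.is_loopback
            or addr.is_private or addr.is_link_local)

def compare(urls=SAMPLE_URLS) -> dict:
    """Return {url: (naive_verdict, strict_verdict)} for the sample set."""
    return {u: (naive_is_local(u), strict_is_local(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"{url:28} naive={'block' if naive else 'allow':5} "
              f"strict={'block' if strict else 'allow'}")
```

The naive check allows `http://0.0.0.0:8080/api` while the strict one blocks it; the same address-property test is what a browser-side or filter-list rule needs in order to treat 0.0.0.0 like 127.0.0.1.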