0.0.0.0 Day

linuxrocks123 (Moonbather; Posts: 51; Joined: 2015-12-14, 07:57; Location: Moon Base Alpha)

0.0.0.0 Day

Post by linuxrocks123 » 2024-08-08, 17:24

I wanted to ask if this recently disclosed vulnerability affects the Linux or MacOS builds of Pale Moon.

https://www.oligo.security/blog/0-0-0-0 ... he-browser

RealityRipple (Astronaut; Posts: 746; Joined: 2018-05-17, 02:34; Location: Los Berros Canyon, California)

Re: 0.0.0.0 Day

Post by RealityRipple » 2024-08-08, 17:43

Not recently discovered. It's been a known "non-private" private address bypass for almost 20 years. And I'm not sure I'd call it a bug so much as an exploitable misclassification. It's also a kind of bad *NIX network design leftover that they re-interpret 0.0.0.0 as localhost, effectively bypassing the TCP binding of the server. But yes, the fetch() request will need to be updated to match the spec change.

Moonchild (Pale Moon guru; Posts: 36285; Joined: 2011-08-28, 17:27; Location: Motala, SE)

Re: 0.0.0.0 Day

Post by Moonchild » 2024-08-08, 18:42

Spec proposal isn't merged yet, but if this is a known issue that should be addressed because of a *NIX networking oddity then I'm all for it.
"Just because you are offended doesn't mean you are right." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

RealityRipple (Astronaut; Posts: 746; Joined: 2018-05-17, 02:34; Location: Los Berros Canyon, California)

Re: 0.0.0.0 Day

Post by RealityRipple » 2024-08-09, 04:48

Not sure, but I think it should just be a matter of checking for '0.0.0.0' in nsDNSService2's PreprocessHostname() function, same as the optionally-blocked .onion URLs.

Moonchild (Pale Moon guru; Posts: 36285; Joined: 2011-08-28, 17:27; Location: Motala, SE)

Re: 0.0.0.0 Day

Post by Moonchild » 2024-08-09, 10:34

That sounds like a simple solution. I don't really see a reason for legitimate traffic to ever connect to 0.0.0.0 in normal use, anyway. If it's as simple as I think then I can roll this into 33.3.0 -- as it is the first release candidate was in need of changes anyway ;P

Moonchild (Pale Moon guru; Posts: 36285; Joined: 2011-08-28, 17:27; Location: Motala, SE)

Re: 0.0.0.0 Day

Post by Moonchild » 2024-08-09, 14:15

Pretty painless. See Issue #2554 (UXP). Meaning we'll be ahead of the curve again on something sec related ;P

ron_1 (Moon Magic practitioner; Posts: 2921; Joined: 2012-06-28, 01:20)

Re: 0.0.0.0 Day

Post by ron_1 » 2024-08-09, 23:01

Is there anything we users can do to mitigate this while waiting for 33.3.0?

RealityRipple (Astronaut; Posts: 746; Joined: 2018-05-17, 02:34; Location: Los Berros Canyon, California)

Re: 0.0.0.0 Day

Post by RealityRipple » 2024-08-10, 00:18

If you don't have any software that runs a local webserver, you're OK.
If you use Windows, you're OK.

Otherwise...

Use HTTPS versions of websites wherever possible.
Don't enable mixed content.
Make any local servers only accessible from the exact local IP on your preferred network(s); don't listen on the localhost or 127.0.0.1 addresses, if the option is there.
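The two points RealityRipple raises in this thread, checking for 0.0.0.0 before a hostname is resolved and keeping local servers off the wildcard and loopback addresses, both come down to classifying an IPv4 literal. The block below is an added example written for this page, not code from UXP or Pale Moon, and it makes no claim about what PreprocessHostname() actually does; the function names parseIPv4, classify, shouldBlockHostname and bindReachableViaLocalhost are my own. The parsing rules follow the IPv4 parser of the WHATWG URL Standard (one to four dot-separated parts, hexadecimal with a 0x prefix, octal with a leading 0), which is why the check compares the parsed address rather than the literal string '0.0.0.0': if the browser's URL parser already normalises shorthand such as "0" or "0x0" to 0.0.0.0 before the hostname reaches the DNS service, a string comparison suffices, and comparing the parsed value is the conservative choice either way.

```cpp
// Added example (not UXP/Pale Moon code): a WHATWG-URL-style IPv4 literal
// parser plus a small address classifier, used for two defensive checks:
//   1. refuse to resolve the unspecified address (0.0.0.0) at all;
//   2. audit a local server's configured listen address.
#include <cctype>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

enum class AddrClass { NotIPv4Literal, Unspecified, Loopback, Private, LinkLocal, Public };

// Parse one dotted component the way the URL Standard does: "0x" prefix means
// hexadecimal, a leading "0" means octal, anything else is decimal.
// Returns false for empty, malformed or absurdly long input.
static bool parseIPv4Number(std::string part, uint64_t& value) {
    if (part.empty()) return false;
    int base = 10;
    if (part.size() >= 2 && part[0] == '0' && (part[1] == 'x' || part[1] == 'X')) {
        part = part.substr(2); base = 16;
    } else if (part.size() >= 2 && part[0] == '0') {
        part = part.substr(1); base = 8;
    }
    if (part.empty()) { value = 0; return true; }   // "0x" and "0" alone are zero
    for (char c : part) {
        bool ok = (base == 10 && c >= '0' && c <= '9')
               || (base == 8  && c >= '0' && c <= '7')
               || (base == 16 && std::isxdigit(static_cast<unsigned char>(c)));
        if (!ok) return false;
    }
    if (part.size() > 16) return false;             // keep strtoull from overflowing
    value = std::strtoull(part.c_str(), nullptr, base);
    return true;
}

// Parse "a.b.c.d" and the shorter forms ("a", "a.b", "a.b.c") into a host-order
// 32-bit address. Returns false if the string is not an IPv4 literal at all.
static bool parseIPv4(const std::string& host, uint32_t& address) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : host) {
        if (c == '.') { parts.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    parts.push_back(cur);
    if (parts.size() > 1 && parts.back().empty()) parts.pop_back();  // trailing dot
    if (parts.empty() || parts.size() > 4) return false;
    std::vector<uint64_t> nums;
    for (const auto& p : parts) {
        uint64_t n;
        if (!parseIPv4Number(p, n)) return false;
        nums.push_back(n);
    }
    // Every part but the last must fit in one octet; the last fills the rest.
    for (size_t i = 0; i + 1 < nums.size(); ++i)
        if (nums[i] > 255) return false;
    uint64_t limit = 1ULL << (8 * (5 - nums.size()));
    if (nums.back() >= limit) return false;
    uint64_t v = nums.back();
    for (size_t i = 0; i + 1 < nums.size(); ++i)
        v += nums[i] << (8 * (3 - i));
    address = static_cast<uint32_t>(v);
    return true;
}

// Classify the parsed address. Only the exact unspecified address is treated
// as 0.0.0.0 here, matching the check this thread discusses.
static AddrClass classify(const std::string& host) {
    uint32_t a;
    if (!parseIPv4(host, a)) return AddrClass::NotIPv4Literal;
    if (a == 0) return AddrClass::Unspecified;                      // 0.0.0.0
    uint32_t o1 = a >> 24, o2 = (a >> 16) & 0xff;
    if (o1 == 127) return AddrClass::Loopback;                      // 127.0.0.0/8
    if (o1 == 10) return AddrClass::Private;                        // 10.0.0.0/8
    if (o1 == 172 && o2 >= 16 && o2 <= 31) return AddrClass::Private;   // 172.16.0.0/12
    if (o1 == 192 && o2 == 168) return AddrClass::Private;          // 192.168.0.0/16
    if (o1 == 169 && o2 == 254) return AddrClass::LinkLocal;        // 169.254.0.0/16
    return AddrClass::Public;
}

// Check 1: the kind of hostname-preprocessing test discussed above, done on
// the parsed address so shorthand literals cannot slip past a string compare.
static bool shouldBlockHostname(const std::string& host) {
    return classify(host) == AddrClass::Unspecified;
}

// Check 2: does a server bound to this address answer connections that arrive
// via the host's loopback path? The wildcard and loopback addresses do; a
// specific LAN address does not, which is the mitigation described above.
static bool bindReachableViaLocalhost(const std::string& bindAddr) {
    AddrClass c = classify(bindAddr);
    return c == AddrClass::Unspecified || c == AddrClass::Loopback;
}

int main() {
    // Constructed sample hostnames, as they might reach the resolver check.
    const char* samples[] = {"0.0.0.0", "0", "0x0", "127.0.0.1", "192.168.1.10", "example.org"};
    for (const char* s : samples)
        std::cout << s << " -> " << (shouldBlockHostname(s) ? "blocked" : "allowed") << '\n';
    return 0;
}
```

Run as-is it prints which of the constructed sample hostnames the resolver check would refuse; bindReachableViaLocalhost() is the same classifier turned around to audit a listen address, so a server configured with 0.0.0.0 or 127.0.0.1 is flagged and one bound to a specific private address is not.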

ron_1 (Moon Magic practitioner; Posts: 2921; Joined: 2012-06-28, 01:20)

Re: 0.0.0.0 Day

Post by ron_1 » 2024-08-10, 12:58

On another forum I found this:
You need to open Filter lists tab in the uBlock dashboard and enable and load Block Outsider Intrusion list under Privacy section.
https://forums.linuxmint.com/viewtopic.php?t=426815
uBo for Pale Moon doesn't have this, and I looked around the internet for a way to manually add this, but no luck. Does anyone have any info on this?

andyprough (Keeps coming back; Posts: 857; Joined: 2020-05-31, 04:33)

Re: 0.0.0.0 Day

Post by andyprough » 2024-08-11, 05:43

ron_1 wrote (2024-08-10, 12:58):
    On another forum I found this:
    You need to open Filter lists tab in the uBlock dashboard and enable and load Block Outsider Intrusion list under Privacy section.
    https://forums.linuxmint.com/viewtopic.php?t=426815
    uBo for Pale Moon doesn't have this, and I looked around the internet for a way to manually add this, but no luck. Does anyone have any info on this?
We have a long thread on this forum on implementing Block Outsider Intrusion into LAN: viewtopic.php?f=19&t=29982
Seems to work most clearly with the eMatrix extension for Pale Moon: https://addons.palemoon.org/addon/ematrix/

ron_1 (Moon Magic practitioner; Posts: 2921; Joined: 2012-06-28, 01:20)

Re: 0.0.0.0 Day

Post by ron_1 » 2024-08-11, 13:53

andyprough wrote (2024-08-11, 05:43):
    We have a long thread on this forum on implementing Block Outsider Intrusion into LAN
Thank you. I missed that thread.

ron_1 (Moon Magic practitioner; Posts: 2921; Joined: 2012-06-28, 01:20)

Re: 0.0.0.0 Day

Post by ron_1 » 2024-08-11, 18:09

The other thread is locked, so I'll post this here. On my uBo for Block Outsider Intrusion into LAN I'm getting only 7 used out of 7. In the locked thread, others were reporting getting 40 something used out of 62. I'm wondering why my number is so low? (But at least all 7 are used, I guess.)
