
0.0.0.0 Day: Exploiting Localhost APIs From The Browser

BSidesSF · 2025 · 39:42 · 145 views · Published 2025-06
About this talk
Gal Elbaz presents research into a critical vulnerability allowing attackers to exploit localhost-bound services from the browser via 0.0.0.0 binding. The talk covers client-side port scanning, private network access (PNA) bypass, DNS rebinding revival, and real-world attacks on Ray AI clusters exposing credentials and cloud infrastructure. The session details browser vendor responses—including Apple's WebKit fix and Chrome's evolving PNA protections—and demonstrates full remote code execution chains.
Original YouTube description

0.0.0.0 Day: Exploiting Localhost APIs From The Browser
Gal Elbaz

While seemingly local, services running on localhost are accessible to the browser using a flaw we found, exposing the ports on the localhost network interface and leaving the floodgates ajar to remote network attacks. This session will dive into the 0.0.0.0 exploit research conducted by the team.

https://bsidessf2025.sched.com/event/34382f8e3e5882763ef9ca2baaec5d68

Transcript [en]

All right, good afternoon everyone. Welcome. So I have our next session ready to go. I have Gal Elbaz ready and I will let him take it away. Thank you very much.

Hi everyone. Thank you for attending this talk, 0.0.0.0 Day, exploiting private network through the browser, and let's begin. So quickly about me: I'm Gal. I'm the co-founder and CTO of Oligo Security. Been more than a decade in security research, attending exactly those conferences and talks. So really happy to be here. Been starting my career at Check Point, hacking and breaking applications for my living, and now also protecting them. But

we'll leave that aside. So this is a super interesting story that is actually a rolling story from within the last year, and we're going to go quickly over the agenda just for us to understand what we're going to see today. First of all, we're going to talk about the concept of client port scanning and how it actually led to the PNA, the private network access, and from now on I'll use that as the PNA. And we get into the internals of the 0.0.0.0 Day and how this magic actually applies and how the past tryouts in history were not cutting it. And of course, like any

good talk, we need to RCE something. So we're going to demonstrate how we're going to chain this attack with a famous application in order to demonstrate how it can be used in order to attack private applications that today are considered safe, and of course deep dive into how the different browsers dealt with the responsible disclosure and how the fixes apply. So without further ado, let's start. So how many of you here have heard about client port scanning? And I'm not talking about scanning the internet. I'm talking about scanning your own. I see not a lot of faces, but I guess you'd be surprised

that probably all of you have been port scanned before. Who remembers this weird, I think it was Reddit or something, that someone said, "Hey, why is this website port scanning me?" And later on we found out it wasn't a script kiddie, it was literally eBay that port scanned their visitors. It was a huge thing back then. And what they basically did, we don't know if it was for monetization or fingerprinting or security, but basically what you see in front of you is that they leveraged the fact that they can just communicate with localhost and start scanning all of their

visitors' local machines in order to identify who they are by scanning their ports, identifying which applications are running on this host. So this made a lot of buzz, and this is exactly what PNA tries to solve. And this illustration from now on will help us to distinguish between what is considered the public network, the top-level domain, the .com. This is especially from the PNA website, which is one of the initiatives made by Google, and you can see how they distinguish between what is public network versus, you know, your home or office network, which is considered private, and of course you as the local device

running within those networks. So there are many ways to run servers, right? From the basic 0.0.0.0 that just binds on all interfaces, to the localhost, of course, that can serve as the 127.0.0.1 or just the string localhost itself. And we're going to talk about those two specifically. And this story actually begins with an 18, actually it's been 19 years old already, bug, and it started with this lack of standard between the browsers themselves, and each and every one implemented their own security mechanism. I know it will make everyone in this room feel old, but we're talking about the early days of the

internet. HTTPS didn't exist by then. And there was a really weird issue opened on Mozilla Firefox that said, "Hey, I think websites are trying to attack my router," and, you know, it was a weird thing, but it grew a lot more. And he said, "Hey, it's literally trying to attack my home network. I think it's for scanning internal stuff or fingerprinting. We should all pay attention to those stuff. It's not part of the RFC and something should be done." And of course it was too late when he already said, "Hey, now

it's literally an active campaign." Again, we're talking about, as you can see, 19 years ago, but it was a great article by Symantec which was called Drive-By Pharming, and you can see it was that easy just to make your home or office router bind and do this DNS rebinding attack to another address, and basically this attack went too successful. There were more than 300 home routers and office routers that were compromised, and again, back then, I know you're all thinking self-certificate or HTTPS, but again, back then those stuff did not

exist, and this is why this attack actually went really successful, and this actually led to start thinking about this problem and trying to solve it. And this is where the great initiative by the Mozilla Firefox guys started, to map what is considered a much more private address. You can see the addresses in front of you, and the sharp ones out of you can notice that something is actually missing. But we'll talk about it in a second. And of course it wasn't a bug, it was a feature, it was an enhancement. It's only 300,000 routers that have been compromised, right? So this new enhancement basically suggested, in order to block

websites getting access to local private IPs, and of course the 0.0.0.0 itself was missed, but they actually also notified that and decided to add the 0.0.0.0 address as well. And you can see that in the end they really compiled the list of what is considered as private, and we'll talk about those initiatives, but this has started 18 years ago and still it's open and not fixed up until today. And then almost eight years ago Google stepped in and started creating what we all know today as the PNA, but it was due to another cool hacking trick happening in the internet. You probably all heard about

CSRF attacks, which led to the invention of CORS and the ability to restrict from the internet to the internet. So this is the early days of Google trying to solve those problems, and this is where they started working on this initiative. You can see that back then it was still a community edition. So was it a real standard that other browsers may use? But they did start working on something much more global than just fixing their own problems. And of course it always leads to this fun game of hot potato and throwing responsibility from one to another, because then Firefox said, "Oh, cool. So now there's a standard to wait for. So let's

wait for the standard to happen. We don't want to fix stuff or change stuff and then the standard will be changed. So we will wait, and we're not going to fix those issues until private network access will be applied." So what is this private network access that we're talking about? What is basically allowed or disallowed? This has started with Chromium, which pioneered this and started rolling it out, and again, as I mentioned, the aim back then was to protect from cross-site request forgery, CSRF attacks, but also, again, mentioning the same problems we talked about, like targeting routers and other devices on the private network, and they literally

admit that this attack affected hundreds of thousands of users. So that was the goal of starting to create this standard, and they even had an open issue for the 0.0.0.0, and I guess we all think, good, it didn't go undetected. But those stuff just sound good, and when you start actually rolling out, it wasn't that easy. They broke a lot of the internet and a lot of websites, and that's why they decided to roll back and start to do it much more gradually. And when they started rolling it back they saw that, again, in defiance of the spec, but it seems pretty common. So they

decided to allow the 0.0.0.0, because I guess vendors or users have been using this weird address. We'll see why and how it should be used. But this led to the fact that a lot of the PNA stuff that we saw are blocked today in all modern browsers, besides this 0.0.0.0. And why, and what is this weird address? Okay, let's talk about it. If you just Wikipedia that, you'll see that this address has multiple uses. What does that mean, right? And when you deep dive into it, 0.0.0.0 basically means, again from the RFC, this host on this network, and basically it is actually a part of a

legitimate use in the DHCP handshake, in the discovery, before your endpoint actually gets an IP assigned to it. It uses the 0.0.0.0 as its address to begin with. But again, if you can see the RFC, and like really written in red, this IP address should never be used as a destination address. And this is where interesting stuff started popping out, and Google decided to create a counter and see how many websites around the world actually use this weird IP address. And you can see that back then it was like 0.002%, but of course it grew

immensely. We're talking about more than 10x growth only in, I think, a couple of years, and let's say that I cannot fully share the whole comments, but they mentioned that it seems that most of them are malicious websites and there wasn't really a real usage of using that besides attacking someone. So with this huge increase, we thought that there's a lot of discussion around it, and actually something really, really cool here: you can see how it's going down from actually fixing it after we disclosed all of that. But then there

was a spike up a little bit after our DEF CON talk. So I guess attackers do listen to DEF CON talks. And what was really intriguing in all of that is that, when you just think about it, it's that simple and stupid. What you'll see on the left side, everything that the PNA should block, right, is those localhost or those addresses and everything that is considered private. By design, when you just communicate, or you just, you know, send a packet to 0.0.0.0 on your host, basically, logically, you're bypassing all of that, because this address does not exist, and when you reach out to this address it basically just

redirects it to the entire network interfaces running on this host. So it means by design the thing that we were thinking that we are blocking for the past 19 years is actually not blocked, and all enabled through the same simple address. All you need to do is just change the destination address: instead of localhost put 0.0.0.0, and all of those attacks are revived again. So when we say everything, we mean everything HTTP based. So I guess there are developers in the audience in here, right? Again, by design, we are developers, we are lazy, right? So we want to do stuff quick and efficient and just connect to the source

so a lot of us, I guess, are working with port forwarding directly with your Kubernetes or your IDEs or everything that will just help you to kickstart fast. So those ones are, I think, a big target of those stuff, the developers themselves. I think there's a huge movement regardless in the world about attacking developers. When we started moving to the cloud, the developers themselves started holding most of the credentials to the cloud or credentials to the environment, and that's why they became a big target. So it was really interesting for us to also scatter this. Of course, operating system services: we're talking about AirPlay or CUPS or anything

running within your local device, and of course internal network access like VPN or anything that binds to your local addresses, like, again, DNS rebinding attacks. So we decided to test this and we built a simple port scanner. We built it in WebAssembly just because it's cool. There's no reason for that. It's the same JavaScript API in the browser that you can see. But what we basically done, and by the way all of you can just go to the GitHub page and download this port scanner and port scan yourself and see how it works. But what we

basically done is the ability to map which ports are open and listening on each and every host, and it was pretty simple. You can see the Wireshark snippet from here, and you can see that when we're scanning for the ports, if we're getting a connection refused it means this port does not exist, but if we get some sort of an error code it means it does, right? So we're starting to map all of the internal ports of our own computers, right? And then it really intrigued us, like, what is possible to do with that, right? So from

this classical DNS rebinding, if you'll try to do it on your localhost you'll see it's going to get blocked, but suddenly when you do it on the 0.0.0.0 it works. So a lot of the fundamental stuff that we thought we knew, or again, we thought are already, you know, gone from the world, sadly are not. And this is where I think we decided to start chaining it with something big that we found and done. So the ShadowRay story, it's actually the incentive and the whole motivation for the 0.0.0.0. This is the first ever attack campaign in history attacking AI

workloads. Our team found this campaign and disclosed it. We're talking about a campaign that started for more than a year and went undetected for almost a year. This is basically the only existing example of a real attack on AI infrastructure. We're talking about, from Google, they're doing lectures about a safe or unsafe implementation of Kubernetes, to organizations like MITRE, which started mapping techniques and attacking AI infrastructure. This is the only existing example of an AI attack. And again, let's start with the beginning. We are fans of Ray. We use it ourselves. This is an amazing framework made by

the Anyscale guys. Basically it's just Kubernetes for AI. Okay, it allows you to orchestrate your jobs and do it in a proper manner. You can see this is de facto the ruling framework. A lot of the biggest companies in the world use Ray, and of course you cannot dismiss that, but GPT-3.5 was trained on Ray. So you can understand how industry standard this tool is, and of course, like any other AI framework that's been done by data engineers, it's in Python, and of course there were a lot of good intentions by the maintainers, but something that we

saw along the lines was really intriguing for us. It all started with five new vulnerabilities that were disclosed to the maintainers of Ray, the amazing Anyscale people, and of course, you know, I'm wearing my other hat, and of course they have their own reasons and they are the maintainers, they can do whatever they want, they maintain the code, but they decided to dismiss and dispute five vulnerabilities. Specifically, this one was an RCE that is, again, according to them, the intended behavior, right? You can understand this is like the intention of Ray, to run jobs. But as a security

expert, when you see that you can literally run arbitrary commands without being authenticated and anyone from the network can do it, your spidey sense starts to tingle, say, whoa, it's not the intended behavior. I'm sure those guys didn't mean to allow the world to RCE their clusters in that easy way. And you can see the vendor's claim, of course, this is the intended behavior. Users should run it inside a controlled network. Again, like every other framework that tries to put the responsibility on the users. Users are not security experts. Data engineers are even far more, you know, left from developers that might even have

this little bit of security perspective. But as you can see, the maintainer position is that running jobs remotely is an intended behavior of the package. Cool. So you're telling me this is basically not a bug but a feature. Okay. So we decided to look around, and of course it all starts from that essence that we want users to adopt those tools fast. So we just want to give them the fastest, easiest way, just one click, and start using Ray. And as part of it you can see that by design it runs and listens and binds to the 0.0.0.0 to accept all incoming connections. And this, of course,

very risky behavior ended up being a real attack campaign, that we saw, only by ourselves, thousands of clusters. Just imagine each and every IP has a whole cluster behind it. Each and every machine, it's these pricey GPUs, and again, attackers were right about attacking this compute power, which is so strong and so expensive, and this is why it went so successful. So again, we are talking about AI workloads, right? So a lot of those AI production workloads hold a lot of the secrets and the credentials to other environments, for example database credentials like Postgres or even SSH keys that were on the machine.

Everything we're showing you, it's actually an attack that we saw, and how, because basically Ray, luckily for us and for everyone, is keeping a history list of each and every command that is running on Ray. So we could actually extract the commands that the attackers did and from that start to follow their tracks. We found 62 OpenAI tokens and we disclosed all of them. We got zero bounty even though they say they're bringing bounties. So I don't know, you should check that. Hugging Face tokens, it wasn't that hugging face when we told them there were a lot that

have been compromised, and of course the supply chain angle is always risky when we're talking about those stuff. Slack token: I don't need to explain to this room what it means to breach private communication channels in a big organization. And of course, Stripe: we could literally take money. And this is how crazy it was. And again, everything I'm showing you was all open to the public. Any one of you in this room could send one packet and run code and do whatever he wants on this huge environment. And of course, it is by design running in the cloud. So AWS keys and everything that would allow an attacker to laterally

move. This is what we found and how it looked like from our angle. You can see the wgets and the command and the reverse shell that has been triggered. Some of them were, you know, in a very stealthy way encrypting everything. Some of them were just, you know, blankly doing the reverse shell and starting to move inside. The crazy thing, I think, to us was like, wow, there are at least six or seven different crypto miners on each and every machine. We're like, wow, we didn't know about this attack. The world didn't know about this attack. But attackers knew about each other, right? And it was

kind of funny because there was kind of like war games, if you all, like the nerds of you, remember it from the old assembly days when you're writing your own script to kill the others. So each and every one of them, and I think the number one who won just elevated its privileges, looked in memory for other crypto miners, killed them in order to take down the entire resource of this specific machine. And I think the number one attacker here was fourth worldwide in the crypto mining pool. So it was successful. And of course it was hitting waves all over. It was published over

Forbes and a lot of other great places. And this is where we were pretty shocked to see the comments, both from the security leaders we're talking to but also from the industry itself, saying, wow, it's insane, watch and hack, and like, yeah, but it's behind the firewall and a WAF, so it's all good, we're protected. And when we hear those stuff we're like, wait, what about lateral movement? It's so easy to just get one leg in a network and then laterally move. So this is where this whole idea and the whole motivation of, again, instead of just trying to

educate, just show. I think it's the best way to educate. And this is where we decided, hey, we know, we've been those attackers, we've been on the other side, we know it's a lot easier to find one way to get in than trying to protect. So hey, let's come up with a new way that will allow us to, again, change the mindset of the industry about whether an application is actually safe or considered safe if it's behind a firewall and a WAF. And this really led to this that you see in front of you. Can we actually use the browser in order

to attack private internal applications? In the end, the browser serves as a leg within your network, right? You're surfing and using it inside your private organization. Helping it to map actually each and every URL that you ever used to the World Wide Web, it's another issue for itself. But all we needed to do, and this was intriguing for us, is just to dispatch one packet and we can completely take over those apps. And again, Ray or ShadowRay was only one example. What we wanted to convey and show is that it can happen on so many different types, but when we took a real example of a real attack, I think it showed people that

it is real. So in order to demonstrate the whole attack flow, we started with a not so good phishing email, right? I guess an LLM today would help me a lot more, but the whole concept was not about doing a full email phishing campaign, and the whole aspect was to show the simple example that we wanted to convey, which is someone uses Ray, a developer, either on his localhost private machine or just using port forwarding, and then only by clicking or just accessing the website, what will happen is that our malicious JavaScript will just use this one HTTP POST

request in order to compromise the cluster. And in order to do that, all we need to do is just use the 0.0.0.0 as the target IP address. And I know all of you might think, hey, it's a link, you need to click something. So again, let's be honest, today it's not that hard to make someone surf to your website. You can infect people with ads. You can do a lot more tricky stuff than you think, than again just writing a really cool phishing email with GPT. But this is how it actually looked like behind the scenes. You can see that our script is basically running

with the mode no-cors, and all it does is basically just sending this POST packet to, again, this is the port that Ray is listening on by design, the 8265. And what actually happens is that we do that, actually this serves as the same script you used earlier, so you can try to RCE yourself. And this is how it looked like. You can see on the left that there is like a red job that indicates that the request has been blocked, right? Of course, protection actually works, but you can see the status code is 200 OK, because we don't care about the request. All we

care about is just dispatching this one packet to the private network, and it allows us to completely take over the entire cluster. So it seems like a CORS error, but on the second request, hey, it reaches the server. We started with just like dumping the credentials and say, hey, echo exploited, it works. But again, this is just one example, and we of course weaponized it to a full RCE and how we can run a reverse shell, and you can see how it looks like from the different angle, from the Ray dashboard. You can see that each and every time that we're just surfing

this website it will just initiate the attack again and again, and you can see how many times it echoed exploited. So in order to chain everything together, what we basically done here is just to demonstrate how we have an attacker which is present on the internet, is not connected to the private network. On the local side, we're going to run Ray like any other developer, ray.init. This is how developers usually run it. Super easy and fast. And then you're going to see we're going to open the dashboard, which binds to localhost. And now we can use Ray. Now on the other side

we're going to open the jobs just for you to see how our malicious job will be documented. On the other side, again, not such a good phishing email, but again, this is not the point of the talk. You can see how we're listening on the attacker's angle, and only by clicking, again, we're attacking ourselves, right, on that you can see how we'll literally run a reverse shell. So now is the time to do some applause for exploits. I know it's a video, yeah, but we are a little bit afraid of the demo gods. But we urge you to go and check for yourself. Everything we did is open sourced, just again

for the sake of education, and it made a lot of buzz around the world. We don't know if it's just this, again, simple weird IP that everyone was intrigued in, or just the fact that the attacks graph was getting, or the malicious websites in the world, as we saw, we saw only from the DEF CON talk another additional 100,000 websites that got added to the counter of the 0.0.0.0 websites. And now we're getting to the interesting part of how the industry has dealt with it. So of course it worked on all of the browsers, and I know usually in those conferences we're really used to bashing

Microsoft, but actually here Microsoft did an amazing job, and Microsoft is blocking this address on the OS level, which means it doesn't even connect to the browser, and which means on that Mgel it will not work on Microsoft. So everything we're doing is just for Linux and Mac. And of course we're showing from Safari, Firefox and Chrome how this exploit works. And first of all was Safari, and Apple actually did an amazing job fixing that, and they literally added another if statement to each and every HTTP packet on the globe. So I'm not proud of it, I don't know, adding another if statement to each and every

packet, but you can see that it just checks if it contains only zeros and blocks it by design. So it has been done on the WebKit level. This is the engine that serves Safari. So actually Apple did an amazing job and were the ones that actually fixed this issue. Chromium, which are the pioneers of the PNA, actually are the ones that we did the disclosure with, and they have been amazing in helping us and helping us helping them, and they did start working on new features to PNA. You can see our report and how they did mention all of the stuff that we just discussed, that this, of

course, address can be used in order to bypass most of the PNA protection as we know it. This again can also be abused, as we mentioned, in reviving DNS rebinding attacks, or not reviving, I guess they're working for 20 years and we just didn't know. And of course the ability to attack applications through the localhost. And of course it also serves as a way for them to measure those stuff. So from the ability to see how there is a growing number of websites that are maliciously using it, and, in their own words, those malware leveraging this attack to

specifically attack developers, as we mentioned. I don't know if it was only our example or the fact that they know something that we don't, but they did a great job on trying to walk it through. But when they, and I think they disclosed that and fixed it and they even gave us a bounty, but it was breaking a lot of websites again, so they rolled it back. So right now it's not protected over Chrome. And of course Mozilla, they are open source and they are still waiting for PNA to be a standard, and this is why, again, I think the biggest

thing that we made here is to finally really make those browser maintainers talk to each other, not from tickets, and this is where they understood they need to solve it on a deeper level. So in order to do that they went down, and I think this was a Mozilla idea, and I think it's what will actually solve this problem in the end, but go down to the Fetch level. Fetch is basically the standard in the internet of how HTTP works. So by going down to this level and changing it on the Fetch level, all of the browsers have to use that, and in order

for them to support the Fetch in a proper way, and by that block the 0.0.0.0 on the Fetch level, meaning it could not even dispatch this type of packet. And when we're talking about the future of PNA or the protection of those browsers, the work that now is being done in the industry is to add those PNA HTTP headers to open source projects, and also what we just showed, the 0.0.0.0 will be blocked in all browsers on the Fetch level, as we demonstrated. We hope, right? They started working on it but it didn't really fully roll out, and

of course, I think a main agenda for this talk is that you should secure your localhost, and local doesn't mean safe, and even though we have this false sense of safety that applications are protected behind the firewall and WAF, our main recommendation is that, hey, don't trust those stuff. Add authentication or authorization or any type of mechanism that can add another step of mitigation to your apps. I think even a great example is the Jupyter notebooks. I think they even just print to the screen, like generate a token that you can either use, and not even going all the way to

implement CORS or, you know, add authentication in the right manner. We do, again, recommend to add all of those layers on each and every web app you're running internally. And of course, just to finish with a cool bonus thing. I don't know if anyone in here knows all of this internet scanner, port scanner on the internet, in which you can just put an IP address and just scan the internet. And you can see from your left that when we're trying to use the localhost, 127.0.0.1, you can see it says invalid domain, invalid IP, cannot use it. But if you use

0.0.0.0 you actually make the port scanner port scan themselves, and you can see how all of the open ports on the machine that literally does that is working. So I think this is the best testament of how this thing went undetected for years. So we're coming to the conclusion, and we have a couple of minutes again also for Q&A. And I'm right on time, as I can see, but I just wanted to mention that that was just one example. This is just the tip of the iceberg when we're talking about those attacks. Stuff like certificate transparency. I don't know if you know, but your browser

actually maps your entire private infrastructure. You can actually go, and we all in the western world are using Google as our trusted authority for certificates. But if you just go and look for your own company domain, you'll probably start to see a lot of subdomains that have been mapped around the world. And again, this really helps attackers to redirect their attacks to a specific subdomain that might say, hey, this is the Ray cluster, and it would allow attackers like us to do it in a lot easier way. Plus, Ray was only one example. We actually improved and showed different various types of applications, from Selenium to

IDEs to even, really lately, MCP servers. They're all listening and using 0.0.0.0 as the way to bind. So of course we disclosed and notified all of it, but I think it's also a call to action to the community to raise awareness, to start thinking about those stuff when you are running stuff locally or just, you know, running services listening on your host. Don't expect them to actually stay local or safe. So without further ado, thank you very much for attending this talk. It is a true pleasure to be here in BSides. If you have any questions afterwards, you can look at me at X, Twitter, whatever Elon will

call it tomorrow morning, and I would be very happy to answer anything. So, thank you very much.

All right. Thanks everyone.
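
Added example (not part of the talk or its transcript, and not code from the speaker, Oligo or Ray): the closing recommendation above, a Jupyter-style startup token plus a loopback-only bind, sketched as a small Python service that also rejects any request whose `Host` header is not loopback, which is what a page fetching `http://0.0.0.0:<port>/` or a rebound DNS name would send. The `/submit` path and all function names are hypothetical.

```python
# Added example, not code from the talk: a loopback-only API that refuses
# browser-originated requests sent via 0.0.0.0 or a rebound DNS name.
import hmac
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ALLOWED_HOSTNAMES = {"127.0.0.1", "localhost"}  # names a real local client uses


def host_is_local(host_header, port):
    """True only if the Host header names loopback on our own port.

    A page fetching http://0.0.0.0:<port>/ sends 'Host: 0.0.0.0:<port>' and a
    DNS-rebinding page sends its own domain, so both fail this check.
    """
    if not host_header:
        return False
    name, sep, host_port = host_header.rpartition(":")
    if not sep:  # no explicit port in the header
        name, host_port = host_header, "80"
    return name.lower() in ALLOWED_HOSTNAMES and host_port == str(port)


def token_is_valid(auth_header, expected_token):
    """Constant-time check of 'Authorization: Bearer <token>'.

    A fetch() in no-cors mode cannot attach an Authorization header, so the
    fire-and-forget POST described in the talk never passes this check.
    """
    scheme, _, presented = (auth_header or "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        presented.encode(), expected_token.encode())


def decide(host_header, auth_header, port, expected_token):
    """HTTP status to answer with, decided before any job would run."""
    if not host_is_local(host_header, port):
        return 403
    if not token_is_valid(auth_header, expected_token):
        return 401
    return 200


def make_server(expected_token):
    """Demo API bound to 127.0.0.1 only (never 0.0.0.0) on a free port."""

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length") or 0))
            status = decide(self.headers.get("Host"),
                            self.headers.get("Authorization"),
                            self.server.server_address[1], expected_token)
            body = json.dumps({"accepted": status == 200}).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return ThreadingHTTPServer(("127.0.0.1", 0), Handler)


def probe(port, host_header, auth_header):
    """Send one POST with a chosen Host header; return the status code."""
    headers = {"Host": host_header, "Content-Type": "text/plain"}
    if auth_header:
        headers["Authorization"] = auth_header
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("POST", "/submit", body=b"{}", headers=headers)  # hypothetical path
        response = conn.getresponse()
        response.read()
        return response.status
    finally:
        conn.close()


def run_demo():
    """Start the server, replay four constructed requests, return statuses."""
    token = secrets.token_urlsafe(32)  # would be printed once at startup
    server = make_server(token)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    cases = {  # constructed sample requests
        "page targeting 0.0.0.0": (f"0.0.0.0:{port}", None),
        "rebound domain": (f"attacker.example:{port}", None),
        "local client, no token": (f"127.0.0.1:{port}", None),
        "local client, with token": (f"localhost:{port}", f"Bearer {token}"),
    }
    try:
        return {name: probe(port, host, auth) for name, (host, auth) in cases.items()}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{status}  {case}")
```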