[Bug 280705] 0.0.0.0/32 is equivalent to 127.0.0.1/32, which may be considered a security flaw
Date: Fri, 09 Aug 2024 14:27:04 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280705

Bug ID: 280705
Summary: 0.0.0.0/32 is equivalent to 127.0.0.1/32, which may be considered a security flaw
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ltning-freebsd@anduin.net

Looking at https://github.com/freebsd/freebsd-src/blob/872164f559d2637f8de30fcd9da46d9b43d24328/sys/netinet/in_pcb.c#L1312-L1331 and confirming by testing, any listening port, no matter which interface it is on, will also accept connections on 0.0.0.0/32.

This has recently gained attention in the form of a "browser bug", where network sandboxing can be evaded (and remotely-loaded javascript can talk to any service running on the host).

The original code is from BSD4.3, and (guessing here) might be there because someone didn't want to wait for the tape with the localhost interface code - or was simply too lazy to type 127.0.0.1? :)

--
You are receiving this mail because:
You are the assignee for the bug.
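
A way to repeat the reporter's test on a given host, as an added example (not part of the original report or of FreeBSD's code): it listens on one specific address and checks whether a TCP connection addressed to 0.0.0.0 reaches that listener. The function names and the default bind address 127.0.0.1 are assumptions of this example; pass one of the host's interface addresses as `bind_addr` to test a non-loopback listener.

```python
import socket


def accepts_on(dest, bind_addr="127.0.0.1", timeout=1.0):
    """Listen on bind_addr (ephemeral port) and report whether a TCP
    connection addressed to dest is delivered to that listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((bind_addr, 0))          # port 0: kernel picks a free port
        srv.listen(1)
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(timeout)
            try:
                cli.connect((dest, port))
            except OSError:
                return False              # refused, unreachable or timed out
            try:
                conn, peer = srv.accept()
            except OSError:
                return False              # nothing arrived at our listener
            with conn:
                # Confirm the accepted connection is the one we opened.
                return peer[1] == cli.getsockname()[1]


def probe(bind_addr="127.0.0.1"):
    """Compare a control connection (to bind_addr itself) with one
    addressed to 0.0.0.0, the case described in the bug report."""
    return {
        "control": accepts_on(bind_addr, bind_addr),
        "via_0.0.0.0": accepts_on("0.0.0.0", bind_addr),
    }


if __name__ == "__main__":
    result = probe()
    for name, ok in result.items():
        print(f"{name}: {'accepted' if ok else 'not accepted'}")
    if result["control"] and result["via_0.0.0.0"]:
        print("listener bound to a specific address is reachable via 0.0.0.0")
```

If `via_0.0.0.0` is reported as accepted, a service bound to a single address on this host is also reachable by local clients that address 0.0.0.0, so a policy that blocks only 127.0.0.0/8 does not cover it.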