
Block access to 127.0.0.1/localhost and LAN address from the internet #4318

Closed
SARG04 opened this issue Dec 15, 2018 · 11 comments
@SARG04

SARG04 commented Dec 15, 2018

Hello, I suggest blocking all websites on the internet from accessing local resources (localhost/router IP) to prevent the easy exploitation of security vulnerabilities.

There are many software packages which are running a web server on localhost, and if they are not secure they can be attacked from any website. The last bigger issue of this kind is "Logitech Options":
https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

I have been using Dynamic filtering for some time to block all addresses relevant in my network:

* 127.0.0.1 * block
127.0.0.1 127.0.0.1 * allow
* localhost * block
localhost localhost * allow
* 192.168.0.1 * block
192.168.0.1 192.168.0.1 * allow
* speedport.ip * block
speedport.ip speedport.ip * allow
* 192.168.0.10 * block
192.168.0.10 192.168.0.10 * allow
.....

So I prevent other sites from interacting with servers which are running on my system or my router.

But there are some "legitimate" sites which use access to a local server, e.g. Intel Driver update:
https://www.intel.de/content/www/de/de/support/intel-driver-support-assistant.html

So Dynamic filtering is not the best for a general solution.
So a filter list with the possibility of overwriting some sites would be a better solution.

I don't know the syntax for filter lists, sorry, therefore no finished list.

I would suggest blocking external access to Private IP addresses and known router host names:
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

router host names (which work even if the user changes the router IP)
speedport.ip, congstar.box, fritz.box, routerlogin.com, routerlogin.net, samsung.router, easy.box, arcor.easybox

@mapx-
Contributor

mapx- commented Dec 28, 2018

@gwarser What do you think about this request ?

@okiehsch
Contributor

I suggest blocking all websites on the internet from accessing local resources (localhost/router IP)

I do not see how this is possible without also blocking the local access of the router via one's browser.

@gwarser
Contributor

gwarser commented Dec 28, 2018

uBO does not support syntax for IP subnets. This will need to be a regular expression filter.

!---------
! https://en.wikipedia.org/wiki/Private_network
/^https?://10(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
! http://gamon.webfactional.com/regexnumericrangegenerator/
! http://www.analyticsmarket.com/freetools/ipregex
! 172.16.0.0 – 172.31.255.255
/^https?://172\.(?:1[6-9]|2[0-9]|3[01])(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
/^https?://192\.168(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
!---------
! https://en.wikipedia.org/wiki/Localhost
/^https?://127(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
||::1^$third-party
||localhost^$third-party
!---------
||arcor.easybox^$third-party
||congstar.box^$third-party
||easy.box^$third-party
||fritz.box^$third-party
||hi.link^$third-party
||routerlogin.com^$third-party
||routerlogin.net^$third-party
||samsung.router^$third-party
||speedport.ip^$third-party

And IPv6, and more custom domains. And websockets?


And hope for browsers to normalize to https://en.wikipedia.org/wiki/Dot-decimal_notation and not binary/octal/hex.


https://duckduckgo.com/?q=IP+range+regex&t=ffsb&ia=web


Userinfo: http://foobar@localhost:8080/


https://github.com/gwarser/filter-lists/blob/master/lan-block.txt can be enabled in uBO selection of filter lists.
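To see what the four IPv4 regex filters above do and do not match, here is an added Python check (not from this thread or from gwarser's list) that compiles those patterns with the uBO `/.../$third-party` wrapper removed and runs them over constructed request URLs, including the userinfo and non-dot-decimal forms mentioned above.

```python
import re

# Octet 0-255, exactly as written in the filters above.
OCTET = r"(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))"

# The four IPv4 regex filters from the list above, minus uBO's "/.../$third-party"
# wrapper. uBO compiles the part between the slashes as a JavaScript RegExp;
# Python's re behaves the same for these character classes and quantifiers.
LAN_PATTERNS = [
    r"^https?://10(?:\." + OCTET + r"){3}[:/]",                            # 10.0.0.0/8
    r"^https?://172\.(?:1[6-9]|2[0-9]|3[01])(?:\." + OCTET + r"){2}[:/]",  # 172.16.0.0/12
    r"^https?://192\.168(?:\." + OCTET + r"){2}[:/]",                      # 192.168.0.0/16
    r"^https?://127(?:\." + OCTET + r"){3}[:/]",                           # 127.0.0.0/8
]
LAN_RE = [re.compile(p) for p in LAN_PATTERNS]


def regex_blocks(url: str) -> bool:
    """True if at least one of the four regex filters matches the request URL."""
    return any(r.search(url) for r in LAN_RE)


# Constructed sample request URLs and whether the patterns are expected to match.
# Browsers always send at least a trailing "/" path, so the "[:/]" terminator is reachable.
SAMPLES = [
    ("http://192.168.0.1/", True),
    ("http://10.0.0.5:8080/api", True),
    ("http://172.31.255.255/", True),
    ("http://127.0.0.1:10134/", True),
    ("http://172.32.0.1/", False),              # first address past 172.16.0.0/12
    ("http://1.2.3.4/", False),                 # public address
    ("http://10.1.2.3.example.test/", False),   # hostname that merely starts like 10/8
    ("http://100.64.0.1/", False),              # CGNAT range, not in these four patterns
    # Forms the patterns do not cover unless the browser normalizes them first:
    ("http://foobar@127.0.0.1:8080/", False),   # userinfo before the host
    ("http://0x7f000001/", False),              # hex form of 127.0.0.1
    ("http://2130706433/", False),              # decimal form of 127.0.0.1
]


def mismatches() -> list:
    """Return (url, expected, actual) for every sample the patterns get wrong."""
    return [(url, want, regex_blocks(url))
            for url, want in SAMPLES if regex_blocks(url) != want]


if __name__ == "__main__":
    for url, want in SAMPLES:
        print(f"{'BLOCK' if regex_blocks(url) else 'pass ':5}  {url}")
    print("mismatches:", mismatches())
```

The last three samples pass the regexes untouched, which is exactly why the list's value depends on the browser normalizing the host before uBO sees the URL.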

@okiehsch
Contributor

Would blocking third-party requests really prevent "websites on the internet from accessing local resources", which probably means a successful DNS Rebinding Attack or some other hack has occurred?

@gwarser
Contributor

gwarser commented Dec 28, 2018

Something can be accessed. I can include an image from my 3g modem in webpages. Can be used for tracking/fingerprinting.

@uBlock-user
Contributor

Best is to block this via Dynamic Rules. Use cases for this are like a few needles in a haystack.

@js290

js290 commented Mar 30, 2024

Best is to block this via Dynamic Rules. Use cases for this are like a few needles in a haystack.

needle found: CVE-2024-2883

@gwarser
Contributor

gwarser commented Mar 30, 2024

Blocked/restricted. Would "Block Outsider Intrusion into LAN" list prevent this?


It's related to https://en.wikipedia.org/wiki/ANGLE_(software)

@uBlock-user
Contributor

uBlock-user commented Mar 30, 2024

needle found: CVE-2024-2883

Block via dynamic rules or use gwarser's list.

@gwarser
Contributor

gwarser commented Apr 4, 2024

Related to Pwn2Own? I see a screenshot with a local address in https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results (SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois)...), but it's probably just the sample page.

https://www.ghacks.net/2024/04/04/another-google-chrome-0-day-vulnerability-fixed-update-asap/

@marek22k

I would suggest adding IPv4 CGNAT 100.64.0.0/10 and IPv6 ULA.
