Block access to 127.0.0.1/localhost and LAN address from the internet

[SARG04]

Hello I suggest blocking all websites on the internet from accessing local resources (localhost/router IP) to prevent the easy exploitation of security vulnerabilitys.

There are many software packages which are running a web server on localhost and if they are not secure they can be attacked from any website. The last bigger issue of this kinde is "logitech Options"
https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

I use Dynamic filtering for some time to block all addresses relevant in my network:

* 127.0.0.1 * block
127.0.0.1 127.0.0.1 * allow
* localhost * block
localhost localhost * allow
* 192.168.0.1 * block
192.168.0.1 192.168.0.1 * allow
* speedport.ip * block
speedport.ip speedport.ip * allow
* 192.168.0.10 * block
192.168.0.10 192.168.0.10 * allow
.....

So I prevent other sites from interactions with servers which are running on my system or my router.

But there are some "legitimate" sites which are using access to a local server e.g. Intel Driver update:
https://www.intel.de/content/www/de/de/support/intel-driver-support-assistant.html

So Dynamic filtering is not the best for a general solution.
So a filter list with the possibility of overwriting some site would be better solution.

I don't know the syntax for filter lists sorry therefore no finished list.

I would suggest blocking external access to Private IP addresses and known router host names:
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

router host names (which work even if the user changes the router IP)
speedport.ip, congstar.box, fritz.box, routerlogin.com, routerlogin.net, samsung.router, easy.box, arcor.easybox

[mapx-]

@gwarser What do you think about this request ?

[okiehsch]

I suggest blocking all websites on the internet from accessing local resources (localhost/router IP)

I do not see how this is possible without also blocking the local access of the router via one's browser.

uBO does not support syntax for IP subnets. This will need to be regular expression filter.

!---------
! https://en.wikipedia.org/wiki/Private_network
/^https?://10(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
! http://gamon.webfactional.com/regexnumericrangegenerator/
! http://www.analyticsmarket.com/freetools/ipregex
! 172.16.0.0 – 172.31.255.255
/^https?://172\.(?:1[6-9]|2[0-9]|3[01])(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
/^https?://192\.168(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
!---------
! https://en.wikipedia.org/wiki/Localhost
/^https?://127(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
||::1^$third-party
||localhost^$third-party
!---------
||arcor.easybox^$third-party
||congstar.box^$third-party
||easy.box^$third-party
||fritz.box^$third-party
||hi.link^$third-party
||routerlogin.com^$third-party
||routerlogin.net^$third-party
||samsung.router^$third-party
||speedport.ip^$third-party

And IPv6, and more custom domains. And websockets?

---

And hope for browsers to normalize to https://en.wikipedia.org/wiki/Dot-decimal_notation and not binary/octa/hexa.

---

https://duckduckgo.com/?q=IP+range+regex&t=ffsb&ia=web

---

Userinfo: http://foobar@localhost:8080/

---

https://github.com/gwarser/filter-lists/blob/master/lan-block.txt can be enabled in uBO selection of filter lists.

[okiehsch]

Would blocking third-party requests really prevent "websites on the internet from accessing local resources", which probably means a successfull DNS Rebinding Attack or some other hack has occurred?

Something can be accessed. I can include image from my 3g modem in webpages. Can be used for tracking/fingerprinting.

[uBlock-user]

Best is to block this via Dynamic Rules. Use cases for this is like few needles in a haystack.

[js290]

Best is to block this via Dynamic Rules. Use cases for this is like few needles in a haystack.

needle found: CVE-2024-2883

Blocked/restricted. Would "Block Outsider Intrusion into LAN" list prevent this?

---

It's related to https://en.wikipedia.org/wiki/ANGLE_(software)

[uBlock-user]

needle found: CVE-2024-2883

Block via dynamic rules or use gwarser's list.

Related to Pwn2Own? I see a screenshot with local address in https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results (SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois)...), but it's just probably only the sample page.

https://www.ghacks.net/2024/04/04/another-google-chrome-0-day-vulnerability-fixed-update-asap/