CVE-2018-6849
published 2018-04-01


Priority: P338 · medium · 4.3 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 30.14% (98.0th percentile)
In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.

Affected

1 range
Vendor | Product | Version range | Fixed in
duckduckgo | duckduckgo | |

Detection & IOCs (extracted from sources)

url: https://ip.voidsec.com
domain: stun.services.mozilla.com
  • Detect WebRTC STUN requests originating from a browser that expose private/RFC1918 IP addresses — the exploit triggers a STUN binding request to stun.services.mozilla.com to leak the LAN IP.
  • Monitor for HTTP POST requests sent back to the attacker's server containing a raw IP address string (no form fields, just the IP in the body) — this is how the Metasploit module exfiltrates the leaked LAN IP.
  • Look for JavaScript in served pages that creates an RTCPeerConnection with a bogus data channel (createDataChannel("")) and calls createOffer/setLocalDescription to trigger ICE candidate gathering without user interaction — a hallmark of the IP-leak technique.
  • Detect pages that parse ICE candidate lines for IP addresses using the regex pattern matching both IPv4 and IPv6 — indicative of the webrtc-ips harvesting code.
  • The Metasploit auxiliary module browser_lanipleak.rb serves a GET response with the exploit HTML and collects leaked IPs via POST — network defenders should alert on the Metasploit module path in HTTP server logs.
  • The exploit specifically targets DuckDuckGo browser version 4.2.0; other browsers may also be affected by the underlying WebRTC IP-leak behaviour but are not named in this CVE.
  • The STUN server used in the Metasploit PoC (stun.services.mozilla.com) is a legitimate Mozilla service; blocking it network-wide may break legitimate WebRTC functionality. Detections should be scoped to the full exploit chain (bogus data channel + POST exfil) rather than STUN traffic alone.
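
One way to implement the chain-scoped detection recommended in the last note, as an added example (not code from this page or from the Metasploit module): a client is flagged only when it was served a page carrying the RTCPeerConnection, empty createDataChannel, createOffer and setLocalDescription markers and then POSTs a bare private IP to the same host. The event record fields, function names and sample events are constructed assumptions.

```python
import ipaddress
import re

# Script markers taken from the detection notes above (heuristic, not a signature).
MARKERS = {
    "peer_connection": re.compile(r"\b(?:webkit|moz)?RTCPeerConnection\b"),
    "bogus_data_channel": re.compile(r"createDataChannel\(\s*(['\"])\1"),
    "create_offer": re.compile(r"\bcreateOffer\s*\("),
    "set_local_description": re.compile(r"\bsetLocalDescription\s*\("),
}

def page_markers(html):
    """Names of the markers present in a served page body."""
    return {name for name, rx in MARKERS.items() if rx.search(html)}

def is_bare_private_ip(body):
    """True when a POST body is only a private (non-loopback) IP address."""
    try:
        addr = ipaddress.ip_address(body.strip())
    except ValueError:
        return False
    return addr.is_private and not addr.is_loopback

def correlate(events):
    """Flag clients that received a page carrying every marker and then POSTed
    a bare private IP to the same host. 'body' is the response body for GET
    events and the request body for POST events (hypothetical record layout)."""
    primed, alerts = set(), []
    for ev in events:  # events are assumed to be in time order
        key = (ev["client"], ev["host"])
        if ev["method"] == "GET" and page_markers(ev["body"]) == set(MARKERS):
            primed.add(key)
        elif ev["method"] == "POST" and key in primed and is_bare_private_ip(ev["body"]):
            alerts.append(key + (ev["body"].strip(),))
    return alerts

# Constructed sample events (proxy-log style records; not from the page).
SAMPLE_EVENTS = [
    {"client": "203.0.113.7", "host": "site-a.example", "method": "GET",
     "body": '<script>var pc=new RTCPeerConnection(cfg);pc.createDataChannel("");'
             'pc.createOffer(function(o){pc.setLocalDescription(o)},fail);</script>'},
    {"client": "203.0.113.7", "host": "site-a.example", "method": "POST", "body": "192.168.1.23"},
    {"client": "203.0.113.9", "host": "site-b.example", "method": "POST", "body": "10.0.0.5"},
    {"client": "203.0.113.7", "host": "site-a.example", "method": "POST", "body": "ip=192.168.1.23"},
]

if __name__ == "__main__":
    for client, host, leaked in correlate(SAMPLE_EVENTS):
        print(f"ALERT {client} -> {host}: LAN address {leaked} sent in POST body")
```

The POST from 203.0.113.9 and the form-encoded POST are not flagged: the first has no preceding marker page, the second is not a bare address.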

CVSS provenance

nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N