CVE-2018-6849
Published 2018-04-01
Priority P338 · medium · 4.3 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 30.14% (98.0th percentile)
In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| duckduckgo | duckduckgo | — | — |
Detection & IOCs (extracted from sources)
- Detect WebRTC STUN requests originating from a browser that expose private/RFC1918 IP addresses. The exploit triggers a STUN binding request to stun.services.mozilla.com to leak the LAN IP.
- Monitor for HTTP POST requests sent back to the attacker's server containing a raw IP address string (no form fields, just the IP in the body). This is how the Metasploit module exfiltrates the leaked LAN IP.
- Look for JavaScript in served pages that creates an RTCPeerConnection with a bogus data channel (createDataChannel("")) and calls createOffer/setLocalDescription to trigger ICE candidate gathering without user interaction, a hallmark of the IP-leak technique.
- Detect pages that parse ICE candidate lines for IP addresses using the regex pattern matching both IPv4 and IPv6, which is indicative of the webrtc-ips harvesting code.
- The Metasploit auxiliary module browser_lanipleak.rb serves a GET response with the exploit HTML and collects leaked IPs via POST. Network defenders should alert on the Metasploit module path in HTTP server logs.
- Note: the exploit specifically targets DuckDuckGo browser version 4.2.0; other browsers may also be affected by the underlying WebRTC IP-leak behaviour but are not named in this CVE.
- Note: the STUN server used in the Metasploit PoC (stun.services.mozilla.com) is a legitimate Mozilla service; blocking it network-wide may break legitimate WebRTC functionality. Detections should be scoped to the full exploit chain (bogus data channel + POST exfil) rather than STUN traffic alone.
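
One way to scope detection to the full chain described in the notes above (marker page served, then a bare private IP posted back to the same server), as an added example that is not part of the original page or of the Metasploit module. The event fields (`client`, `server`, `method`, `response_body`, `request_body`) are a hypothetical proxy-log schema, and the sample events are constructed.

```python
import ipaddress
import re

# Page-side hallmarks named in the notes: a peer connection, a data channel
# with an empty label, and an offer that starts ICE candidate gathering.
PAGE_MARKERS = [
    re.compile(r"RTCPeerConnection"),
    re.compile(r"createDataChannel\(\s*(['\"])\1\s*\)"),
    re.compile(r"createOffer|setLocalDescription"),
]

def page_has_leak_markers(body):
    return all(m.search(body) for m in PAGE_MARKERS)

def bare_private_ip(body):
    """Return the address if the body is only one private IP literal, else None."""
    try:
        addr = ipaddress.ip_address(body.strip())
    except ValueError:
        return None
    return addr if addr.is_private and not addr.is_loopback else None

def correlate(events):
    """Alert only when a client that was served a marker page POSTs a bare
    private IP back to the same server (events are in time order)."""
    served, alerts = set(), []
    for ev in events:
        key = (ev["client"], ev["server"])
        if ev["method"] == "GET" and page_has_leak_markers(ev.get("response_body", "")):
            served.add(key)
        elif ev["method"] == "POST" and key in served:
            addr = bare_private_ip(ev.get("request_body", ""))
            if addr is not None:
                alerts.append((ev["client"], ev["server"], str(addr)))
    return alerts

# Constructed sample events (hypothetical proxy-log schema, documentation IPs).
LEAK_PAGE = '<script>pc = new RTCPeerConnection(cfg); pc.createDataChannel(""); pc.createOffer(ok, err);</script>'
CHAT_PAGE = '<script>pc = new RTCPeerConnection(cfg); pc.createDataChannel("chat"); pc.createOffer(ok, err);</script>'
SAMPLE_EVENTS = [
    {"client": "203.0.113.10", "server": "198.51.100.7", "method": "GET", "response_body": LEAK_PAGE},
    {"client": "203.0.113.11", "server": "198.51.100.9", "method": "GET", "response_body": CHAT_PAGE},
    {"client": "203.0.113.10", "server": "198.51.100.7", "method": "POST", "request_body": "ip=192.168.1.23&x=1"},
    {"client": "203.0.113.10", "server": "198.51.100.7", "method": "POST", "request_body": "192.168.1.23\n"},
    {"client": "203.0.113.11", "server": "198.51.100.9", "method": "POST", "request_body": "10.0.0.5"},
    {"client": "203.0.113.10", "server": "198.51.100.7", "method": "POST", "request_body": "8.8.8.8"},
]
if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only the fourth event alerts: a form-encoded body, a public address, and a client whose page used a named data channel are all left alone, which keeps ordinary WebRTC applications out of the alert stream.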
CVSS provenance
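| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |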
No detection rules found.
Exploit-DB
WebRTC - Private IP Leakage (Metasploit)
exploitdb·2018-04-05
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Private IP Leakage to WebPage using WebRTC Function.",
'Description' => %q(
This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
),
'License' => MSF_LICENSE,
'Author' => [
'Brendan Coles', #MSF Module
'Dhiraj Mishra' #MSF Module
],
'References' => [
[ 'CVE', '2018-6849' ],
['URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']
],
'DisclosureDate' => 'Jan 26 2018',
'Acti
```
Metasploit
HTTP Client LAN IP Address Gather
metasploit
This module retrieves a browser's network interface IP addresses using WebRTC.
No writeups or analysis indexed.
- https://datarift.blogspot.com/p/private-ip-leakage-using-webrtc.html
- https://github.com/rapid7/metasploit-framework/pull/9538
- https://news.ycombinator.com/item?id=16699270
- https://voidsec.com/vpn-leak/
- https://www.exploit-db.com/exploits/44403/