Dear Diary – It’s barely 2018 and skeletons are aplenty…

Excited to see how this Spectre and Meltdown patch madness will pan out, $10 says an engineer somewhere finger flubs something, then the debugger doesn’t catch it and pushes to production distribution.

Meanwhile, still waiting on meaningful exploit code beyond telling me that I’m either vulnerable or not.

In other news, I will be trying to post more here. Life is hard, but add blog stuff on top of that, plus work and family, and you probably have a better idea of my life than I do myself.

Expect more content; I have tons written up for consumption, but I need to sort through all the garbage that is my internal monologue dictating the narration in them.

That, and the non-stop quest to not rehash or regurgitate others’ work. Once it’s been done, there is no point in doing it again.

Discovery and the unknown are my two favorite friends, while chaos and curiosity continue to be my low-key friends. We’ll explore all the closets I’ve encountered (minus the NDA ones), and hopefully provide something of value to the next person.

Unless you call yourself someone’s “right-hand person”, you can stop right there…

CVE-2017-9554 – Synology DSM User Enumeration – Unspecified Vector… Yea Right…

This was previously identified by the developer, and the disclosure states only that it is possible to enumerate usernames via forget_passwd.cgi “via unspecified vectors”.

I haven’t found any other disclosures that actually identify the attack vector, so I figure it would be helpful to someone else.

CVE-2017-9554

Per the CVE:

“An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.”

Well then… Here you go, cracked the code and figured it out.

https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX

Where XXX is your injection point for username lists.

Several usernames I’ve found are admin, administrator, root, nobody, ftp, and more. I’m unsure of whether Synology is pulling these entries from its passwd file or not, but there you go.
***Update***
This is now published within ExploitDB:

https://www.exploit-db.com/exploits/43455/
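Now that the vector is public, the defender’s question is whether anyone is already walking a username list against a DSM box. The following is an added example, not code from this post, from Synology or from the ExploitDB entry: it parses combined-format access-log lines (constructed sample input below) and flags any client that has probed forget_passwd.cgi with several distinct user values. The log layout, the /webman/forget_passwd.cgi path match and the threshold of three usernames are assumptions; DSM’s own log format may differ.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log style (not real DSM logs).
# 203.0.113.7 walks a username list against forget_passwd.cgi; 198.51.100.9
# makes one ordinary password-reset request and then loads another page.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2018:10:00:01 +0000] "GET /webman/forget_passwd.cgi?user=admin HTTP/1.1" 200 87
203.0.113.7 - - [05/Jan/2018:10:00:02 +0000] "GET /webman/forget_passwd.cgi?user=administrator HTTP/1.1" 200 87
203.0.113.7 - - [05/Jan/2018:10:00:03 +0000] "GET /webman/forget_passwd.cgi?user=root HTTP/1.1" 200 87
203.0.113.7 - - [05/Jan/2018:10:00:04 +0000] "GET /webman/forget_passwd.cgi?user=nobody HTTP/1.1" 200 87
203.0.113.7 - - [05/Jan/2018:10:00:05 +0000] "GET /webman/forget_passwd.cgi?user=ftp HTTP/1.1" 200 87
198.51.100.9 - - [05/Jan/2018:10:02:10 +0000] "GET /webman/forget_passwd.cgi?user=alice HTTP/1.1" 200 87
198.51.100.9 - - [05/Jan/2018:10:03:00 +0000] "GET /webman/index.cgi HTTP/1.1" 200 1040
"""

# Client IP, timestamp, method, request target and status from one combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (client_ip, request_target), or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("target")

def forget_passwd_users(lines):
    """Map each client IP to the set of distinct ?user= values it sent to forget_passwd.cgi."""
    users_by_ip = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed or truncated lines instead of crashing
            continue
        ip, target = parsed
        parts = urlsplit(target)
        if not parts.path.endswith("/webman/forget_passwd.cgi"):
            continue
        for user in parse_qs(parts.query).get("user", []):
            users_by_ip[ip].add(user)
    return users_by_ip

def enumeration_suspects(lines, threshold=3):
    """Clients that probed at least `threshold` distinct usernames (threshold is an assumed tuning value)."""
    return {ip: sorted(users) for ip, users in forget_passwd_users(lines).items() if len(users) >= threshold}

if __name__ == "__main__":
    for ip, users in enumeration_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(users)} distinct usernames probed via forget_passwd.cgi: {', '.join(users)}")
```

A single reset request from one client is normal and stays below the threshold; the same path hit with many different user values from one source is the enumeration pattern worth alerting on.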