Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration - exploit.company
header-logo
Suggest Exploit
vendor:
DiskStation Manager (DSM)
by:
Steve Kaun
5.3
CVSS
MEDIUM
User Enumeration
200
CWE
Product Name: DiskStation Manager (DSM)
Affected Version From: Before 6.1.3-15152
Affected Version To: 6.1.3-15152
Patch Exists: YES
Related CWE: CVE-2017-9554
CPE: a:synology:diskstation_manager
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. This can be done by sending a request to the forget_passwd.cgi page with a username as a parameter.

Mitigation:

Upgrade to the latest version of Synology DiskStation Manager (DSM) 6.1.3-15152 or later.
Source

Exploit-DB raw data:

# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration 
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554

Previously this was identified by the developer and the disclosure states "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi

Haven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.


"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."

Well then... Here you go, cracked the code and figured it out.

https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX

Where XXX should be your injection point for username lists.

Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from it's passwd file or not, but there you go.

Navigation

Suggest Exploit

Services By CQR

cqrsecured