Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration

🗓️ 08 Jan 2018 00:00:00Reported by Steve KaunType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 127 Views

Synology DiskStation Manager (DSM) before 6.1.3-15152 'forget_passwd.cgi' User Enumeration via Unspecified Vector

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Synology DiskStation Manager (DSM) < 6.1.3-15152 - forget_passwd.cgi User Enumeration
8 Jan 201800:00
zdt
ATTACKERKB		CVE-2017-9554
24 Jul 201700:00
attackerkb
Circl		CVE-2017-9554
21 May 202021:48
circl
CNVD		Synology DiskStation Manager (DSM) Information Disclosure Vulnerability
25 Jul 201700:00
cnvd
CVE		CVE-2017-9554
24 Jul 201720:00
cve
Cvelist		CVE-2017-9554
24 Jul 201720:00
cvelist
exploitpack		Synology DiskStation Manager (DSM) 6.1.3-15152 - forget_passwd.cgi User Enumeration
8 Jan 201800:00
exploitpack
Metasploit		Synology Forget Password User Enumeration Scanner
21 May 202012:10
metasploit
NVD		CVE-2017-9554
24 Jul 201720:29
nvd
OpenVAS		Synology DiskStation Manager (DSM) Multiple Vulnerabilities (Synology-SA-17:29) - Active Check
31 Jul 201800:00
openvas
Rows per page
# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration 
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554

Previously this was identified by the developer and the disclosure states "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi

Haven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.


"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."

Well then... Here you go, cracked the code and figured it out.

https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX

Where XXX should be your injection point for username lists.

Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from it's passwd file or not, but there you go.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2018 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 25
CVSS 35.3
EPSS0.57867
synology diskstation managerforget_passwd.cgiuser enumerationunspecified vectorsinformation exposure vulnerabilitycve-2017-9554remote attackersusername enumeration
127