Tuesday, March 6, 2018

New Domain, Same Quality TLDR Posts

Figure I might try to dip my toe in the water when it comes to the whole domain and website thing. Additionally, I'm thinking of hosting some obscure game servers at some point in the future to play a quick round with bots, or with the crew back in the office for a LAN party we randomly spin up.

Come along and join the adventure I'd like to call "How expensive can this get?".

Get ready to take a dip and a spin into the world of cloud based hosting.
This should be fun, also HTTPS everywhere.
https://thegh0stship.com

Monday, January 8, 2018

Dear Diary - It's barely 2018 and skeletons are aplenty...




Excited to see how this Spectre and Meltdown patch madness will pan out, $10 says an engineer somewhere finger flubs something, then the debugger doesn't catch it and pushes to production distribution.

Meanwhile, still waiting on meaningful exploit code beyond telling me that I'm either vulnerable or not.

In other news, will be trying to post more here. Life is hard, but add in blog stuff on top of that, work and family and you probably have a better idea of my life than I do myself.

Expect more content, I have tons written up for consuming, but need to sort through all the garbage that is my internal monologue dictating narration in them.

That and the non-stop quest to not rehash or regurgitate others' works. Once it's been done, there is no other point to doing it.

Discovery and the unknown are my two favorite friends, meanwhile chaos and curiosity continue to be my low key friends. We'll explore all the closets I've encountered (minus NDA ones), and hopefully provide something of value to the next person.

Unless you call yourself someone's "right hand person", you can stop right there...

Friday, January 5, 2018

CVE-2017-9554 - Synology DSM User Enumeration - Unspecified Vector... Yea Right...

Previously this was identified by the developer, and the disclosure states that it is possible to enumerate usernames via forget_passwd.cgi "via unspecified vectors".

Haven't identified any other disclosures that actually identified the attack vector, so I figure it would be helpful to someone else.

CVE-2017-9554

Per the CVE:

"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."

Well then... Here you go, cracked the code and figured it out.

https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX

Where XXX should be your injection point for username lists.

Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from its passwd file or not, but there you go.

***Update***

This is now published within ExploitDB

https://www.exploit-db.com/exploits/43455/
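
For defenders, the request pattern described above is easy to spot in web access logs. The following is an added example, not code from the original post or from Synology: it flags clients that query forget_passwd.cgi with many distinct `user` values. The combined-style log format, the threshold of 5 and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed combined-log-style line: client IP first, request line in quotes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
ENDPOINT = "/webman/forget_passwd.cgi"  # path taken from the post
THRESHOLD = 5  # assumed: distinct usernames per client before flagging


def find_enumeration(lines, threshold=THRESHOLD):
    """Return {client_ip: sorted usernames} for clients probing many distinct users."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # Case-fold so "Admin" and "admin" count as one probed name.
        for user in parse_qs(url.query, keep_blank_values=True).get("user", []):
            seen[m.group("ip")].add(user.lower())
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= threshold}


# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Jan/2018:10:00:0{i} +0000] "GET {ENDPOINT}?user={u} HTTP/1.1" 200 31'
    for i, u in enumerate(["admin", "administrator", "root", "nobody", "ftp", "Admin"])
] + [
    '198.51.100.20 - - [05/Jan/2018:10:05:00 +0000] "GET /webman/forget_passwd.cgi?user=alice HTTP/1.1" 200 31',
    '198.51.100.20 - - [05/Jan/2018:10:05:09 +0000] "GET /webman/index.cgi HTTP/1.1" 200 5120',
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for ip, users in find_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {len(users)} distinct users: {users}")
```

A single forgotten-password request is normal; the signal is one client cycling through many names. Per the CVE text quoted above, the issue affects DSM before 6.1.3-15152, so updating removes the exposure the detector is watching for.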