
Security Researcher Presents Zero-Day Vulnerability in Synology NAS Devices
Ryan Emmens, a security researcher at Rapid7, presents a zero-day vulnerability he discovered in Synology NAS devices and exploited during the Pwn2Own Ireland contest in 2023 to win a prize of $40,000. The vulnerability requires no authentication and targets Synology DSM, the proprietary Linux-based operating system used by approximately 1 million publicly exposed devices. The attack relies on a delimiter injection into environment variables during the login process via the DSM web API, which allows arbitrary files to be written with partial control over their content. By combining LD_DEBUG and LD_DEBUG_OUTPUT, the exploit bypasses restrictions to inject a malicious cron job, resulting in remote code execution (RCE) as root. The demonstration shows a reverse shell obtained by copy-pasting a payload into the username field of the login form. The tools used include BPFtrace, inotify, and browser extensions such as Vue DevTools to bypass client-side encryption. The vulnerability affects the default configurations of Synology devices, particularly the DS124 and BeeStation models.
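A file written through LD_DEBUG_OUTPUT has a recognizable shape that defenders can hunt for: glibc's dynamic loader names the file `<path>.<pid>` and starts every debug line with that PID, a colon and a tab. The Python script below is an added example, not code from the talk, Rapid7 or Synology; it scans directories for files containing such lines, and the directory layout, file names and sample lines in `demo()` are constructed assumptions.

```python
import os
import re
import tempfile

# glibc's ld.so starts every LD_DEBUG line with the right-aligned PID, ':' and a tab.
LD_DEBUG_LINE = re.compile(r"^\s*(\d+):\t")
# With LD_DEBUG_OUTPUT=<path>, glibc writes its output to "<path>.<pid>".
PID_SUFFIX = re.compile(r"\.(\d+)$")

def score_file(path, max_bytes=65536):
    """Return (debug_line_count, pid_suffix_matches) for one file."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="replace")
    pids = [m.group(1) for m in map(LD_DEBUG_LINE.match, text.splitlines()) if m]
    suffix = PID_SUFFIX.search(os.path.basename(path))
    return len(pids), bool(suffix and suffix.group(1) in pids)

def scan(dirs):
    """List files under dirs that contain at least one ld.so debug line."""
    findings = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in sorted(files):
                path = os.path.join(root, name)
                try:
                    hits, suffix_ok = score_file(path)
                except OSError:
                    continue  # unreadable or vanished file
                if hits:
                    findings.append((path, hits, suffix_ok))
    return findings

def demo():
    """Run the scan over a constructed directory (sample data, not real output)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "backup"), "w") as fh:
            fh.write("0 3 * * * root /usr/local/bin/backup.sh\n")
        with open(os.path.join(d, "job.4242"), "w") as fh:
            fh.write("      4242:\tfind library=libc.so.6 [0]; searching\n"
                     "      4242:\t search cache=/etc/ld.so.cache\n")
        return [(os.path.basename(p), h, s) for p, h, s in scan([d])]

if __name__ == "__main__":
    for name, hits, suffix_ok in demo():
        print(f"{name}: {hits} ld.so debug line(s), pid suffix match={suffix_ok}")
```

On a real system, pass `scan()` the directories the local cron daemon reads; any hit there is anomalous, since loader debug output has no legitimate reason to appear in a scheduled-job directory.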