Full Report
Pwn2Own is a prestigious hacking competition targeting a range of devices. This entry was for the Synology TC500 camera, which runs on 32-bit ARM. The authors found a format string vulnerability in a custom print_debug_msg function that passed its input straight into vsnprintf. Because the formatted output only went to a debug log, the bug was blind. On top of that, ASLR, NX, Full RELRO and PIE were all enabled on the device, the payload was limited to 128 bytes, and it could not contain null bytes or characters below 0x1F.

Format string vulnerabilities are ridiculously powerful: the specifiers allow reading from and writing to arbitrary memory if you know what you're doing. Initially, they used the vulnerability to perform a single-byte write to a pointer to a loop variable so that it pointed somewhere else on the stack. That variable was then written with their input, so the location the data landed at could be shifted by a controlled amount, giving an effective relative out-of-bounds write primitive.

Once they had a write on the stack, they needed to build a ROP chain, and they placed it in unused stack space in the vulnerable function. With the format specifier %*X$c, a value at a specific stack offset is read and consumed as a field width, so that value ends up added to vsnprintf's internal character counter. A following %Y$c increases the count further by a value they control. Since the first value comes from the stack and the second is controlled, this effectively bypasses ASLR and PIE! Once the counter holds the desired value, %Z$n writes it onto the stack. Repeating this over and over gave them a solid ROP chain that eventually calls system(). To hijack control flow, the same relative write trick was used to overwrite the return address on the stack so that it points to the ROP chain.

Modern binary protections are not enough against capable folks like the ones at Synacktiv. Their post on the exploit path is an awesome read.
It's sad that this was patched before the competition :(
Analysis Summary
# Vulnerability: Blind Format String Exploitation in Synology Cameras
## CVE Details
- **CVE ID:** Not explicitly listed in the article (Note: This was a pre-competition discovery patched in version 1.1.3-0442).
- **CVSS Score:** N/A (Estimated Critical/High)
- **CWE:** CWE-134: Use of Externally-Controlled Format String
## Affected Systems
- **Products:** Synology TC500 and BC500 Security Cameras.
- **Versions:** Vulnerable from version `1.1.1-0383` up to (but not including) `1.1.3-0442`.
- **Configurations:** Devices running ARM 32-bit architecture with debug logging enabled (triggered via specific HTTP request parsing).
## Vulnerability Description
The flaw exists within the `print_debug_msg` function, which handles debug logging for the camera's web service. The function passes an attacker-supplied string (derived from the HTTP request URI/hostname) directly as the format argument to `mg_snprintf` (a wrapper for `vsnprintf`), instead of passing it as data under a fixed format.
The vulnerability is "blind" because the output of the format string is written to an internal debug buffer rather than returned to the attacker. Despite modern exploit mitigations including **ASLR, NX, Full RELRO, and PIE**, the use of untrusted data as the format string lets the attacker's specifiers read from and write to memory.
## Exploitation
- **Status:** PoC developed by Synacktiv; Patched prior to Pwn2Own Ireland 2024.
- **Complexity:** High (Requires bypassing multiple modern protections and operating in a blind context with a 128-byte payload limit).
- **Attack Vector:** Network (Remote via HTTP requests).
- **Constraint Factors:**
- Payload size limit: 128 bytes.
- Character restrictions: No null bytes (`0x00`) or characters below `0x1F`.
- No direct memory leaks available to the attacker.
## Impact
- **Confidentiality:** High (Ability to read stack memory and bypass ASLR/PIE).
- **Integrity:** High (Arbitrary write primitives allow for ROP chain construction and control flow hijacking).
- **Availability:** High (Potential for remote code execution leading to full system compromise).
## Remediation
### Patches
- **Synology Firmware Version 1.1.3-0442:** Users should update to this version or newer to resolve the flaw.
### Workarounds
- No specific software workarounds were provided; however, restricting network access to the camera's management interface is a standard best practice.
## Detection
- **Indicators of Compromise:** Unusual HTTP requests containing repeated format string specifiers (e.g., `%c`, `%n`, `%*X$c`, `%Z$n`).
- **Detection Methods:** Monitor web server logs for crashes in the `mg_vsnprintf` or `print_debug_msg` functions, which may indicate failed exploitation attempts.
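As an added example (constructed for this summary, not the camera firmware or Synacktiv's code), the CWE-134 shape described in the vulnerability section next to its fixed form, plus a small specifier counter of the kind the detection section suggests; the function names, the `request:` prefix and the sample inputs are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CWE-134 pattern; not the camera's code. */
static char debug_buf[256];

/* Vulnerable shape: caller-supplied text is used as the format string,
 * so every '%' in it is interpreted by vsnprintf. */
static const char *print_debug_msg_vuln(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(debug_buf, sizeof debug_buf, fmt, ap);
    va_end(ap);
    return debug_buf;
}

/* Hardened shape: fixed format, untrusted text passed only as a %s argument. */
static const char *print_debug_msg_safe(const char *user_text)
{
    snprintf(debug_buf, sizeof debug_buf, "request: %s", user_text);
    return debug_buf;
}

/* Count conversion specifiers in untrusted text and flag any %n. Real URIs
 * and Host headers carry none; a run of them, or any %n, is worth logging. */
static int scan_format(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* literal percent */
        count++;
        /* step over flags, width ('*'), precision and positional '$' */
        while (p[1] && strchr("0123456789$*.-+ #hlLqjzt", p[1])) p++;
        if (p[1] == 'n') *has_n = 1;
    }
    return count;
}

int count_format_specifiers(const char *s) { int n; return scan_format(s, &n); }
int has_n_specifier(const char *s) { int n; scan_format(s, &n); return n; }
```

With the input `a%%b`, the vulnerable form logs `a%b` (the percent was interpreted) while the fixed form logs the text verbatim; that difference is the whole bug class.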
## References
- **Vendor Advisory:** hXXps[:]//www[.]synology[.]com/en-global/releaseNote/TC500#1[.]1[.]3-0442
- **Synacktiv Technical Analysis:** hXXps[:]//www[.]synacktiv[.]com/en/publications/exploiting-a-blind-format-string-vulnerability-in-modern-binaries-a-case-study-from