Full Report
Pwn2Own is a hacking competition with fairly large prizes. In 2023 nobody managed to compromise the Synology DiskStation target, so for 2024 the organizers added a few non-default but first-party packages to the scope. Packages are add-ons that can be installed on the device. One of the packages the researchers analyzed was the Replication Service: it runs with root privileges and is easy to reach from the outside world. Its daemon, synobtrfsreplicad, listens on TCP port 5566. The daemon is a plain forking server that accepts connections from remote clients in a loop and hands each one to a child process. Each request consists of a header (cmd, sequence, length) followed by the data section. If the length field is larger than 0x10000, the command-receiving function is supposed to return an error. However, the error handling is wrong: the code returns the stale error value from a previous function call (0, i.e. success) instead of setting a real error code, so the error is silently ignored. Directly after that error check comes a null-byte write into a buffer indexed by the packet's length field. That gives a relative write to anywhere past the buffer, but only of a single null byte. This really does look like a CTF challenge!
The device has all the usual mitigations enabled, so this was going to be tricky. To break ASLR, they abused two key properties: the daemon forks, so every child reuses the same address-space layout as the parent, and a crash in one child has no effect on the rest of the service. Instead of brute forcing the layout outright, they do some crazy pointer shenanigans to build oracles that leak the offsets. This part is worth a read :) Using the null-byte primitive, they corrupt a heap pointer stored in the .bss section. Since they control where that pointer points and can force it to be freed, they can corrupt the freed chunk and apply tcache poisoning. Now they can put arbitrary addresses on the tcache free list, which gives them an arbitrary write primitive.
With the arbitrary write, they overwrote the GOT entry for delete with the address of system. The next time delete is called on attacker-controlled data, system runs that data as a shell command instead. This gives them RCE on the box! The patch was simply to return 1 instead of the stale 0. Nice!
Analysis Summary
# Vulnerability: Remote Code Execution in Synology Replication Service via Null-Byte Write
## CVE Details
- **CVE ID:** CVE-2024-10442
- **CVSS Score:** 10.0 (Critical - *per ZDI-25-208*)
- **CWE:** CWE-252 (Unchecked Return Value) / CWE-193 (Off-by-one Error)
## Affected Systems
- **Products:** Synology DiskStation Manager (DSM)
- **Versions:** Affected versions prior to the November 2024 security updates.
- **Configurations:** Systems with the **Replication Service** package installed (often installed as a dependency for *Virtual Machine Manager* or *Snapshot Replication*).
## Vulnerability Description
The flaw exists within the `synobtrfsreplicad` service, which listens by default on TCP port 5566. The service uses a custom binary protocol to process commands.
In the `recvCmd` function, the service validates the length of incoming data packets. If a packet's length field exceeds `0x10000` bytes, the function is intended to return an error. However, due to a coding error, it returns the `err` variable as it was left by the previous, successful call (0) instead of a non-zero error code, so the caller treats the oversized packet as valid and keeps processing it (CWE-252).
Immediately after this check, the service executes `g_cmd.data[g_cmd.header.len] = 0`. Because the length check does not stop processing, an attacker-chosen `len` turns this into a **null-byte write at an arbitrary offset** past the end of `g_cmd.data`, reaching other variables in `.bss`.
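To make the failure mode concrete, here is a constructed C model of the `recvCmd` length check and the null-byte write that the Full Report and the description above walk through. It is added for this write-up and is not `synobtrfsreplicad`'s code: the 12-byte little-endian header layout, placing the terminator write in the caller rather than inside `recvCmd`, the exact position of a heap pointer after `g_cmd` in `.bss`, and a little-endian CPU are all assumptions. The `fixed` flag switches between the buggy return of the stale `err` and the patched non-zero return, and the demo shows the same oversized header either zeroing the low byte of the planted heap pointer or being rejected.

```c
/* Constructed model of the recvCmd bug (added example, not the daemon's code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA 0x10000   /* size of g_cmd.data in this model */

/* Assumed wire header: three little-endian 32-bit fields, 12 bytes total. */
struct cmd_header { uint32_t cmd, seq, len; };

struct cmd {
    struct cmd_header header;
    uint8_t data[MAX_DATA];
};

/* Model of the daemon's .bss: g_cmd followed by a heap pointer of the kind the
 * exploit corrupts.  The layout and spacing are assumptions. */
struct bss_model {
    struct cmd cmd;
    uint64_t heap_ptr;
};
static union { struct bss_model m; uint8_t bytes[sizeof(struct bss_model)]; } g_bss;

#define DATA_OFF     (offsetof(struct bss_model, cmd) + offsetof(struct cmd, data))
#define HEAP_PTR_OFF offsetof(struct bss_model, heap_ptr)

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Stand-in for the header read that precedes the length check: 0 on success, -1 if short. */
static int recv_header(const uint8_t *pkt, size_t pkt_len, struct cmd_header *h) {
    if (pkt_len < sizeof *h) return -1;
    h->cmd = rd32(pkt); h->seq = rd32(pkt + 4); h->len = rd32(pkt + 8);
    return 0;
}

/* Model of recvCmd.  fixed=0 reproduces the bug, fixed=1 the patch.
 * Returns 0 when the caller may go on processing the command, non-zero on error. */
static int recv_cmd(const uint8_t *pkt, size_t pkt_len, int fixed) {
    int err = recv_header(pkt, pkt_len, &g_bss.m.cmd.header);
    if (err) return err;
    if (g_bss.m.cmd.header.len > MAX_DATA) {
        if (fixed) return 1;   /* patched: a real, non-zero error code */
        return err;            /* bug: err still holds the 0 that recv_header returned */
    }
    size_t n = pkt_len - sizeof(struct cmd_header);   /* data bytes actually present */
    if (n > g_bss.m.cmd.header.len) n = g_bss.m.cmd.header.len;
    memcpy(g_bss.m.cmd.data, pkt + sizeof(struct cmd_header), n);
    return 0;
}

/* Model of the caller: trusts recv_cmd's verdict, then NUL-terminates the data
 * (g_cmd.data[g_cmd.header.len] = 0).  Returns 1 if the command went on to
 * processing, 0 if it was rejected, -1 if the demo-only guard tripped. */
int handle_request(const uint8_t *pkt, size_t pkt_len, int fixed) {
    if (recv_cmd(pkt, pkt_len, fixed) != 0) return 0;
    size_t off = DATA_OFF + (size_t)g_bss.m.cmd.header.len;
    if (off >= sizeof g_bss.bytes) return -1;   /* keeps the model in its arena; the daemon has no such guard */
    g_bss.bytes[off] = 0;                       /* the null-byte write, at an attacker-chosen offset */
    return 1;
}

/* Build a constructed request: header then data.  len is set independently of
 * data_len so an oversized length can be claimed with no data at all. */
size_t build_packet(uint8_t *out, uint32_t cmd, uint32_t seq, uint32_t len,
                    const uint8_t *data, size_t data_len) {
    wr32(out, cmd); wr32(out + 4, seq); wr32(out + 8, len);
    if (data_len) memcpy(out + 12, data, data_len);
    return 12 + data_len;
}

/* Plant a recognisable heap pointer in .bss, claim a len that lands exactly on
 * its low byte (little-endian assumed), and return the pointer afterwards. */
uint64_t demo_corrupt_heap_ptr(int fixed) {
    uint8_t pkt[16];
    g_bss.m.heap_ptr = 0x55555555a2f0ULL;
    size_t n = build_packet(pkt, 1, 1, (uint32_t)(HEAP_PTR_OFF - DATA_OFF), NULL, 0);
    handle_request(pkt, n, fixed);
    return g_bss.m.heap_ptr;
}

/* A well-formed 4-byte request is accepted, copied and terminated in place in both modes. */
int demo_benign_request(int fixed) {
    uint8_t pkt[32];
    const uint8_t d[4] = { 'a', 'b', 'c', 'd' };
    g_bss.m.cmd.data[4] = 'X';   /* stale byte the terminator write must clear */
    size_t n = build_packet(pkt, 2, 7, 4, d, 4);
    if (handle_request(pkt, n, fixed) != 1) return 0;
    return memcmp(g_bss.m.cmd.data, "abcd", 5) == 0;
}

int main(void) {
    printf("vulnerable: heap_ptr = 0x%llx\n", (unsigned long long)demo_corrupt_heap_ptr(0));
    printf("patched:    heap_ptr = 0x%llx\n", (unsigned long long)demo_corrupt_heap_ptr(1));
    return 0;
}
```

In the buggy mode the oversized header is accepted and the planted pointer `0x55555555a2f0` becomes `0x55555555a200`: the low byte is zeroed, which is exactly the kind of pointer corruption the exploit goes on to turn into a controlled free. In the patched mode `recv_cmd` returns a real error, the caller drops the request, and the pointer is untouched. The demo-only guard in `handle_request` exists so the model never writes outside its own arena; the real daemon has nothing comparable, which is why any `len` the attacker chooses is reachable.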
## Exploitation
- **Status:** PoC available (exploited successfully at Pwn2Own Ireland 2024).
- **Complexity:** High (requires bypassing ASLR via crash-based pointer oracles and performing glibc tcache poisoning).
- **Attack Vector:** Network (Remote).
- **Mechanism:**
1. **ASLR Bypass:** Exploits the fact that `synobtrfsreplicad` forks a child per connection, so every child shares the parent's memory layout and a child crash does not take down the service; this is used to build an "oracle" that leaks address offsets from crash/no-crash behavior.
2. **Tcache Poisoning:** Uses the null-byte write to corrupt a heap pointer stored in `.bss`, then forces the corrupted chunk to be freed and poisons the glibc tcache free list, yielding an arbitrary write primitive.
3. **RCE:** Overwrites the Global Offset Table (GOT) entry for `delete` with the address of `system()`, so the next call through that entry runs attacker-controlled data as a shell command.
## Impact
- **Confidentiality:** Total (Full access to files and system data).
- **Integrity:** Total (Attacker gains root-level execution).
- **Availability:** Total (Attacker can crash or wipe the device).
## Remediation
### Patches
- **Synology Replication Service:** Update to version 1.3.3-0453, 1.2.3-0253, or later as per Synology Advisory SA_24_22.
- **DSM:** Ensure DiskStation Manager is updated to the latest available version to receive package dependencies.
### Workarounds
- **Strict Firewalling:** Restrict access to TCP port 5566 to trusted IP addresses only.
- **Disable Service:** If Replication Service or Snapshot Replication is not required, uninstall the package via the Package Center.
## Detection
- **Indicators of Compromise:** Repeated segfaults of `synobtrfsreplicad` child processes (the parent keeps serving, so the daemon itself stays up and the crashes are easy to miss), or unexpected outgoing network connections from the NAS.
- **Detection Methods:** Monitor for large volumes of connection attempts to TCP port 5566 from a single source, which may indicate an ASLR brute-force/oracle attack; connections to that port from anything other than a known replication peer warrant investigation.
## References
- **Vendor Advisory:** [https://www.synology.com/en-global/security/advisory/Synology_SA_24_22](https://www.synology.com/en-global/security/advisory/Synology_SA_24_22)
- **ZDI Advisory:** [https://www.zerodayinitiative.com/advisories/ZDI-25-208/](https://www.zerodayinitiative.com/advisories/ZDI-25-208/)
- **Exploit Analysis:** [https://blog.ret2.io/2025/04/23/pwn2own-soho-2024-diskstation/](https://blog.ret2.io/2025/04/23/pwn2own-soho-2024-diskstation/)