Presented at DEF CON 33 (2025), Aug. 8, 2025, 2 p.m. (45 minutes).
Network Attached Storage (NAS) devices are indispensable in many corporate and home environments. These devices often live on the network edge, providing convenient remote access to confidential files and internal networks from the public internet. What happens when this goes terribly wrong?
In this presentation, I’ll discuss how I developed a zero-day exploit targeting dozens of Synology NAS products. At the time of discovery, the exploit facilitated unauthenticated root-level remote code execution on millions of NAS devices in the default configuration. My exploitation strategy centered around smuggling different types of delimiters that targeted multiple software components.
In the past, exploitation of the vulnerability’s bug class demanded additional primitives that weren’t available on my targets. While searching for alternative paths, I discovered a novel remote Linux exploitation technique. I’ll be presenting this technique, which can be used in other researchers’ exploit chains in the future. For the first time in public, I’ll also be discussing the details of my Synology vulnerability research, which won a $40,000 prize at the October 2024 Pwn2Own competition.
References:
I referenced these previous Synology offensive publications during my research:
- Claroty Team82, "A Pain in the NAS: Exploiting Cloud Connectivity to Pwn Your NAS (Synology DS920 Edition)": https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition
- DEVCORE, "Your NAS is not your NAS" (2022-03-28): https://devco.re/blog/2022/03/28/your-NAS-is-not-your-NAS-en/
Presenters:
- Ryan Emmons
Ryan Emmons is a Security Researcher on the Emergent Threat Response team at Rapid7. His work centers around n-day analysis of new vulnerabilities and zero-day research, primarily focused on network edge devices. Ryan enjoys attacking hardened targets and finding interesting bugs. He has disclosed vulnerabilities to major vendors like Oracle and Microsoft, and he recently competed at the 2024 Pwn2Own Ireland competition, where he won a $40,000 prize. In addition to vulnerability research, Ryan likes to participate in CTF competitions and compose music.