Why No One Pwned Synology at Pwn2Own and TianFu Cup This Year: Analyzing Defensive Coding Techniques from a Vulnerability Researcher’s Perspective

Presented at ShmooCon 2022 Rescheduled, March 25, 2022, 11:30 a.m. (30 minutes)

From Adobe Reader to the Sonos One, vulnerability researchers hacked a jaw-dropping array of targets at this year’s Pwn2Own and TianFu Cup hacking contests. Amid the carnage, one conspicuous survivor remained un-pwned: Synology’s DiskStation Network Attached Storage (NAS) devices. As a sponsor of this year’s Pwn2Own, Synology doubled the bounty to $40000. However, while several participants successfully cracked the DiskStation DS418play in 2020, they failed to offer a working exploit for either the DS920+ or DS220J this year. Not for lack of trying–along with other aspiring participants, we discovered a handful of vulnerabilities but could not complete a remote exploit chain due to Synology’s defense-in-depth design.

We will present a technical analysis of Synology’s defensive coding techniques as observed in the latest DiskStation Manager (DSM) 7 operating system. We will demonstrate how these techniques prevented further exploitation of significant vulnerabilities and mitigated their impact. Along the way, we will update existing research about the proprietary findhostd protocol and DSM internals. Developers and defenders will take away practical lessons in secure coding and software design from Synology’s example. Finally, we will conclude with broader observations about the economics and strategy of hacking competitions.

We will open-source findhostd fuzzing templates.

Presenters:

• Loke Hui Yi
  Eugene Lim and Loke Hui Yi protect citizen data at the Government Technology Agency of Singapore. Eugene (@spaceraccoon) hacks for good–from Amazon to Zendesk, he has helped secure products globally. He recently reported remote code execution vulnerabilities in Microsoft Office and Apache OpenOffice. He discussed AI2 powered phishing at Black Hat USA and DEF CON in 2021. Hui Yi (@angelystor) is the technical lead for the product security assessment and vulnerability research team. Her claim to fame is becoming the 2nd hit on Google for “WinAFL fuzzing” and presenting on hunting application backdoors at Black Hat Asia in 2020.
• Eugene Lim
  Eugene Lim and Loke Hui Yi protect citizen data at the Government Technology Agency of Singapore. Eugene (@spaceraccoon) hacks for good–from Amazon to Zendesk, he has helped secure products globally. He recently reported remote code execution vulnerabilities in Microsoft Office and Apache OpenOffice. He discussed AI2 powered phishing at Black Hat USA and DEF CON in 2021. Hui Yi (@angelystor) is the technical lead for the product security assessment and vulnerability research team. Her claim to fame is becoming the 2nd hit on Google for “WinAFL fuzzing” and presenting on hunting application backdoors at Black Hat Asia in 2020.

Similar Presentations:

• May Contain Hackers (MCH2022) / Hacking the pandemic's most popular software: Zoom
• Black Hat USA 2019 / The Most Secure Browser? Pwning Chrome from 2016 to 2019