DEF CON

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon

Ryan Emmens presented at DEF CON 33 a case study on discovering and weaponising an unauthenticated vulnerability in Synology’s DiskStation Manager (DSM) operating system, culminating in a $40,000 Pwn2Own win. By instrumenting the login flow with eBPF tracing and inotify, he uncovered a chain of three CGI‑based processes that write attacker‑controlled data to transient files and inject it as environment variables for a privileged root process. This allowed remote code execution without prior authentication or man‑in‑the‑middle positioning. The research also highlighted Synology’s custom client‑side RSA/AES encryption that obscures login credentials, and demonstrated how Vue.js developer extensions can force the web UI into a debuggable state, bypassing the encryption hurdle and enabling payload injection. With roughly one million public‑facing NAS units, the flaw presents a massive attack surface; organizations must update DSM, disable unnecessary web services, and monitor for anomalous process activity to mitigate the risk of lateral compromise.