tags: pwn2own, iot, stack_overflow | original link: Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2 | newsletter link: exploits.club Weekly Newsletter 30


Exploits Club Summary:

Last week, we covered the first entry in the blog series discussing Claroty Team82's SOHO smash-up exploit chain at Pwn2Own 2023 Toronto. This week, the team released a follow-up post walking through the vulnerability and exploit for the Synology BC500 IP camera. Specifically, the team identified a parsing bug in one of the web interface's C/C++-based CGI executables, which was reachable via an HTTP endpoint. The vulnerability itself was a stack-based buffer overflow resulting from an sscanf call. The write-up then dives into exploiting this bug, starting with brute-forcing ASLR, explaining which function pointer is the target of the overwrite, and then discussing the challenges of building the exploit payload itself.