Research

TLDR; TPEditor v1.96 does not perform bound checking when copying “boot page” (.sta) file content to memory. The finding can be exploited to gain arbitrary code execution upon file opening.  [ZDI Link] This bug was a bit interesting. VirtualAlloc() is used to allocate memory and returns a pointer to an allocation. However, we can trigger a […]

Recently our CVE-2021-29084 went public [ZDI Link]. We thought it would be fun to share our disclosure notes. The Synology DS418play NAS contained an unauthenticated accessible endpoint vulnerable to HTTP header injection. Due to nginx’s configuration, the X-Accel-Redirect header can be used download files which are shared via SMB. Note the finding requires knowledge of […]

The Synology DS418play NAS  contained an unauthenticated endpoint which can be leveraged to delete arbitrary files. The exploit can be used to bypass account login throttling by deleting a database file containing banned IP addresses. The finding could potentially lead to soft bricking the device too, such as by deleting system files. The unauthenticated OTP admin […]

Education & designing secure software through hardened frameworks is the best way to mitigate security breaches. Security is not only a business decision, but also a moral decision. Always seek advice from an experienced security professional.