Hardwear.io USA 2025
This talk presents an in-depth case study on the discovery and exploitation of a blind format string vulnerability during Pwn2Own Ireland 2024, targeting the Synology TC500 IP camera. Despite security mechanisms in place such as ASLR, PIE and Full RELRO, we demonstrate how precise exploitation techniques can leverage format string primitives to bypass these defenses and achieve arbitrary code execution.
The presentation will begin with an overview of the Synology TC500 architecture and security features, followed by a firmware extraction and emulation setup. The core focus will be on identifying and exploiting the blind format string flaw, overcoming constraints such as input length limitations and character filtering to craft a reliable exploit.
Attendees will gain insight into exploitation methodologies for constrained environments and practical tips for improving the security of IoT devices. This case study serves as an example of how creativity can help circumvent complex problems in modern embedded systems.
Creased is a binary exploitation and security researcher at Synacktiv.