In a display of vulnerability chaining, security researcher Kiddo has released a detailed write-up demonstrating how three distinct flaws can be combined to fully compromise Synology BeeStation devices. Originally presented at Pwn2Own 2024, the exploit allows an attacker with zero prior credentials to achieve root privileges on the target system.
The research highlights a sophisticated “Dirty File Write” technique that bypasses standard web shell methods by weaponizing the system’s own task scheduler.
The exploit relies on a sequence of three CVEs, moving from a minor information leak to total system takeover. According to Kiddo, “The exploit chain comprises three distinct vulnerabilities that allow an unauthenticated attacker to achieve root privileges.”
- CVE-2024-50629 (CRLF Injection): The entry point used to leak internal system data.
- CVE-2024-50630 (Improper Authentication): A logic flaw used to bypass login requirements.
- CVE-2024-50631 (SQL Injection): The final hammer blow used to execute remote code.
Step 1: The Leak (CRLF Injection)
The attack begins with a pre-authentication information disclosure. The researcher discovered that the redirect_url parameter in the authentication API failed to sanitize input, allowing CRLF injection.
“By appending %0d%0a to the redirect_url parameter, I could inject arbitrary HTTP headers into the server response,” the report explains.
By injecting the X-Accel-Redirect header—a feature of the Nginx server used by BeeStation—the attacker could force the server to read internal files. The target? The cloud-workerd.log file, which conveniently records home directory paths during initialization, exposing the valid system username (e.g., kiddo.pwn).
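The defensive counterpart to the redirect_url flaw is strict validation of any value that can be reflected into a response header. The following is an added example, not code from the write-up or from Synology; the function name and the sample values are assumptions. It URL-decodes the parameter, refuses CR, LF and other control characters (so an encoded %0d%0a can never start a new header line such as X-Accel-Redirect), and only accepts same-origin relative paths:

```python
from urllib.parse import unquote, urlsplit

# Bytes that must never appear in a value copied into a response header.
_FORBIDDEN = set("\r\n\x00")


def safe_redirect_path(raw: str, default: str = "/") -> str:
    """Return a same-origin relative redirect target, or `default` if `raw` is unsafe.

    The value is URL-decoded first so that encoded %0d%0a sequences are caught
    exactly as the server would see them after decoding.
    """
    decoded = unquote(raw)
    if any(c in _FORBIDDEN for c in decoded):
        return default
    # Any remaining control character can confuse header parsers; reject it too.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return default
    parts = urlsplit(decoded)
    # No scheme, no host and no protocol-relative "//host": only paths on this origin.
    if parts.scheme or parts.netloc or decoded.startswith("//") or not parts.path.startswith("/"):
        return default
    return decoded


if __name__ == "__main__":
    # Constructed samples: one benign path and three that a validator must reject.
    for sample in (
        "/webapi/entry.cgi",
        "/x%0d%0aX-Accel-Redirect:%20/internal/log",  # encoded CRLF header injection
        "https://evil.example/",
        "//evil.example/",
    ):
        print(repr(sample), "->", repr(safe_redirect_path(sample)))
```

Validation on the application side is only half of the mitigation: X-Accel-Redirect is an internal Nginx mechanism that should be honoured only when set by the trusted upstream, so the web tier should also ensure the header can never be built from request data.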
Step 2: The “Friendly Neighbor” Bypass
With a valid username in hand, the attacker targets the syncd daemon. This component listens on two channels: a Unix Domain Socket (for local browser requests) and a TCP port.
The vulnerability lies in a logic error where syncd implicitly trusts local requests. “The interesting oversight is that the authenticate method does not seem to check the presence of the password parameter before forwarding the request,” Kiddo writes.
By stripping the password field from the request, the system defaults to a logic path intended for trusted local domain sockets. This tricks the system into issuing a valid access_token based solely on the username stolen in Step 1.
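The logic error is a general pattern: trust is inferred from the shape of the request body instead of from the channel it arrived on. The snippet below is an added, hypothetical illustration, not syncd's code; the function names, the credential store and the "unix"/"tcp" transport labels are assumptions. It shows the flawed decision next to one that keeps the intended local-socket convenience but always verifies a password for TCP clients:

```python
import hashlib
import hmac
import secrets

# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _password_ok(username: str, password: str) -> bool:
    expected = _USERS.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def _issue_token(username: str) -> str:
    return f"{username}:{secrets.token_hex(8)}"


def authenticate_flawed(request: dict, transport: str):
    """Vulnerable pattern: a missing password field is read as 'already trusted'.

    The branch was meant for the local Unix domain socket, but nothing ties it
    to that socket, so a TCP client that omits the field takes the same path.
    """
    username = request.get("username")
    if username not in _USERS:
        return None
    if "password" not in request:
        return _issue_token(username)
    return _issue_token(username) if _password_ok(username, request["password"]) else None


def authenticate_fixed(request: dict, transport: str):
    """Trust is a property of the channel, never of the request body."""
    username = request.get("username")
    if username not in _USERS:
        return None
    if transport == "unix":
        # Local, already-authenticated browser path (trusted by design in this model).
        return _issue_token(username)
    password = request.get("password")
    if not isinstance(password, str) or not _password_ok(username, password):
        return None
    return _issue_token(username)


if __name__ == "__main__":
    probe = {"username": "alice"}  # constructed: username only, no password field
    print("flawed, tcp:", authenticate_flawed(probe, "tcp"))
    print("fixed,  tcp:", authenticate_fixed(probe, "tcp"))
```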
Step 3: The “Dirty” SQL Injection
Now authenticated, the attacker accesses the update_settings command, which was vulnerable to SQL Injection. Typically, an attacker would use this to write a PHP web shell. However, the BeeStation does not include a PHP interpreter, necessitating a creative pivot.
The researcher used the SQL ATTACH DATABASE command to create a file in the system’s cron directory (/etc/cron.d/). The challenge was that SQLite database files contain binary “garbage” headers that would normally break a text-based config file like a crontab.
The solution relied on the fault tolerance of the cron daemon: “Surprisingly… the cron daemon will simply ignore malformed lines and continue down the file to locate valid lines.”
By wrapping a malicious bash command in newlines within the SQL query, the researcher successfully created a valid cron job amidst the binary noise. “When cron parses this file, it discards the SQLite binary headers as invalid lines and executes only the valid crontab line—giving us a root reverse shell.”
Combining all three vulnerabilities, the security researcher built a complete exploit chain. The PoC demonstrates full unauthenticated RCE on affected BeeStation devices.
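The same fault tolerance that makes the technique work also gives defenders a clear artifact to look for: a file under a cron directory that starts with an SQLite header, or mixes unparseable binary lines with lines cron would accept. The scanner below is an added example, not code from the write-up; the crontab grammar it uses is a simplification, and the sample files it writes to a temporary directory are constructed (the job command is a harmless /usr/bin/true):

```python
import os
import re
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"

# Simplified cron.d job line: five time fields or an @-shortcut, a user, a command.
_CRON_LINE = re.compile(
    rb"^\s*(?:@(?:reboot|yearly|annually|monthly|weekly|daily|hourly)|(?:\S+\s+){5})"
    rb"\s*[A-Za-z_][\w-]*\s+\S.*$"
)
# Environment assignments (SHELL=, PATH=, MAILTO=) are legitimate non-job lines.
_ENV_LINE = re.compile(rb"^\s*[A-Za-z_]\w*\s*=")

# Constructed samples: a normal crontab and one carrying an SQLite header plus
# trailing binary, with a single well-formed job line embedded between them.
CLEAN_SAMPLE = b"# constructed sample\nSHELL=/bin/sh\n0 3 * * * root /usr/bin/true\n"
DIRTY_SAMPLE = (
    SQLITE_MAGIC + b"\x10\x00\x01\x01\x00@  \x00\x00\x00\x02"
    + b"\n* * * * * root /usr/bin/true # constructed\n"
    + b"\x00" * 16
)


def scan_cron_file(data: bytes) -> dict:
    """Classify each line the way a tolerant cron parser would, then judge the file."""
    jobs, noise = [], 0
    for line in data.split(b"\n"):
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue
        printable = all(0x20 <= b < 0x7F or b == 0x09 for b in line)
        if printable and _CRON_LINE.match(line):
            jobs.append(stripped)
        elif printable and _ENV_LINE.match(line):
            continue
        else:
            noise += 1  # a line cron would skip as malformed
    report = {
        "sqlite_header": data.startswith(SQLITE_MAGIC),
        "noise_lines": noise,
        "jobs": jobs,
    }
    # A job that survives alongside binary or malformed content was not written
    # by an administrator's editor; an SQLite header is conclusive on its own.
    report["suspicious"] = report["sqlite_header"] or (noise > 0 and bool(jobs))
    return report


def scan_dir(path: str) -> dict:
    """Scan every regular file in a cron directory and return filename -> report."""
    reports = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                reports[name] = scan_cron_file(fh.read())
    return reports


def demo() -> list:
    """Write the constructed samples to a temp dir and return the flagged names."""
    with tempfile.TemporaryDirectory() as cron_d:
        with open(os.path.join(cron_d, "clean-constructed"), "wb") as fh:
            fh.write(CLEAN_SAMPLE)
        with open(os.path.join(cron_d, "dirty-constructed"), "wb") as fh:
            fh.write(DIRTY_SAMPLE)
        return sorted(n for n, r in scan_dir(cron_d).items() if r["suspicious"])


if __name__ == "__main__":
    print("flagged:", demo())
```

Pointed at a real /etc/cron.d/ (and the per-user spool directory), scan_dir is a cheap periodic check; pairing it with file-integrity monitoring on those directories catches the write at the moment it happens rather than at the next scan.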
Synology has addressed these vulnerabilities in the latest DSM and BeeStation updates.