Unauthenticated Root RCE in Synology NAS via Environment Variable Injection
DEFCONConference
video
2026-02-18T00:00:00
Abstract
This talk details the discovery and exploitation of a critical zero-day vulnerability in Synology DiskStation Manager (DSM). The researcher demonstrates how unauthenticated attackers can bypass input delimiters in the login portal to inject arbitrary environment variables into root-owned processes. By chaining this primitive with a novel use of the Linux dynamic linker's debugging features (`LD_DEBUG` and `LD_DEBUG_OUTPUT`), the attacker can achieve arbitrary file writes to system directories, ultimately leveraging the `cron` daemon to gain full remote root code execution (RCE).