Compass Security Blog

Offensive Defense

A Patchdiffing Journey – TP-Link Omada

Last year we participated in the Pwn2Own 2023 Toronto competition and successfully exploited the Synology BC500 camera. The DEVCORE Internship Program team managed to exploit a bug in the TP-Link Omada Gigabit VPN Router. So I was naturally curious and wanted to figure out how difficult it would be to recreate that exploit having access only to a high-level bug description and the firmware.


Pwn2Own Toronto 2023: Part 5 – The Exploit

In the final part of this series, we explain how the stack-based buffer overflow vulnerability can be exploited to gain unauthenticated remote code execution (RCE) on the Synology BC500 camera.


Pwn2Own Toronto 2023: Part 4 – Memory Corruption Analysis

In this fourth part of the series, we analyze the memory corruption identified previously and manage to overwrite the program pointer!


Pwn2Own Toronto 2023: Part 3 – Exploration

In this third part of the series, we focus on the exposed web services running on TCP ports 80 and 443.

Since a valid exploit chain must achieve code execution without prior authentication, we focus on the available functionality that can be accessed without authentication.


Pwn2Own Toronto 2023: Part 2 – Exploring the Attack Surface

In this second blog post of the series, we start with the reconnaissance phase on the camera, a crucial step in understanding our target.

The aim here is to gather information about the target and identify potential vulnerabilities.


Pwn2Own Toronto 2023: Part 1 – How it all started

Around a year ago a few Compass analysts watched a talk at the Insomni’Hack conference about the Pwn2Own contest.

This is when they decided to take part! In this blog post, they talk about how they picked their target, got the firmware from the camera, and got into the shell.
