A Journey into Synology NAS — Part 1: Introduction to Synology NAS

cq674350529
Feb 5, 2023

Preface

Nowadays, Synology NAS is undoubtedly an appealing target. However, there is limited public information available about the security of Synology NAS. Previously, I spent some time researching Synology NAS and discovered some security issues. My research was even selected for presentation at the POC2019 and HITB2021AMS security conferences. In this series of articles, I will elaborate on previous findings and discussions from my talks entitled "Bug Hunting in Synology NAS" and "A Journey into Synology NAS". I hope this will be helpful for those interested in Synology NAS.

The purpose of this series of articles is to describe some basic information about Synology NAS, the mechanisms related to request processing, common attack surfaces, and some actual security issues found. The goal is to give the reader a general understanding of Synology NAS and of how to perform a security analysis of the device, rather than focusing on the details of exploiting a specific vulnerability.

It will be divided into the following parts:

  • Introduction to Synology NAS
  • Analysis of custom services, including findhostd and iscsi_snapshot_comm_core
  • Analysis of the HTTP request processing flow and common attack surfaces

Introduction to Synology NAS

NAS (Network Attached Storage) is a storage device connected to a network that allows storage and retrieval of data from a central location for authorized network users and varied clients. NAS is like having a private cloud in the office. It’s faster, less expensive and provides all the benefits of a public cloud on site, giving you complete control.

Synology is a Taiwanese corporation that specializes in network-attached storage (NAS) appliances and has been described as a “longtime leader in the small-business and home NAS arena”. Synology’s line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models.

In addition, Synology provides the DiskStation Manager (DSM) operating system for its NAS. It’s a Linux-based operating system with an intuitive web interface that provides rich features, including file sharing, file synchronization, data backup and so on, for better flexibility and availability in every aspect.

Environment Setup

After gaining a basic understanding of Synology NAS, we need a target device for research and testing. Currently, there are two common approaches.

  • Purchase a Synology NAS device directly, known as “white Synology”. It is fully functional and relatively easy to configure and use.
  • Assemble a device yourself, or purchase a NAS device from another manufacturer, and install the Synology DSM system on it, known as “black Synology”. It has most of the features and is sufficient for testing purposes.

In addition to the above two methods, the community also provides another way, which is to create a Synology virtual machine. This method is more suitable for testing purposes, such as testing different DSM versions, so it is the method we mainly introduce.

This is only for the purpose of security research; if there is an actual usage need, it is recommended to purchase an official Synology NAS device.

Installing DSM 6.2.1

To create a Synology virtual machine, two main files are required.

  • the official PAT file provided by Synology
  • a UEFI or BIOS loader

Currently, the community provides various loaders for different NAS models and DSM versions. The latest loader version is compatible with DSM 6.2.1. It is advisable to choose the NAS model and DSM version that match the loader during installation. It turned out that the loader for the DS918 series supports upgrading to DSM 6.2.3. That is, we can first install DSM 6.2.1 and then manually upgrade to DSM 6.2.3.

We can refer to this to check whether the loader can be upgraded and whether the upgrade succeeds.

Taking VMware Workstation as an example, to create a Synology virtual machine we need to load the synoboot bootloader first and then install the corresponding DSM. Since the downloaded bootloader is an img file, we convert it into vmdk format as follows.

# convert via qemu-img command
$ qemu-img convert -f raw -O vmdk synoboot.img synoboot.vmdk

Then create the VMware virtual machine normally using the vmdk file converted earlier. When selecting the disk type, choose SATA, because selecting SCSI may cause the subsequent boot to fail or the disk to go unrecognized. After creation, add additional disks for data storage. After starting the virtual machine, install and configure it through the Web Assistant or Synology Assistant, and you will then be able to access the NAS virtual machine through a browser.

Synology Assistant is an easy-to-use tool for managing Synology NAS in the local area network (LAN), especially when you have multiple machines working within the LAN. With Synology Assistant, you can share printers, set up Wake on LAN (WOL), and configure network drives.

After that, the DSM version can be upgraded to DSM 6.2.3 through a manual update. As mentioned earlier, this method only gets us as far as DSM 6.2.3. Newer versions of DSM, including DSM 6.2.4 and DSM 7.0, can’t be installed through this method. However, based on the newly created NAS virtual machine, we can install a DSM 6.2.4 or DSM 7.0 virtual machine using Synology’s Virtual Machine Manager package.

Installing DSM 6.2.4/DSM 7.0

The Virtual Machine Manager (VMM) package is an intuitive hypervisor that allows you to easily create, run, and manage multiple virtual machines on a Synology NAS, including Synology’s own virtual DSM.

In short, we can first create a virtual machine with DSM 6.2.3, and then within that virtual machine use the Virtual Machine Manager package to install one or more virtual DSM instances. When installing virtual DSM, it’s important to ensure that the corresponding storage format is Btrfs, which can be achieved by adding an extra large hard disk (such as 40GB or above) and selecting SHR (Btrfs) when adding storage space.

It should be noted that Virtual Machine Manager provides only one free license, so if multiple virtual DSM instances are installed, they cannot be started at the same time. The trick here is to switch between virtual instances, which is sufficient for testing.

In this series of articles, we mainly focus on DSM 6.1/DSM 6.2 versions.

Installing DSM 7.x

Previously, those loaders were provided by Jun, but they haven’t been updated in recent years. For DSM 7.x versions, there is a new loader called TinyCore RedPill (TCRP). Using this loader, it is possible to create a DSM 7.x Synology virtual machine directly. Using the TinyCore RedPill loader may require custom modifications and compilation to obtain the corresponding loader image, which can be tedious. Fortunately, there is an open-source build tool called arpl that builds the loader automatically, making the compilation and installation of DSM 7.x easy.

DSM Online Demo

Synology also provides an official virtual DSM for online trial. Of course, we can perform security analysis and testing based on this environment. However, there may be some restrictions, such as the inability to use SSH to access the shell, or other considerations.

Installing Diagnosis Tool

The SSH service is available on the Synology NAS and can be used to access the Linux shell once enabled. In addition, there is a package called Diagnosis Tool available, which contains many utilities like gdb and gdbserver, making it easy to debug programs. Usually, the package can be found and installed through the Package Center. If the package can't be found in the Package Center, we can install it by running the shell command synogear install, as follows.

$ sudo -i
# synogear install

Device Fingerprinting

In general, Synology NAS is mainly used in remote access scenarios, and the only entry point in this case is 5000/http (5001/https). We can try to find devices exposed on the public network via a search engine such as Shodan. In the results, only a few ports are accessible.

To get a basic understanding of the target device, such as its DSM version, installed packages and their versions, a more detailed device fingerprint is needed. By analyzing the index page, clues can be found. Specifically, there are some CSS links in the index page indicating installed built-in modules and third-party packages. Also, there are some NAS-specific script links. Based on this information, queries can be constructed to find Synology NAS devices accurately.

Port: 5000/5001     # default port
Shodan query: html:"SYNO.Core.Desktop.SessionData"

Moreover, the v parameter in each link represents the last modification time, i.e. the timestamp of the build. For example, the timestamp 1589235146 can be converted to the time 2020-05-12 06:12:26. By searching for the release time of each DSM version in the Synology archive repository, it can be deduced that the DSM version is likely 6.2.3-25426. Similarly, the version of the AudioStation package can be inferred to be 6.5.6-3377.

webapi/entry.cgi?api=SYNO.Core.Desktop.SessionData&version=1&method=getjs&SynoToken=&v=1589235146

At the same time, some requests are sent by default when accessing the index page. The response to the request "/webapi/entry.cgi?api=SYNO.Core.Desktop.Defs&version=1&method=getjs&v=1589235146" may contain model information, as shown in the example below. According to the upnpmodelname and unique fields, the device model can be determined (VirtualDSM in the author's case; the sample below shows a DS1517).

_SYNOINFODEF = {
"support_ebox": "yes",
/* ... */
"upnpmodelname": "DS1517",
/* ... */
"unique": "synology_alpine_ds1517",
/* ... */
"synobios": "ds1517",
/* ... */
};

By accessing the URL "http://<host>:<port>/ssdp/desc-DSM-eth0.xml", if successful, we can obtain more accurate information, including the device's specific model, version, serial number, etc. It should be noted that for some devices with multiple network adapters, such as the DS1517, accessing /ssdp/desc-DSM-eth0.xml may return a "page not found" error, because the device's eth0 port is not connected. In this case, we can try changing eth0 to eth1, eth2, eth3, etc. and try again.

Typically, engines like Shodan only probe the default page under http://<host>:<port>/ and don't fetch this secondary page.

<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>VirtualDSM (VirtualDSM)</friendlyName>
<manufacturer>Synology</manufacturer>
<manufacturerURL>http://www.synology.com</manufacturerURL>
<modelDescription>Synology NAS</modelDescription>
<modelName>VirtualDSM</modelName>
<modelNumber>VirtualDSM 6.2-25556</modelNumber>
<modelURL>http://www.synology.com</modelURL>
<modelType>NAS</modelType>
<serialNumber>xxxxxx</serialNumber>
<UDN>xxxxxx</UDN>
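The three fingerprint sources described above (the v= build timestamps in the index page links, the _SYNOINFODEF fields in the Defs response, and the SSDP device description) can be pulled together in one script. The following is an added example, not code from the original post, run over constructed samples modelled on the fragments shown; it is useful for checking what one of your own devices discloses to an unauthenticated client. It assumes that the article's reading of v=1589235146 as 2020-05-12 06:12:26 corresponds to UTC+8, and that the real device description carries the standard UPnP XML namespace.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the fragments quoted above (not captured from a real device).
INDEX_HTML = """
<script src="webapi/entry.cgi?api=SYNO.Core.Desktop.SessionData&version=1&method=getjs&SynoToken=&v=1589235146"></script>
<script src="webapi/entry.cgi?api=SYNO.Core.Desktop.Defs&version=1&method=getjs&v=1589235146"></script>
"""
DEFS_JS = '_SYNOINFODEF = { "support_ebox": "yes", "upnpmodelname": "DS1517", "unique": "synology_alpine_ds1517" };'
SSDP_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<friendlyName>VirtualDSM (VirtualDSM)</friendlyName><manufacturer>Synology</manufacturer>
<modelName>VirtualDSM</modelName><modelNumber>VirtualDSM 6.2-25556</modelNumber>
<serialNumber>xxxxxx</serialNumber></device></root>"""

LINK_RE = re.compile(r'(?:href|src)="([^"]+)"')
V_RE = re.compile(r'[?&]v=(\d+)')
API_RE = re.compile(r'[?&]api=([\w.]+)')

def build_timestamps(html, tz_offset_hours=8):
    """Map each versioned link (keyed by its api= name, else its path) to the
    build time encoded in its v= parameter. The article's 2020-05-12 06:12:26
    for v=1589235146 corresponds to UTC+8, so that offset is the default (assumption)."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    out = {}
    for url in LINK_RE.findall(html):
        v = V_RE.search(url)
        if not v:
            continue  # link has no build timestamp
        api = API_RE.search(url)
        name = api.group(1) if api else url.split("?", 1)[0]
        out[name] = datetime.fromtimestamp(int(v.group(1)), tz).strftime("%Y-%m-%d %H:%M:%S")
    return out

def synoinfo_fields(js, keys=("upnpmodelname", "unique", "synobios")):
    """Pull the model-identifying string fields out of the _SYNOINFODEF JS object."""
    return {k: v for k, v in re.findall(r'"(\w+)"\s*:\s*"([^"]*)"', js) if k in keys}

def ssdp_description(xml_text, wanted=("modelName", "modelNumber", "serialNumber")):
    """Extract model fields from the UPnP device description, ignoring its XML namespace."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the "{urn:...}" namespace prefix
        if tag in wanted:
            found[tag] = (el.text or "").strip()
    return found
```

With the samples above, build_timestamps reports the SessionData link as 2020-05-12 06:12:26, synoinfo_fields returns DS1517, and ssdp_description yields VirtualDSM 6.2-25556.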

Past Security News and Research

In the past few years, there has been some security news related to Synology NAS.

  • At GeekPwn 2018, the DS115j model was hacked. The contestant obtained root privileges on the device through a buffer overflow vulnerability.
  • At Pwn2Own Tokyo 2020, another model, the DS418play, was hacked by two teams (STAR Labs and DEVCORE); both obtained a root shell on the device.

Additionally, some security researchers have analyzed Synology NAS devices before.

Summary

We first gave a brief introduction to Synology NAS, then described methods for setting up a Synology NAS environment. We also gave a short discussion of device fingerprinting and introduced some security events and research related to Synology NAS. The goal is to give the reader a general understanding of Synology NAS.
