Emanuele Barbeno, Speaker
Emanuele has 10 years of experience in IT security and has been an IT Security Analyst at Compass Security since 2019. As part of Compass Security's offensive security team, he conducts security assessments of web applications, external and internal networks, cloud infrastructures and Android applications. He has responsibly disclosed vulnerabilities in various open source libraries and products, including products from Microsoft and Alibaba, and is also responsible for several security trainings at Compass Security, such as web application security and internal network security with a focus on Active Directory.
Talks
- Now I See You: Pwning the Synology BC500 Camera (15:00-15:45, 07 Jun 2025)
  "Compass Security participated in the Pwn2Own 2023 contest held in Toronto, focusing on the Synology BC500 IP camera within the Surveillance Systems category. Our team successfully discovered various vulnerabilities, including one for which we wrote an unauthenticated Remote Code Execution (RCE) exploit. We'll begin the talk by explaining the analysis we performed on the physical device. We'll showcase the discovered debugging interfaces and outline how we analyzed the authentication mechanism and gained shell access as root. This was the first step required for starting the vulnerability discovery process. In the next section we'll explain the weaknesses we discovered during our investigation and we'll talk about the exploitation of the unauthenticated RCE, highlighting unique challenges introduced by the Pwn2Own competition, such as stringent time constraints and collision concerns, which may not necessarily affect real-world attackers. Finally, we will describe the development process we used to write the proof of concept of the exploit. We'll talk about various challenges we encountered and design choices we made to ensure the creation of a robust and reliable exploit."