Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1
ID: e23ac281-a828-5daf-93c4-13dde44ff179
STIX ID: report--e23ac281-a828-5daf-93c4-13dde44ff179
Feed Name: Claroty Team82
Date Published: 2024-07-15
Date Updated: 2026-04-17
Author: Sharon Brizinov; Noam Moshe; Tomer Goldschmidt
This research describes a WAN-to-LAN exploit chain against TP-Link ER605 routers discovered at Pwn2Own Toronto 2023: a Comexe DDNS protocol authentication weakness, a stack-based overflow in cmxddnsd permitting RCE, and an out-of-bounds read used to bypass ASLR. The authors demonstrate achieving remote root on the router, opening firewall rules and proxying to pivot to a Synology BC500 IP camera, and note that vendors (TP-Link and Synology) released firmware fixes.
