<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Neodyme’s Blog</title><description>Make security your strength. We help secure software with deep-dive audits, cutting-edge research, and trainings that propel your team to the next level.</description><link>https://neodyme.io/</link><language>en-us</language><image><url>https://neodyme.io//favicon.svg</url><title>Neodyme’s Blog</title><link>https://neodyme.io/</link></image><item><title>Lenovo DCC: Part 2 - Trusted IPC and a Malicious Firmware Update</title><link>https://neodyme.io/en/blog/lenovo_dcc_lpe_fwupdate/</link><guid isPermaLink="true">https://neodyme.io/en/blog/lenovo_dcc_lpe_fwupdate/</guid><description>The [Lenovo Display Control Center](https://support.lenovo.com/de/de/downloads/ds547223-lenovo-display-control-center-thinkcolor), commonly deployed in Windows enterprise environments, could be used for local privilege escalation. In the first part of this series, we presented two ways to gain local administrative access. In this post, we dive into IPC communication and show how trusted IPC from a low-privileged service process can be exploited to get admin privileges in a different way.
</description><pubDate>Tue, 24 Mar 2026 00:00:00 GMT</pubDate><author>Alain</author></item><item><title>Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC</title><link>https://neodyme.io/en/blog/drone_hacking_part_1/</link><guid isPermaLink="true">https://neodyme.io/en/blog/drone_hacking_part_1/</guid><description>Desoldering a drone&apos;s flash chip and reconstructing the firmware from broken data.
</description><pubDate>Mon, 05 Jan 2026 00:00:00 GMT</pubDate><author>Tim,Thomas</author></item><item><title>Diving into the depths of Widevine L3</title><link>https://neodyme.io/en/blog/widevine_l3/</link><guid isPermaLink="true">https://neodyme.io/en/blog/widevine_l3/</guid><description>This post explores various approaches to attacking Widevine L3, a DRM system commonly used by streaming services. We analyzed the Android library and instrumented it dynamically to extract the keybox before finally deobfuscating it.
</description><pubDate>Thu, 23 Oct 2025 00:00:00 GMT</pubDate><author>Felipe</author></item><item><title>Pwn2Own Ireland 2024: QNAP Qhora-322</title><link>https://neodyme.io/en/blog/pwn2own-2024_qhora/</link><guid isPermaLink="true">https://neodyme.io/en/blog/pwn2own-2024_qhora/</guid><description>In 2024, we competed as team Neodyme in the Pwn2Own Ireland contest, targeting the &quot;SOHO Smashup&quot; category and all available printers. For our entry, we focused on the QNAP QHora-322 router, successfully exploiting it to pivot into the Canon imageCLASS MF656Cdw printer. This post details the vulnerabilities we discovered, our methodology (from working with a factory-sealed router to achieving remote access via the WAN port without authentication) and how we ultimately compromised the connected printer.
</description><pubDate>Tue, 21 Oct 2025 00:00:00 GMT</pubDate><author>Benjamin</author></item><item><title>Lenovo DCC: Part 1 - A simple ACL Exploit</title><link>https://neodyme.io/en/blog/lenovo_dcc_lpe_logic/</link><guid isPermaLink="true">https://neodyme.io/en/blog/lenovo_dcc_lpe_logic/</guid><description>The Lenovo Display Control Center (DCC), widely deployed in Windows enterprise environments, contained a critical local privilege escalation vulnerability enabling unauthorized elevation to administrative privileges. This post examines the Lenovo DCC architecture, analyzes underlying security flaws through IDA Pro and ProcMon analysis, and presents two distinct exploitation methodologies for achieving local administrative access: a race condition-based approach and a junction path exploitation technique.
</description><pubDate>Wed, 01 Oct 2025 00:00:00 GMT</pubDate><author>Alain</author></item><item><title>Building Our Own Post-Quantum FIDO Token</title><link>https://neodyme.io/en/blog/pqc-fido/</link><guid isPermaLink="true">https://neodyme.io/en/blog/pqc-fido/</guid><description>We have built our own FIDO2 token based on post-quantum crypto. Here is how.</description><pubDate>Tue, 16 Sep 2025 00:00:00 GMT</pubDate><author>Ruben</author></item><item><title>Did You Train on My Voice? Exploring Privacy Risks in ASR</title><link>https://neodyme.io/en/blog/membership_inference/</link><guid isPermaLink="true">https://neodyme.io/en/blog/membership_inference/</guid><description>This post explores a recent research paper on membership inference attacks targeting Automatic Speech Recognition (ASR) models. It breaks down how subtle signals like input perturbation and model loss can reveal whether a voice recording was used during training, helping to check for privacy and compliance concerns. For cybersecurity professionals, we highlight why machine learning models should be treated as potential attack surfaces.
</description><pubDate>Wed, 02 Jul 2025 00:00:00 GMT</pubDate><author>Karla</author></item><item><title>Your router might be a security nightmare: Tales from Pwn2Own Toronto 2022</title><link>https://neodyme.io/en/blog/pwn2own-2022_router_rce/</link><guid isPermaLink="true">https://neodyme.io/en/blog/pwn2own-2022_router_rce/</guid><description>Three years ago, Neodyme took aim at the &quot;SOHO Smashup&quot; category at Pwn2Own Toronto 2022, targeting a Netgear RAX30 router and an HP M479fdw printer. We successfully gained remote code execution on both devices, pivoting from the router to the printer. In this post, we dive into the technical details of our router exploitation journey, resulting in reliable code execution via a MAC address lookup service.</description><pubDate>Fri, 06 Jun 2025 00:00:00 GMT</pubDate><author>Felipe,Marius</author></item><item><title>Riverguard: Mutation Rules for Finding Vulnerabilities</title><link>https://neodyme.io/en/blog/riverguard_3_fuzzcases/</link><guid isPermaLink="true">https://neodyme.io/en/blog/riverguard_3_fuzzcases/</guid><description>Riverguard, the first line of defense for all Solana contracts</description><pubDate>Wed, 28 May 2025 00:00:00 GMT</pubDate><author>Sebastian,Thomas</author></item><item><title>Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw</title><link>https://neodyme.io/en/blog/pwn2own-2024_canon_rce/</link><guid isPermaLink="true">https://neodyme.io/en/blog/pwn2own-2024_canon_rce/</guid><description>This blog post starts a series about various exploits at Pwn2Own 2024 Ireland (Cork). This and the upcoming posts will detail our research methodology and journey in exploiting different devices. We start with some EXIF basics and end up with shellcode execution after reconfiguring the MMU of the RTOS.
</description><pubDate>Thu, 22 May 2025 00:00:00 GMT</pubDate><author>Alain,Kolja</author></item><item><title>HTML to PDF Renderer: A tale of local file access and shellcode execution</title><link>https://neodyme.io/en/blog/html_renderer_to_rce/</link><guid isPermaLink="true">https://neodyme.io/en/blog/html_renderer_to_rce/</guid><description>In a recent engagement, we found an HTML to PDF converter API endpoint that allowed us to list local directories and files on a remote server. One of the PDF files we created revealed that the converter was using a .NET renderer framework based on Chromium 62. With this, we were able to gain remote code execution by porting a Chromium 62 exploit to the particular version of the renderer.
</description><pubDate>Fri, 02 May 2025 00:00:00 GMT</pubDate><author>Alain</author></item><item><title>The Key to COMpromise - Writing to the Registry (again), Part 4</title><link>https://neodyme.io/en/blog/com_hijacking_4/</link><guid isPermaLink="true">https://neodyme.io/en/blog/com_hijacking_4/</guid><description>In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you&apos;ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products&apos; internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.
</description><pubDate>Wed, 26 Feb 2025 00:00:00 GMT</pubDate><author>Alain,Kolja</author></item><item><title>The Key to COMpromise - Downloading a SYSTEM shell, Part 3</title><link>https://neodyme.io/en/blog/com_hijacking_3/</link><guid isPermaLink="true">https://neodyme.io/en/blog/com_hijacking_3/</guid><description>In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you&apos;ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products&apos; internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.
</description><pubDate>Wed, 12 Feb 2025 00:00:00 GMT</pubDate><author>Alain,Kolja</author></item><item><title>Introducing HyperHook: A harnessing framework for Nyx</title><link>https://neodyme.io/en/blog/hyperhook/</link><guid isPermaLink="true">https://neodyme.io/en/blog/hyperhook/</guid><description>In this post, we introduce HyperHook, a harnessing framework for snapshot-based fuzzing for user-space applications using Nyx. HyperHook simplifies guest-to-host communication and automates repetitive tasks, making the fuzzing process more efficient.
</description><pubDate>Wed, 05 Feb 2025 00:00:00 GMT</pubDate><author>Alain,Konstantin</author></item><item><title>The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM, Part 2</title><link>https://neodyme.io/en/blog/com_hijacking_2/</link><guid isPermaLink="true">https://neodyme.io/en/blog/com_hijacking_2/</guid><description>In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you&apos;ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products&apos; internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.
</description><pubDate>Wed, 29 Jan 2025 00:00:00 GMT</pubDate><author>Alain,Kolja</author></item><item><title>Windows BitLocker -- Screwed without a Screwdriver</title><link>https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/</link><guid isPermaLink="true">https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/</guid><description>Breaking up-to-date Windows 11 BitLocker encryption -- on-device but software-only
</description><pubDate>Fri, 17 Jan 2025 00:00:00 GMT</pubDate><author>Thomas</author></item><item><title>On Secure Boot, TPMs, SBAT, and downgrades -- Why Microsoft hasn&apos;t fixed BitLocker yet</title><link>https://neodyme.io/en/blog/bitlocker_why_no_fix/</link><guid isPermaLink="true">https://neodyme.io/en/blog/bitlocker_why_no_fix/</guid><description>On Secure Boot, TPMs, SBAT and Downgrades -- Why Microsoft hasn&apos;t fixed BitLocker yet
</description><pubDate>Fri, 17 Jan 2025 00:00:00 GMT</pubDate><author>Thomas</author></item><item><title>The Key to COMpromise - Pwning AVs and EDRs by Hijacking COM Interfaces, Part 1</title><link>https://neodyme.io/en/blog/com_hijacking_1/</link><guid isPermaLink="true">https://neodyme.io/en/blog/com_hijacking_1/</guid><description>In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you&apos;ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products&apos; internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.
</description><pubDate>Wed, 15 Jan 2025 00:00:00 GMT</pubDate><author>Alain,Kolja</author></item><item><title>Solana Consensus - From Forks to Finality</title><link>https://neodyme.io/en/blog/solana_consensus/</link><guid isPermaLink="true">https://neodyme.io/en/blog/solana_consensus/</guid><description>Explore Solana Consensus
</description><pubDate>Mon, 16 Dec 2024 00:00:00 GMT</pubDate><author>Jonas,Thomas</author></item><item><title>From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities</title><link>https://neodyme.io/en/blog/wazuh_rce/</link><guid isPermaLink="true">https://neodyme.io/en/blog/wazuh_rce/</guid><description>Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution.
This post reveals how even trusted tools can become targets, highlighting the importance of robust defenses for security systems themselves.
</description><pubDate>Thu, 21 Nov 2024 00:00:00 GMT</pubDate><author>Konstantin</author></item><item><title>RCE on the HP M479fdw printer</title><link>https://neodyme.io/en/blog/pwn2own-2022_printer_rce/</link><guid isPermaLink="true">https://neodyme.io/en/blog/pwn2own-2022_printer_rce/</guid><description>Two years ago, Neodyme targeted the &quot;SOHO Smashup&quot; chain at Pwn2Own Toronto 2022, featuring a Netgear RAX30 router and an HP M479fdw printer, and successfully gained remote code execution on both devices, pivoting from the router to the printer. This post covers the technical aspects of our first printer exploitation journey, resulting in reliable code execution via the printer discovery service.</description><pubDate>Thu, 10 Oct 2024 00:00:00 GMT</pubDate><author>Alain,Felipe,Robert,Marius</author></item><item><title>SPL Token-2022: Don&apos;t shoot yourself in the foot with extensions</title><link>https://neodyme.io/en/blog/token-2022/</link><guid isPermaLink="true">https://neodyme.io/en/blog/token-2022/</guid><description>We go through the new functionalities, potential security pitfalls, and best practices for secure implementation of the new token extensions.</description><pubDate>Tue, 10 Sep 2024 00:00:00 GMT</pubDate><author>Mathias</author></item><item><title>Riverguard: How to Get Access to Findings for Your Contract</title><link>https://neodyme.io/en/blog/riverguard-onboarding/</link><guid isPermaLink="true">https://neodyme.io/en/blog/riverguard-onboarding/</guid><description>Riverguard searches for potential vulnerabilities in all programs deployed on Solana mainnet.
Here&apos;s how to get access to all findings in your smart contract(s), free of charge.</description><pubDate>Tue, 23 Jul 2024 00:00:00 GMT</pubDate><author>Tobias</author></item><item><title>Riverguard: Fishing for Loss of Funds in the Stream of Solana Transactions</title><link>https://neodyme.io/en/blog/riverguard_1_intro/</link><guid isPermaLink="true">https://neodyme.io/en/blog/riverguard_1_intro/</guid><description>Riverguard, the free first line of defense for all Solana contracts</description><pubDate>Thu, 29 Feb 2024 00:00:00 GMT</pubDate><author>Thomas</author></item><item><title>Hidden GitHub Commits and How to Reveal Them</title><link>https://neodyme.io/en/blog/github_secrets/</link><guid isPermaLink="true">https://neodyme.io/en/blog/github_secrets/</guid><description>We have created a tool for GitHub that can reveal commits that potentially contain sensitive information and are not accessible via the public Git history, but that may be of interest or were intentionally deleted.
</description><pubDate>Fri, 16 Feb 2024 00:00:00 GMT</pubDate><author>Tobias</author></item><item><title>How to Hack a DAO</title><link>https://neodyme.io/en/blog/how_to_hack_a_dao/</link><guid isPermaLink="true">https://neodyme.io/en/blog/how_to_hack_a_dao/</guid><description>DAOs add a social layer to the otherwise technical execution of blockchain transactions. By exploiting common misconceptions about how they actually work, attackers can &apos;hack a DAO&apos;.</description><pubDate>Wed, 24 Jan 2024 00:00:00 GMT</pubDate><author>Robert</author></item><item><title>CS:GO: From Zero to 0-day</title><link>https://neodyme.io/en/blog/csgo_from_zero_to_0day/</link><guid isPermaLink="true">https://neodyme.io/en/blog/csgo_from_zero_to_0day/</guid><description>We identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to our malicious Python CS:GO server. This post details our journey through the CS:GO binary and conducts a technical deep dive into various identified bugs. We conclude by presenting a proof of concept (POC) exploit that leverages four different logic bugs into remote code execution in the game&apos;s client, triggered when a client connects to the server.
</description><pubDate>Sat, 13 May 2023 00:00:00 GMT</pubDate><author>Felipe,Alain</author></item><item><title>Nonce Upon a Time, or a Total Loss of Funds - Exploring Solana Core Part 3</title><link>https://neodyme.io/en/blog/nonce-upon-a-time/</link><guid isPermaLink="true">https://neodyme.io/en/blog/nonce-upon-a-time/</guid><description>This blog post details the first ever loss-of-funds bug we found in Solana Core.
The bug would have allowed us to write arbitrary data to any account on the Solana Blockchain. This has many devastating implications. An attacker with this power can:

- Mint any amount of any token
- Steal other accounts&apos; SOL or tokens
- Change ownership of any NFT
- Delete their liabilities in any lending protocol

In short: we could have done pretty much anything we wanted, short of minting new SOL.
</description><pubDate>Fri, 10 Mar 2023 00:00:00 GMT</pubDate><author>Nico,Ruben,Robert,Jasper</author></item><item><title>Secure Randomness: From Zero to Verifiable Delay Functions, Part 2</title><link>https://neodyme.io/en/blog/secure-randomness-part-2/</link><guid isPermaLink="true">https://neodyme.io/en/blog/secure-randomness-part-2/</guid><description>For many different purposes, the blockchain space needs a trustless, general-purpose source of randomness. In the first post, we saw that almost all sources of general on-chain randomness that are currently in use have fundamental flaws (the severity of which varies). So how can we fix this?

In this post, we focus on employing Verifiable Delay Functions (VDFs) for on-chain randomness. We describe what VDFs are and why it&apos;s not clear they even exist. We also discuss one of the most promising candidates for a VDF and examine what difficulties an on-chain implementation of a scheme using that VDF candidate would face.

Finally, we also spend some time examining a VDF implementation that is already being used in practice, namely in the consensus algorithm of the Chia blockchain.
</description><pubDate>Mon, 14 Nov 2022 00:00:00 GMT</pubDate><author>Jasper</author></item><item><title>Stake², or How To Cheat The Staking Mechanism - Exploring Solana Core Part 2</title><link>https://neodyme.io/en/blog/solana_core_2/</link><guid isPermaLink="true">https://neodyme.io/en/blog/solana_core_2/</guid><description>Over the past two years, we have spent a lot of time reviewing Solana core code, reporting over 80 bugs of varying severity. This is the second in a series of blog posts detailing the most interesting vulnerabilities that we found and reported in Solana Core. All bugs were responsibly disclosed under the [Solana bug bounty program](https://github.com/solana-labs/solana/blob/master/SECURITY.md) and subsequently fixed. With this, we hope to inspire more whitehats to keep the ecosystem safe.

In this post, we present a vulnerability that would have allowed us to give an unlimited amount of stake to our own or a cooperating validator.
</description><pubDate>Mon, 24 Oct 2022 00:00:00 GMT</pubDate><author>Nico,Thomas</author></item><item><title>Secure Randomness: From Zero to Verifiable Delay Functions, Part 1</title><link>https://neodyme.io/en/blog/secure-randomness-part-1/</link><guid isPermaLink="true">https://neodyme.io/en/blog/secure-randomness-part-1/</guid><description>A secure source of randomness is one of the most critical components of many decentralized applications. However, perhaps surprisingly, there is currently no on-chain source of randomness that is truly trustless. Almost all solutions that have been used in practice are either fundamentally broken or require the participants involved to trust each other or a third party. Why is that?

In this two-part series, we&apos;ll discuss the different attempts to construct a secure source of randomness, and why all currently known solutions have fundamental shortcomings in some aspect.
</description><pubDate>Wed, 19 Oct 2022 00:00:00 GMT</pubDate><author>Jasper,Nico</author></item><item><title>Why Auditing the Code is Not Enough: A Discussion on Solana Upgrade Authorities</title><link>https://neodyme.io/en/blog/solana_upgrade_authority/</link><guid isPermaLink="true">https://neodyme.io/en/blog/solana_upgrade_authority/</guid><description>Recently, there’s been a lot of buzz around a DAO vote of Solend – one of Solana’s largest lending projects. It seeks to enact restrictions on large positions, and to temporarily take control of an existing user&apos;s position in order to liquidate it in a controlled fashion. This can be done by upgrading the smart contract&apos;s code.
But wait! Aren&apos;t smart contracts supposed to be immutable?

Only in a perfect world. No code is perfect and smart contracts aren&apos;t either, so it can be necessary to change or fix them. This is called a program upgrade.

In this post, we&apos;ll give an overview of one of the most fundamental and yet somehow often-overlooked aspects of the security of a smart contract, namely: Who has the power to initiate program upgrades? How can users be sure that the developers don&apos;t make undesired changes? Or even worse, just run off with their money?
</description><pubDate>Mon, 20 Jun 2022 00:00:00 GMT</pubDate><author>Nico,Thomas,Jasper</author></item><item><title>How a Little-Known Solana Feature Made Program Vaults Unsafe - Exploring Solana Core Part 1</title><link>https://neodyme.io/en/blog/solana_core_1/</link><guid isPermaLink="true">https://neodyme.io/en/blog/solana_core_1/</guid><description>Over the past year and a half, we have spent a lot of time looking at the Solana core code, reporting over 80 bugs of varying severity. This blog post is the first in a series detailing the most interesting vulnerabilities we found and reported in Solana core, hopefully inspiring more whitehats to keep the ecosystem safe. All bugs presented here were responsibly disclosed under the [Solana bug bounty program](https://github.com/solana-labs/solana/blob/master/SECURITY.md) and are now fixed.
</description><pubDate>Wed, 01 Jun 2022 00:00:00 GMT</pubDate><author>Nico,Thomas</author></item><item><title>How to Become a Millionaire, 0.000001 BTC at a Time</title><link>https://neodyme.io/en/blog/lending_disclosure/</link><guid isPermaLink="true">https://neodyme.io/en/blog/lending_disclosure/</guid><description>We recently discovered a critical bug in the token-lending contract of the Solana Program Library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix. The total TVL at risk was about 2.600.000.000 USD. Some low-value coins are not economically viable to steal, but the potential profit was easily in the hundreds of millions. The bug was fixed, and dapps updated promptly to close the vulnerability.
</description><pubDate>Fri, 03 Dec 2021 00:00:00 GMT</pubDate><author>Nico,Thomas</author></item><item><title>Solana Smart Contracts: Common Pitfalls and How to Avoid Them</title><link>https://neodyme.io/en/blog/solana_common_pitfalls/</link><guid isPermaLink="true">https://neodyme.io/en/blog/solana_common_pitfalls/</guid><description>In this post, we want to raise awareness about the five most common vulnerabilities in Solana contracts that we keep finding during our audits. We&apos;ll keep the vulnerability descriptions short and concise and provide a simplified example as well as a TL;DR for each vulnerability so that you can easily reference them while coding.
</description><pubDate>Fri, 20 Aug 2021 00:00:00 GMT</pubDate><author>Ilias,Jasper,Neodyme Audit Team</author></item><item><title>Reversing a Fingerprint Reader Protocol</title><link>https://neodyme.io/en/blog/fingerprint_reversing/</link><guid isPermaLink="true">https://neodyme.io/en/blog/fingerprint_reversing/</guid><description>The sensor uses TLS-PSK over USB. We overwrite the PSK and are able to read images.
</description><pubDate>Thu, 27 May 2021 00:00:00 GMT</pubDate><author>Thomas</author></item><item><title>MacOS: Unauthd - Logic bugs FTW</title><link>https://neodyme.io/en/blog/unauthd_logic_bugs_ftw/</link><guid isPermaLink="true">https://neodyme.io/en/blog/unauthd_logic_bugs_ftw/</guid><description>This blog post is about a MacOS LPE chain I wrote and reported back in February. It features three logic bugs to go from user to root with System Integrity Protection (SIP) bypass to kernel. Since I&apos;m not exploiting any memory corruptions or other vulnerabilities that aren&apos;t 100% deterministic, this chain is fully reliable which I think is cool ;). It runs on MacOS &lt; 10.15.5
</description><pubDate>Fri, 31 Jul 2020 00:00:00 GMT</pubDate><author>Ilias</author></item></channel></rss>