CVE-2019-9730: Synaptics Audio Driver LPE
The vulnerability in this driver package was with the CxUtilSvc system service. It hosted a COM object that low-privileged code can use to perform arbitrary reads and writes to the registry as SYSTEM. The .NET code adds the
IRegistryHelper COM interface as a reference to invoke its methods.
In terms of exploitation, a less subtle approach is used that replaces the binary path of a given service with a command that creates a local Administrator account. Although standard user accounts cannot start/stop every service, there is usually a small subset where they can (e.g.
ose). They can also reboot the system if they cannot immediately start a service.
Write-up and technical advisory here: http://jackson-t.ca/synaptics-cxutilsvc-lpe.html.
This list is not comprehensive.