Intro – This section will mostly set the scene for the talk, describing what I'm going to cover.

1. whoami
2. Talk about my "spidey sense", leading to the high level key points of the presentation.
3. Introduction of core talk topic. (Vendors) using privileged services in silly, insecure ways in 2025 (i.e., named pipes, tcp, com, etc.)

Patient zero – This section will introduce what spawned the deeper dive.

Asus DriverHub Vulnerabilities

1. Software composition discovery
2. Analysis of how it was possible to reboot my computer from a browser. This section will focus on various reversing techniques which include obfuscated JavaScript analysis and native binary reversing to reveal their relationship with each other.
3. Reproduction of the HTTP request required (more reversing) to reboot a target computer.
4. Discovery of the HTTP Origin header check bypass - impact: visiting a malicious link (hacked website, link on social media/discord) can reboot your computer
5. Upgrading to code execution: from origin header bypass to abusing broken a PE code signature validation implementation.

MSI Centre Vulnerabilities

1. Attack surface discovery
2. Custom communication protocol between privileged and unprivileged application components.
3. Reversing .Net binaries to uncover the custom protocol. For this section I'll also emphasise the often forgotten value of re-enabling logging that is usually disabled in production builds to aid reversing efforts.
4. POC to reboot computer using the reversed custom protocol.
5. Discovery of first LPE abusing a TOCTOU vulnerability in a core MSI application component.
6. Discovery of second, simpler LPE which is a trivial, unprotected application component (lame!).

AcerControlCenter

1. Attack surface discovery
2. .Net reversing of client-side code. Ripping and re-implementing of code to get an easy custom protocol client.
3. Server side native code reversing and enumeration of a dynamic feature and protocol implementation structure (will be quite technical, but fun!)
4. Initial code execution POC, as a non-privileged user. (I almost stopped here but later came back to double check my work as the service was running as SYSTEM. Reversing fooled me into thinking it was dropping privileges before running commands. Spoiler alert, it was not!)
5. Coming back and using Frida for more reversing to turn code execution into privileged code execution. Additional mention of mt.exe (https://learn.microsoft.com/en-us/windows/win32/sbscs/mt-exe) to add a manifest to get full, privileged POC working.
6. Discovery of remote, privileged RCE thanks to poor permissions on a named pipe.

Razer Synapse 4 LPE

1. Attack surface discovery
2. Discovery of a COM interface and challenges calling it.
3. Electron client reversing and discovery of razers private fork of ffi-rs (https://www.npmjs.com/package/ffi-rs).
4. Dynamic use of a patched client DLL with code signing patched out (dangers of doing codesigning in the wrong place) to gain privileged code execution. This section was actually quite a lot of work as there were many, many moving parts to getting code execution to finally work. Depending on how the presentation building goes, I might skip some of the boring details here, leaving them for the accompanying blog post.

PipeTap

1. Introduction to a new Windows Named Pipe proxy I have been workin on called PipeTap.
2. Demo and link to source code for the community.

Conclusion

1. Look out for this common pattern of installing and interfacing with a privileged service (via Named Pipes, TCP services, COM, RPC, etc.)
2. Encouragement to go hunt for more! Really, seven days, seven CVE's was just too easy.
3. Do better, everyone! It's 2025, really.