Many laptops come with preinstalled packages that enhance user experience by responding to gestures and shortcuts available via a touchpad. One of the most popular packages offering such functionality comes from Synaptics. My old laptop has it preinstalled as well and… that’s how this post was born.
While exploring the options of the program I discovered that you can associate many different actions with buttons and areas/zones of the touchpad. It turns out that one such interesting action is… running an arbitrary program.
I must mention that this is not a vulnerability – it is just flexibility offered by the program, allowing the user to define what they want to do with their computer. But of course it could be abused as a persistence mechanism.
The place in the Registry where these paths are stored is shown below:
- LeftButtonAction = if equal to 0, the default touchpad action is overridden with the action of the plugin defined by the next 2 entries below (LeftButtonPlugInID & LeftButtonPlugInActionID)
- LeftButtonPlugInID = changed to ‘SynTP’
- LeftButtonPlugInActionID = if this ActionID is equal to 5, the action is program execution
The right button (and other buttons, if present) as well as the zones all have a similar set of settings (again, their actual availability depends on the touchpad model/hardware); the respective registry entries are:
and each of them has the respective ‘ActionID’ setting, e.g.:
- TopRightCornerPlugInID -> TopRightCornerPlugInActionID
The chances that we will come across it in real cases are pretty low, but I am adding it here for completeness.
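For triage, the value combination described above can be checked offline against a text export of the settings key. The following is an added example, not code from the original post: the key path is a placeholder (the location is not reproduced here), the sample export is constructed, and the `RightButton*` and `TopLeftCorner*` names are assumed by analogy with the entries named in the post.

```python
import re

# Constructed sample in `reg export` text form. The key path is a
# placeholder: the real location of these settings is not given here.
# Names other than LeftButton*/TopRightCorner* are assumed by analogy.
SAMPLE_REG = r'''
[PLACEHOLDER_HIVE\PLACEHOLDER_TOUCHPAD_SETTINGS_KEY]
"LeftButtonAction"=dword:00000000
"LeftButtonPlugInID"="SynTP"
"LeftButtonPlugInActionID"=dword:00000005
"RightButtonAction"=dword:00000001
"RightButtonPlugInID"=""
"RightButtonPlugInActionID"=dword:00000000
"TopRightCornerPlugInID"="SynTP"
"TopRightCornerPlugInActionID"=dword:00000005
"TopLeftCornerPlugInID"="SynTP"
"TopLeftCornerPlugInActionID"=dword:00000002
'''

EXEC_ACTION_ID = 5   # per the post: ActionID 5 means program execution
PLUGIN_ID = "SynTP"  # per the post: plugin that provides the action
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<text>.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} from reg-export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m["name"]] = int(m["dword"], 16) if m["dword"] else m["text"]
    return keys

def find_program_actions(text):
    """List buttons/zones whose SynTP plugin action is program execution."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, value in values.items():
            if not name.endswith("PlugInActionID") or value != EXEC_ACTION_ID:
                continue
            control = name[:-len("PlugInActionID")]
            if values.get(control + "PlugInID") != PLUGIN_ID:
                continue
            action = values.get(control + "Action")  # 0 = default overridden
            findings.append({"key": key, "control": control,
                             "overridden": None if action is None else action == 0})
    return findings
```

Each finding names the button or zone to review; the program it launches then has to be read from the same key by hand.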