The issue is with the permissions on the installation directory.
The directory "C:\Program Files (x86)\Wondershare\drfone\Library\DriverInstaller" grants every user Full Control. That matters because DriverInstall.exe is located in this directory and is executed as SYSTEM by the service WsDrvInst (Wondershare Driver Install Service). An attacker can overwrite DriverInstall.exe with a malicious executable of the same name and then start or restart the WsDrvInst service; the replaced binary is then run as SYSTEM.
This is a privilege escalation to system from any user.
Here are the permissions on the directory after install:

get-acl "C:\Program Files (x86)\Wondershare\drfone\Library\DriverInstaller" | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Wondershare\drfone\Library\DriverInstaller
Owner  : BUILTIN\Administrators
Group  :
Access : BUILTIN\Users Allow  FullControl
The key entry is Access : BUILTIN\Users Allow FullControl, which should not be there.
It gives every user full control over the files in this directory, and an executable in that directory is run as SYSTEM whenever the Wondershare Driver Install Service is started. So any user can become SYSTEM on any machine that has the software installed.
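As an added example (not part of the original report, and not Wondershare's code), here is a PowerShell audit and fix for the condition described above. It lists the write-capable ACEs granted to low-privilege principals on the affected directory, shows which account the WsDrvInst service runs as, scans every other service for a binary that sits in a directory with the same weakness, and removes the offending explicit ACE. The function names, the list of "weak" principals and the rights mask are my own choices; the directory, executable and service name are the ones named in the report. It assumes Windows PowerShell 5.1 or later and an elevated prompt for the repair step.

```powershell
# Added audit/remediation example; not from the original report or the vendor.
# Principals that any local user is a member of; a write grant to one of these
# lets an unprivileged user replace files in the directory.
$WeakPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing, altering or re-permissioning a file. Read and
# execute bits are deliberately left out so a normal Program Files grant
# (ReadAndExecute) is not flagged. The two high bits cover ACEs stored with
# GENERIC_ALL / GENERIC_WRITE, which Get-Acl shows as raw numbers.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor
             0x10000000 -bor 0x40000000

# Extract the executable from a service's PathName ("C:\x y\svc.exe" -arg, or unquoted).
function Get-ServiceBinaryPath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take up to the first .exe so spaces inside the path survive.
    if ($PathName -match '^(.+?\.exe)(?:\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# Return the Allow ACEs on $Directory that give a weak principal write-capable rights.
function Get-WeakAce([string]$Directory) {
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

# Scan all services for the same pattern: a service binary whose directory is
# writable by an ordinary user. Note the report's case is a helper executable
# launched by the service, not the service's own ImagePath, so the affected
# directory also needs to be checked directly (see usage below).
function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $dir = Split-Path -Parent $exe
        try { $weak = @(Get-WeakAce $dir) } catch { return }
        if ($weak.Count -gt 0) {
            [pscustomobject]@{
                Service  = $_.Name
                RunsAs   = $_.StartName
                Binary   = $exe
                WeakAces = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

# Remove the explicit write-capable ACEs for $Principal and restore the normal
# Program Files grant (ReadAndExecute, inherited by children). Inherited ACEs
# cannot be removed here; they must be fixed on the parent or by disabling
# inheritance. Returns the number of ACEs removed.
function Repair-DirectoryAcl([string]$Directory, [string]$Principal = 'BUILTIN\Users') {
    $acl = Get-Acl -LiteralPath $Directory
    $bad = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    })
    foreach ($ace in $bad) { [void]$acl.RemoveAccessRule($ace) }
    $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $Directory -AclObject $acl
    return $bad.Count
}

# Usage (paths and names from the report):
$ReportDir = 'C:\Program Files (x86)\Wondershare\drfone\Library\DriverInstaller'
# 1. The directory itself: expect a BUILTIN\Users FullControl entry on a vulnerable install.
Get-WeakAce $ReportDir | Format-Table IdentityReference, FileSystemRights, IsInherited
# 2. Confirm the service account (LocalSystem) and its binary.
Get-CimInstance Win32_Service -Filter "Name='WsDrvInst'" | Format-List Name, StartName, PathName, State
# 3. Look for the same weakness across all services.
Find-WritableServiceBinary | Format-Table -AutoSize
# 4. Fix, from an elevated prompt, then re-run step 1 to verify:
#    Repair-DirectoryAcl $ReportDir
```

Two caveats when using this. First, the repair only edits the directory's own explicit ACE; if DriverInstall.exe or other files already carry their own explicit BUILTIN\Users write grant, run the same check over `Get-ChildItem -Recurse` and fix those too. Second, fixing the ACL does not help if the installer re-applies the permissive ACE on update, so re-check after the vendor's next release.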