vuln disclosure
ESET Smart Security Premium Privilege Escalation via NTFS Alternate Data Stream JunctionCVE-2024-0353
A local privilege escalation vulnerability (CVE-2024-0353) in ESET Smart Security Premium allows a standard user to delete arbitrary files as SYSTEM by exploiting a time-of-check-to-time-of-use (TOCTOU) race condition in the real-time protection feature. The attack leverages NTFS alternate data streams to keep a directory empty during file scanning, then creates a junction to redirect a delete operation to a protected directory like C:\Config.msi. This technique, introduced by researcher Abdelhamid Naceri, bypasses assumptions about directory emptiness and can potentially affect other security products.