Exploitation for Priv-Esc × ESET Smart Security Premium

A local privilege escalation vulnerability (CVE-2024-0353) in ESET Smart Security Premium allows a standard user to delete arbitrary files as SYSTEM by exploiting a time-of-check-to-time-of-use (TOCTOU) race condition in the real-time prote

The attacker creates a file with an EICAR test string and sets its attributes to non-normal. When ESET's ekrn.exe service scans and prepares to delete the file, it changes attributes to FILE_ATTRIBUTE_NORMAL as a precursor. The attacker polls for this change, then uses an NTFS alternate data stream attached to a directory to keep it technically empty during checks. After the check, the attacker creates an NTFS junction from that directory to a target (e.g., C:\Config.msi) and an Object Manager symbolic link in a writable directory (e.g., \RPC CONTROL) to redirect the delete operation, causing ekrn.exe to delete the target directory with SYSTEM privileges.

Monitor for suspicious NTFS junction and alternate data stream creation, especially from non-privileged processes targeting protected directories like C:\Config.msi. Enforce least privilege and apply vendor patches for CVE-2024-0353 to mitigate the TOCTOU race condition.