This document details how NTFS alternate data streams (ADS) can be abused to bypass a security assumption and achieve privilege escalation. The technique, discovered by researcher Abdelhamid Naceri, relies on the fact that a directory whose only content is an ADS still counts as empty: because junction creation requires an empty directory, such a directory can be turned into an NTFS junction even after a program has checked that it is empty and decided how to treat it.

The technique is illustrated through two vulnerabilities: CVE-2024-0353 in ESET security products and CVE-2024-7238 in VIPRE Advanced Security. Both involve real-time protection features that delete files they detect as malicious. The exploit creates an ADS containing the EICAR test string, then watches the host directory for a change in file attributes or timestamps, which signals that the product has noticed the detection and is about to delete it. At that moment an NTFS junction is created so that the path the product is about to delete now resolves to a file the attacker wants removed. The exploit succeeds because neither ESET nor VIPRE takes the necessary precautions when opening a file for deletion, such as checking for reparse points along the path or properly impersonating the requesting user rather than acting with its own privileges. The deletion is therefore redirected to arbitrary files, including system-critical ones, which is the basis for the privilege escalation.

The document notes that other vendors and products are likely vulnerable to the same technique because it has not been widely tested for, and it encourages vendors to offer free trials for security research. It also stresses that correct impersonation is the primary safeguard against this class of bug. The authors urge defenders to evaluate their products for these weaknesses and vendors to prioritize security testing and responsible disclosure. The analysis is intended both as a warning and as a call to action for the security community.
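The following PowerShell script is an added example, not code from the ZDI post or from either vendor. It demonstrates two of the points above: a directory whose only content is an ADS enumerates as empty, and a deletion routine that walks every component of the target path and refuses to proceed if any component is a reparse point (junction or symlink). All paths, stream names and the placeholder payload are assumptions for the demonstration; no real EICAR string is used, so the script is safe to run as a normal user in a scratch folder. Impersonation, the other safeguard the post names, cannot be shown from a user-mode script and is not covered here.

```powershell
# Added example (not the post's or vendors' code). Assumed names: $scratch, 'holder', 'payload.txt', 'jct'.
$scratch = Join-Path $env:TEMP 'ads-demo'
$dir     = Join-Path $scratch 'holder'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Attach an alternate data stream to the directory itself. The content is a harmless placeholder.
Set-Content -LiteralPath $dir -Stream 'payload.txt' -Value 'placeholder detection string'

# Point 1: the directory carries a stream but has no child entries, so enumeration reports it empty.
$children = @(Get-ChildItem -LiteralPath $dir -Force)
"Child entries in holder: $($children.Count)"
Get-Item -LiteralPath $dir -Stream * | Select-Object Stream, Length

# Point 2: check every path component for a reparse point before deleting anything at that path.
# This is a cmdlet-level illustration of the missing check; a TOCTOU window remains unless the
# final open is also done with FILE_FLAG_OPEN_REPARSE_POINT, which these cmdlets cannot request.
function Test-PathHasReparsePoint {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $full    = [System.IO.Path]::GetFullPath($LiteralPath)
    $current = [System.IO.Path]::GetPathRoot($full)
    $parts   = $full.Substring($current.Length) -split '[\\/]' | Where-Object { $_ -ne '' }
    foreach ($part in $parts) {
        $current = Join-Path $current $part
        $item = Get-Item -LiteralPath $current -Force -ErrorAction Stop
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            return $true
        }
    }
    return $false
}

# Deletion helper that refuses to act when the path goes through a reparse point.
function Remove-StreamSafely {
    param(
        [Parameter(Mandatory)][string]$LiteralPath,
        [Parameter(Mandatory)][string]$Stream
    )
    if (Test-PathHasReparsePoint -LiteralPath $LiteralPath) {
        Write-Warning "Refusing to delete '$LiteralPath':$Stream - path contains a reparse point"
        return $false
    }
    Remove-Item -LiteralPath $LiteralPath -Stream $Stream -ErrorAction Stop
    return $true
}

# Plain directory: the stream is deleted.
"Delete via plain directory: $(Remove-StreamSafely -LiteralPath $dir -Stream 'payload.txt')"

# Now stage a junction (creating one needs no elevation) and show the same check rejecting a
# path that passes through it, which is the redirection the post describes.
$jct = Join-Path $scratch 'jct'
New-Item -ItemType Junction -Path $jct -Target $env:SystemRoot | Out-Null
"Path through junction flagged: $(Test-PathHasReparsePoint -LiteralPath (Join-Path $jct 'notepad.exe'))"

# Cleanup. Directory.Delete removes the junction itself without touching its target.
[System.IO.Directory]::Delete($jct)
Remove-Item -LiteralPath $scratch -Recurse -Force
```

Run it from a normal (non-elevated) PowerShell 5.1 or later session. The first `Remove-StreamSafely` call returns `$true` and removes the stream; the junction check prints `True` because the `jct` component carries the `ReparsePoint` attribute, so a real deletion routine using this check would stop before ever opening the redirected target.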
www.thezdi.com