How a Simple Symlink Bypass in Windows Temp Folder Let Me Delete Protected System Files Without Admin Rights
In the never-ending battle for software security, even trusted utilities like system clean-up tools can become dangerous if they overlook subtle file system tricks. In this write-up, I’ll walk you through how I discovered a Local Privilege Escalation (LPE) vulnerability in Acronis True Image 2021, which earned me a $250 bounty.
Using Directory Junctions, I was able to delete sensitive system files such as the hosts file in C:\Windows\System32\drivers\etc, all without administrative privileges.
Impact Summary:
An unprivileged user could abuse the System Clean-up feature, which performs its deletions with privileges the user does not have, to delete protected files and folders anywhere on the system. Arbitrary deletion of this kind can break system configuration (the hosts file is one example) and destroy security controls or persistence mechanisms that only an administrator should be able to remove.
The System Clean-up feature in Acronis True Image allows users to clean temporary files, browser data, history, and more. Because it deletes content under locations the user can write to, such as the Temp folder, an attacker can redirect it: a Directory Junction placed in Temp makes a protected directory appear as part of the clean-up target. Symbolic links and junctions are both NTFS reparse points, but the tool only checked for symbolic links, so it was protected against symlink-based attacks while remaining vulnerable to Directory Junction attacks. The distinction matters because creating a symbolic link normally requires SeCreateSymbolicLinkPrivilege (or Developer Mode), whereas any user with write access to a directory can create a junction in it.
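The following PowerShell is an added example and is not code from the original write-up or from Acronis. It contrasts a naive directory walk, which follows a junction and would hand the files behind it to a privileged delete, with a walk that treats every reparse point (junction or symbolic link) as a leaf. Everything runs in a throwaway sandbox under $env:TEMP: the directory names, the stand-in "hosts" file and the function name Get-DeleteCandidates are all invented for the demonstration, and nothing outside the sandbox is touched.

```powershell
# Added example, not from the original write-up. Models a clean-up routine's
# directory walk in two modes: naive (follows reparse points) and hardened
# (treats junctions and symlinks as leaves). Returns the files that would be
# deleted instead of deleting them, so the demo is safe to run.
function Get-DeleteCandidates {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $SkipReparsePoints   # hardened behaviour when set
    )
    $result = New-Object System.Collections.Generic.List[string]
    $stack  = New-Object System.Collections.Generic.Stack[string]
    $stack.Push($Root)
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        # Non-recursive .NET enumeration so that following (or not following)
        # a junction is an explicit decision of this code, not of the cmdlet.
        foreach ($entry in [System.IO.Directory]::EnumerateFileSystemEntries($dir)) {
            $item = Get-Item -LiteralPath $entry -Force
            $isReparse = ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0
            if ($isReparse -and $SkipReparsePoints) {
                # Junction or symlink: the link itself may be removed later,
                # but never descend into what it points to.
                Write-Verbose "skipping reparse point $entry ($($item.LinkType))"
                continue
            }
            if ($item.PSIsContainer) { $stack.Push($entry) } else { $result.Add($entry) }
        }
    }
    return $result
}

# --- Sandbox (constructed data; stands in for %TEMP% and a protected directory) ---
$sandbox   = Join-Path $env:TEMP ("junction-demo-" + [guid]::NewGuid().Guid)
$protected = Join-Path $sandbox 'protected'   # plays the role of C:\Windows\System32\drivers\etc
$cleanup   = Join-Path $sandbox 'cleanup'     # plays the role of the user's Temp folder
New-Item -ItemType Directory -Path $protected, $cleanup | Out-Null
Set-Content -LiteralPath (Join-Path $protected 'hosts') -Value '127.0.0.1 localhost'  # constructed
Set-Content -LiteralPath (Join-Path $cleanup 'junk.tmp') -Value 'temp data'           # constructed

# Any user with write access to $cleanup can create this; no privilege is needed,
# unlike a symbolic link (SeCreateSymbolicLinkPrivilege or Developer Mode).
New-Item -ItemType Junction -Path (Join-Path $cleanup 'etc') -Target $protected | Out-Null

$naive    = Get-DeleteCandidates -Root $cleanup
$hardened = Get-DeleteCandidates -Root $cleanup -SkipReparsePoints

# The naive list contains cleanup\etc\hosts, which is really protected\hosts
# reached through the junction; the hardened list contains only junk.tmp.
"naive walk would delete:`n  "    + ($naive    -join "`n  ")
"hardened walk would delete:`n  " + ($hardened -join "`n  ")

# Tear down: Directory.Delete on a reparse point removes the link, not its
# target, so the junction goes first and then the whole sandbox.
[System.IO.Directory]::Delete((Join-Path $cleanup 'etc'))
Remove-Item -LiteralPath $sandbox -Recurse -Force
```

Two caveats for anyone fixing a clean-up tool this way. First, the check has to look at every path component, not only the entries directly under the clean-up root, since a junction higher in the tree redirects everything beneath it. Second, this is still a check on a path the attacker controls, and a junction can be created between the check and the delete; the robust pattern for a privileged component is to perform the deletion while impersonating the requesting user, or to work on handles opened with FILE_FLAG_OPEN_REPARSE_POINT rather than on path strings.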