
Add ESC4 detection to ldap_esc_vulnerable_cert_finder module #19816

Merged (2 commits) Jan 24, 2025

Conversation

jheysel-r7
Contributor

@jheysel-r7 jheysel-r7 commented Jan 20, 2025

This adds support for ESC4 to the ldap_esc_vulnerable_cert_finder module. Certificates vulnerable to ESC4 are certs where the enumerating user can edit them. The idea is that if the user has edit permissions, they can modify the cert to be vulnerable to ESC1 and then exploit it to get domain admin on the DC.

This addition works by first running an LDAP query to determine what user we are authenticating with and what security groups they are a part of. The module then gets a list of all certificate templates and determines whether the user has the ability to edit any of them.

Verification Steps

First deploy a vulnerable template with ad_cs_cert_template

  • Do use admin/ldap/ad_cs_cert_template
  • Do set TEMPLATE_FILE data/auxiliary/admin/ldap/ad_cs_cert_template/esc4_template.yaml
  • Do set CERT_TEMPLATE VulnToEsc4
  • Do set action CREATE
  • Input domain admin credentials: DOMAIN, PASSWORD, RHOSTS, USERNAME
  • Go into certsrv on the domain controller, right click Certificate Templates -> New -> Certificate Template to Issue and select VulnToEsc4

Ensure ldap_esc_vulnerable_cert_finder finds the vulnerable certificate

  • Do use gather/ldap_esc_vulnerable_cert_finder
  • Run the module with a low privilege user: run domain=kerberos.issue password=N0tpassword! rhost=172.16.199.200 username=msfuser
  • Verify VulnToEsc4 appears vulnerable to ESC4.

Note that if you run the vulnerable cert finder as a domain admin, as you might expect, almost all templates should be reported as vulnerable to ESC4.

Testing

msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE VulnToEsc4
CERT_TEMPLATE => VulnToEsc4
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /Users/jheysel/rapid7/metasploit-framework/data/auxiliary/admin/ldap/ad_cs_cert_template/esc4_template.yaml
TEMPLATE_FILE => /Users/jheysel/rapid7/metasploit-framework/data/auxiliary/admin/ldap/ad_cs_cert_template/esc4_template.yaml
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set domain kerberos.issue
domain => kerberos.issue
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set password N0tpassword!
password => N0tpassword!
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set rhost 172.16.199.200
rhost => 172.16.199.200
smsf6 auxiliary(admin/ldap/ad_cs_cert_template) > set username Administrator
username => Administrator
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
[*] Running module against 172.16.199.200
[*] Discovering base DN automatically
[*] Creating: CN=VulnToEsc4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run domain=kerberos.issue rhost=172.16.199.200 username=msfuser password=Derpderp69!
[*] Running module against 172.16.199.200
[*] Discovering base DN automatically
[!] Couldn't find any vulnerable ESC13 templates!
[+] Template: Copy of Web Server
[*]   Distinguished Name: CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC1, ESC2
[*]   Notes:
[*]     * ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs permit authentication
[*]     * ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[+] Template: WebServer
[*]   Distinguished Name: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4, ESC15
[*]   Notes:
[*]     * ESC4: The user msfuser is a part of the following groups: (Authenticated Users) which have edit permissions over the template WebServer making it vulnerable to ESC4
[*]     * ESC15: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema-Version)
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[+] Template: ExchangeUserSignature
[*]   Distinguished Name: CN=ExchangeUserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4, ESC15
[*]   Notes:
[*]     * ESC4: The user msfuser is a part of the following groups: (Authenticated Users) which have edit permissions over the template ExchangeUserSignature making it vulnerable to ESC4
[*]     * ESC15: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema-Version)
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[+] Template: CAExchange
[*]   Distinguished Name: CN=CAExchange,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The user msfuser is a part of the following groups: (Authenticated Users) which have edit permissions over the template CAExchange making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[+] Template: Copy 2 of Web Server
[*]   Distinguished Name: CN=Copy 2 of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes:
[*]     * ESC4: The user msfuser has edit permissions over the template Copy 2 of Web Server making it vulnerable to ESC4
[*]     * ESC4: The user msfuser is a part of the following groups: (Authenticated Users) which have edit permissions over the template Copy 2 of Web Server making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1000 (msfuser)
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1000 (msfuser)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*] Auxiliary module execution completed

@rapid7 rapid7 deleted a comment from Theivaraj1211 Jan 20, 2025
@smcintyre-r7 smcintyre-r7 self-assigned this Jan 21, 2025
@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 21, 2025
@jheysel-r7 jheysel-r7 marked this pull request as ready for review January 22, 2025 05:15

@smcintyre-r7 smcintyre-r7 left a comment


I think this is good to go now. I tested a few different cases for how the cert could be vulnerable and it identified all of them.

[+] Template: ESC4-Test
[*]   Distinguished Name: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: wrabbit is a part of the following groups: (Authenticated Users) which have edit permissions over the template ESC4-Test making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-11 (Authenticated Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
[*]     Enrollment SIDs:
[*] Successfully queried (objectSID=S-1-5-11).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[+] Template: ESC4-Test1
[*]   Distinguished Name: CN=ESC4-Test1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: wrabbit is a part of the following groups: (Domain Users) which have edit permissions over the template ESC4-Test1 making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
[*]     Enrollment SIDs:
[*] Successfully queried (objectSID=S-1-5-11).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[+] Template: ESC4-Test2
[*]   Distinguished Name: CN=ESC4-Test2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: wrabbit is a part of the following groups: (Technical Staff) which have edit permissions over the template ESC4-Test2 making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-2103 (Technical Staff)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-2103 (Technical Staff)
[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
[*]     Enrollment SIDs:
[*] Successfully queried (objectSID=S-1-5-11).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[+] Template: ESC4-Test3
[*]   Distinguished Name: CN=ESC4-Test3,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: wrabbit has edit permissions over the template ESC4-Test3 making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-2102 (wrabbit)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-2102 (wrabbit)
[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
[*]     Enrollment SIDs:
[*] Successfully queried (objectSID=S-1-5-11).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*] Auxiliary module execution completed

Then in this run, I changed from a user account to a computer account and validated that the primary group ID logic is working and it's detecting that ESC4-Test4 is vulnerable because the Domain Computers group has write access to it.

[+] Template: ESC4-Test4
[*]   Distinguished Name: CN=ESC4-Test4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]   Manager Approval: Disabled
[*]   Required Signatures: 
[+]   Vulnerable to: ESC4
[*]   Notes: ESC4: The account: DESKTOP-5V184QI2$ is a part of the following groups: (Domain Computers) which have edit permissions over the template ESC4-Test4 making it vulnerable to ESC4
[*]   Users or Groups SIDs with Certificate Template write access:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-515 (Domain Computers)
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]     * S-1-5-21-3978004297-3499718965-4169012971-515 (Domain Computers)
[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
[*]     Enrollment SIDs:
[*] Successfully queried (objectSID=S-1-5-11).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-519).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*] Successfully queried (objectSID=S-1-5-21-3978004297-3499718965-4169012971-512).
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
[*] Auxiliary module execution completed
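The check the PR describes (resolve the caller's SIDs, including the primary group that the computer-account run above exercises, then test each template's DACL for edit rights), as an added Ruby example that is not the module's own code. The ACE hashes, the domain SID and the sample DACL are constructed for illustration rather than parsed from a real ntSecurityDescriptor; the access-mask constants are the documented Windows values.

```ruby
# Access-mask bits that let a principal change a certificate template
# (documented ACCESS_MASK / ADS_RIGHTS_ENUM values).
WRITE_DAC     = 0x00040000
WRITE_OWNER   = 0x00080000
GENERIC_WRITE = 0x40000000
GENERIC_ALL   = 0x10000000
WRITE_PROP    = 0x00000020 # ADS_RIGHT_DS_WRITE_PROP
EDIT_BITS     = WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL | WRITE_PROP

AUTHENTICATED_USERS = 'S-1-5-11'

# Every SID the account is evaluated with: its own SID, its direct group
# memberships, its primary group (primaryGroupID is a RID and never shows up in
# memberOf, which is why a computer account in Domain Computers needs this step)
# and the implicit Authenticated Users well-known SID.
def effective_sids(account_sid, member_of, primary_group_id)
  domain_sid = account_sid.sub(/-\d+\z/, '')
  [account_sid, *member_of, "#{domain_sid}-#{primary_group_id}", AUTHENTICATED_USERS].uniq
end

# Each ACE is a constructed hash: { type: :allow | :deny, sid:, mask:, object_type: }.
# Returns the SIDs from the token that keep an edit right after deny ACEs are
# applied. Simplifications: denies are assumed to be canonically ordered ahead of
# allows, and a WriteProperty ACE scoped to one property (object_type set) is not
# treated as a template edit right.
def template_editors(dacl, sids)
  granted = Hash.new(0)
  denied  = Hash.new(0)
  dacl.each do |ace|
    next unless sids.include?(ace[:sid])
    mask = ace[:mask] & EDIT_BITS
    mask &= ~WRITE_PROP if ace[:object_type]
    bucket = ace[:type] == :deny ? denied : granted
    bucket[ace[:sid]] |= mask
  end
  all_denied = denied.values.reduce(0, :|)
  granted.select { |_sid, mask| (mask & ~all_denied) != 0 }.keys
end

def esc4_vulnerable?(dacl, sids)
  !template_editors(dacl, sids).empty?
end

# Constructed sample: Domain Admins hold GenericAll (expected), Authenticated Users
# were granted WriteProperty (the ESC4 misconfiguration), and Domain Computers
# (RID 515) hold GenericWrite, reachable only through a computer's primary group.
DOMAIN = 'S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_DACL = [
  { type: :allow, sid: "#{DOMAIN}-512",      mask: GENERIC_ALL,   object_type: nil },
  { type: :allow, sid: AUTHENTICATED_USERS, mask: WRITE_PROP,    object_type: nil },
  { type: :allow, sid: "#{DOMAIN}-515",      mask: GENERIC_WRITE, object_type: nil },
]
USER_SIDS     = effective_sids("#{DOMAIN}-1000", [], 513) # plain domain user
COMPUTER_SIDS = effective_sids("#{DOMAIN}-1105", [], 515) # computer account
```

Adding a deny ACE for Authenticated Users on WriteProperty to the sample DACL closes the user's path but leaves the computer account's path through Domain Computers, which is the case a remediation check should keep reporting.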

@smcintyre-r7 smcintyre-r7 merged commit 4a8ad46 into rapid7:master Jan 24, 2025
39 checks passed
@smcintyre-r7
Contributor

Release Notes

This adds support to the existing ldap_esc_vulnerable_cert_finder for identifying certificate templates that are vulnerable to ESC4 from the perspective of the authenticated user.
