ADSelfService-Plus-PoC CVE-2019-12476

ADSelfService Plus version 4.3.3 PoC for an authentication bypass on Windows 10. Affects all versions of Windows

PoC Video

Steps to repoduce

Disconnect from your enterprise network
Connect to your own hotspot
Click on reset password; the thick client browser should error out with a 404 if the password reset web application is hosted in the intranet
Click on search for this site which should open a new internet explorer window.
Press Ctrl S to open file explorer and browse to c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Get System Shell without any authentication required.

Fix

Update to the latest version 5.0.6

Provide feedback