
Use LDAP_SERVER_SD_FLAGS_OID flag to prevent retrieving SACL as a non-admin user #17342

Merged: 4 commits, Dec 8, 2022

Conversation

@gwillcox-r7 (Contributor) commented Dec 7, 2022

Fixes #17324

The SACL part of the ntSecurityDescriptor object in LDAP cannot be retrieved by non-admin users, as noted at https://twitter.com/tifkin_/status/1372628611677753344/photo/1. Also noted in this same photo is that it is possible to get around this by using the 1.2.840.113556.1.4.801 control, aka LDAP_SERVER_SD_FLAGS_OID, with a value of 0x7. With that value we remove bit 8, aka 0x8, or the SACL_SECURITY_INFORMATION bit, so that we no longer retrieve the SACL in our requests. More technical details on this can be found at https://ldapwiki.com/wiki/LDAP_SERVER_SD_FLAGS_OID.

This adjustment requires some changes to the way that net-ldap works though. A monkey patch has been made and is applied in this code whilst I await the fix I pushed up to upstream at https://github.com/ruby-ldap/ruby-net-ldap/pull/411/files to be landed.

This will allow us to specify our own controls for the search requests via an additional control keyword attribute, whereas currently the Net-LDAP code does not support doing this.

Verification

  • Start msfconsole
  • use auxiliary/gather/ldap_esc_vulnerable_cert_finder
  • set BIND_DN <low-priv domain-joined user>
  • set BIND_PW <low-priv domain-joined user password>
  • set RHOST <IP address of ADCS server that is part of the same domain as the domain-joined user>
  • run
  • Verify that before the patch you get an error due to no ntSecurityDescriptor attributes being available to the low privileged user, but now the module works fine.
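As an added stand-alone example, not code from this PR or from net-ldap: the SECURITY_INFORMATION bits behind the 0x7 value described above, and the BER encoding of the LDAP_SERVER_SD_FLAGS_OID control as it appears in a SearchRequest's controls field. Helper names are my own; the bit values follow winnt.h, the value layout MS-ADTS, and the Control structure RFC 4511.

```ruby
# SECURITY_INFORMATION bits from winnt.h; the control's Flags field is their OR.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION  = 0x4
SACL_SECURITY_INFORMATION  = 0x8
# Owner, group and DACL only (0x7): the SACL bit is left out so a non-admin
# bind is not refused the part of the descriptor it cannot read.
NON_ADMIN_SD_FLAGS = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                     DACL_SECURITY_INFORMATION
LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'

# BER length octets: short form below 128, long form (0x80 | byte count) above.
def ber_length(n)
  return [n].pack('C') if n < 128
  bytes = []
  while n > 0
    bytes.unshift(n & 0xff)
    n >>= 8
  end
  ([0x80 | bytes.size] + bytes).pack('C*')
end
# Tag-length-value wrapper; every result is a binary (ASCII-8BIT) string.
def ber_tlv(tag, content)
  [tag].pack('C') + ber_length(content.bytesize) + content.b
end

# INTEGER for non-negative values; a leading 0x00 keeps the sign bit clear.
def ber_integer(value)
  raise ArgumentError, 'non-negative integers only' if value < 0
  bytes = []
  loop do
    bytes.unshift(value & 0xff)
    value >>= 8
    break if value.zero?
  end
  bytes.unshift(0) if bytes.first >= 0x80
  ber_tlv(0x02, bytes.pack('C*'))
end

# controlValue per MS-ADTS: SEQUENCE { Flags INTEGER }
def sd_flags_control_value(flags)
  ber_tlv(0x30, ber_integer(flags))
end
# RFC 4511 Control: SEQUENCE { controlType OCTET STRING, criticality BOOLEAN, controlValue OCTET STRING }
def sd_flags_control(flags, criticality: true)
  ber_tlv(0x30, ber_tlv(0x04, LDAP_SERVER_SD_FLAGS_OID) +
                ber_tlv(0x01, [criticality ? 0xff : 0x00].pack('C')) +
                ber_tlv(0x04, sd_flags_control_value(flags)))
end
```

`sd_flags_control(NON_ADMIN_SD_FLAGS)` yields the 36-byte control a client would attach to its SearchRequest; the inner value is just `30 03 02 01 07`.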

…en retrieving entries so that we don't retrieve the SACL, which cannot be retrieved by nonadmin users.
@gwillcox-r7 (Contributor, Author)

Added a PR to upstream to try to fix the library issue at ruby-ldap/ruby-net-ldap#411. Hopefully this might help us avoid having to hot patch this, but in the event that we do need to, this will open up the opportunity to remove the hotfix should this be merged in upstream.

@sempervictus (Contributor)

Some time ago, I PR'd a bunch of my net-* hacks, including one for net-ldap which converts the upstream libs to use Rex::Socket. That shim could be used for various internal extensions for net-ldap beyond the sockets fix.

…allow us to use controls when search whilst we await an upstream patch in Net::LDAP
@smcintyre-r7 (Contributor) left a review comment

Changes look good to me. I reviewed the changes to the net-ldap lib in the dedicated PR, and the rest is existing code.

I was able to reproduce the original issue and verify this fixed it.

I also tested running the module with a domain admin and ran a couple of queries with the dedicated gather/ldap_query module to ensure that is still working as well.

The only thing I'd suggest, and I can do this while I land it, is adding references to the original issue and the net-ldap PR into the comment you have here for the patch.

@smcintyre-r7 added the rn-fix (release notes fix) label on Dec 8, 2022
smcintyre-r7 added a commit that referenced this pull request on Dec 8, 2022: Use LDAP_SERVER_SD_FLAGS_OID flag to prevent retrieving SACL as a non-admin user
@smcintyre-r7 merged commit e7b20ad into rapid7:master on Dec 8, 2022

@smcintyre-r7 (Contributor)

Release Notes

This adds the necessary control to the search queries used to find vulnerable certificate templates in an ADCS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.

@gwillcox-r7 gwillcox-r7 deleted the fix-esc-finder-normal-user branch December 8, 2022 15:53
Merging this pull request may close the linked issue: LDAP ESC Finder Module Fails with Normal User