
Fix a bug in ACE processing when searching for ESC vulnerabilities #17968

Merged
merged 2 commits into from
May 8, 2023

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented May 5, 2023

This fixes a bug I noticed while working on #17965 where the Certificate Template was not being identified as vulnerable after it had been updated.

The issue was in the ACE processing where only ACEs corresponding to an object were processed for SIDs with enrollment rights. The processing should also process ACEs that grant the enrollment right and are not related to any objects. In other words, only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right should be ignored.

Verification

Using the changes from #17965:

  • Follow the verification steps and after the target template (ESC4-Test) has been updated, run this module
  • This module should identify that the re-configured ESC4-Test template is:
    • Vulnerable to ESC1 because the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set
    • Vulnerable to ESC2 because the pKIExtendedUsage field is empty
    Both of these qualities can be checked with the READ action from the new ad_cs_cert_template module in the aforementioned PR

Demo (New and Improved)

Without these changes, the ESC4-Template would not have been identified as being vulnerable to any of the attacks.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > rerun
[*] Reloading module...
[*] Running module against 192.168.159.10

[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[*] Template: ESC4-Test
[*]    Distinguished Name: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*]    Vulnerable to: ESC1, ESC2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]    Issuing CAs:
[*]       * msflab-DC-CA
[*]          Server: DC.msflab.local
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-3402587289-1488798532-3618296993-519 (Enterprise Admins)
[*]             * S-1-5-21-3402587289-1488798532-3618296993-512 (Domain Admins)

Comment on lines -85 to -91
if (ace_body.access_mask.protocol & CONTROL_ACCESS) != 0 && (object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
if ace_string.match(/DENIED/)
flag_allowed_to_enroll = false
elsif ace_string.match(/ALLOWED/)
flag_allowed_to_enroll = true
allowed_sids << ace_body[:sid].to_s
end
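Review bot: the guard on the first line only admits an ACE whose object_type is one of the two enrollment rights, so an ACE that grants CONTROL_ACCESS with no object type at all (the `(A;;...CR...;;;AU)` form the UPDATE action writes in the test run on this page) never reaches the allow/deny branch and the template reads as non-enrollable. Invert the object check so that only ACEs scoped to some other object type are skipped, and let the caller test `allowed_sids` for emptiness instead of trusting `flag_allowed_to_enroll`, which otherwise holds whatever the last matching ACE set it to.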
Contributor Author

@zeroSteiner zeroSteiner May 5, 2023


This logic was causing the last flag_allowed_to_enroll value to be returned. That means that if the ACL ended in an ACE denying permissions to some account, the entire thing would be ignored. Now the update only processes SIDs that are allowed to enroll. This does contain an issue (that existed prior to these changes) in that if there is an explicit deny of a SID higher in the ACL, it will be ignored. I'm not sure how common this is. The solution I'd propose if this is a concern would be to create a second array of SIDs that are explicitly denied access and print them both for the user so they at least see the information. We don't really do any evaluation of the SIDs so it doesn't seem worthwhile to pursue the non-trivial endeavor of processing the ACEs in order to check if a particular SID (such as the currently authenticated user) matches an entry with a result of either allow or deny. This would mostly be complicated because of the nested groups that AD supports.

Anyways for now, let's just list the SIDs that are allowed and check if that list is empty (which is done by the caller instead of checking flag_allowed_to_enroll).
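The ACE filter described in the PR description and in the comment above, as an added example that is not the Metasploit module's own code: it reads constructed SDDL ACE strings (including the one the UPDATE action writes in the test run on this page), assumes the two extended-right GUIDs from the AD schema and a small SID alias table, and runs the pre-fix and corrected filters side by side, with the denied-SID list the author proposes.

```ruby
# Added example (not the Metasploit module's own code): models the ACE filter
# that PR #17968 corrects. ACEs are read from constructed SDDL ACE strings; the
# two right GUIDs are the AD schema values for those extended rights (assumed),
# and the SID alias table covers only what this example needs.

CONTROL_ACCESS = 0x100 # ADS_RIGHT_DS_CONTROL_ACCESS, "CR" in SDDL
CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
ENROLL_RIGHTS = [CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT,
                 CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT].freeze

DOMAIN_SID = 'S-1-5-21-583768849-728913032-1533249101' # domain SID from the PR's test lab
SDDL_RIGHTS = { 'CR' => CONTROL_ACCESS, 'RP' => 0x10, 'WP' => 0x20 }.freeze
SDDL_SIDS = { 'AU' => 'S-1-5-11', 'DU' => "#{DOMAIN_SID}-513" }.freeze

# Minimal SDDL ACE reader: "(type;flags;rights;object_guid;inherit_guid;sid)".
# Rights codes not in SDDL_RIGHTS contribute nothing to the mask.
def parse_sddl_ace(text)
  type, _flags, rights, object_guid, _inherit, sid = text.delete('()').split(';', -1)
  mask = rights.scan(/../).sum { |code| SDDL_RIGHTS.fetch(code, 0) }
  { type: type.end_with?('D') ? :deny : :allow, # A/OA allow, D/OD deny
    mask: mask,
    object_type: object_guid.empty? ? nil : object_guid.downcase,
    sid: SDDL_SIDS.fetch(sid, sid) }
end

# Pre-fix filter, the shape of the removed lines: an ACE only counts when its
# object type names one of the two rights, and the returned flag is whatever
# the last such ACE set it to.
def enrollment_sids_before(aces)
  flag_allowed_to_enroll = false
  allowed_sids = []
  aces.each do |ace|
    next unless (ace[:mask] & CONTROL_ACCESS) != 0 && ENROLL_RIGHTS.include?(ace[:object_type])
    if ace[:type] == :deny
      flag_allowed_to_enroll = false
    else
      flag_allowed_to_enroll = true
      allowed_sids << ace[:sid]
    end
  end
  { enrollable: flag_allowed_to_enroll, allowed: allowed_sids }
end

# Corrected filter: skip only ACEs scoped to some *other* object type, since an
# ACE with no object type grants its whole mask, enrollment included. Denied
# SIDs go to their own list (the PR author's suggested extension) instead of
# clobbering a single flag; enrollability is simply "at least one SID allowed".
def enrollment_sids_after(aces)
  allowed_sids = []
  denied_sids = []
  aces.each do |ace|
    next if (ace[:mask] & CONTROL_ACCESS).zero?
    next if ace[:object_type] && !ENROLL_RIGHTS.include?(ace[:object_type])
    (ace[:type] == :deny ? denied_sids : allowed_sids) << ace[:sid]
  end
  { enrollable: !allowed_sids.empty?, allowed: allowed_sids.uniq, denied: denied_sids.uniq }
end

# Constructed ACLs. The first is the single ACE the ad_cs_cert_template UPDATE
# action wrote in the PR's test run; the second has an object-typed allow
# followed by an explicit deny for a made-up RID 1104.
ESC4_TEST_ACL = ['(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'].map { |s| parse_sddl_ace(s) }
TRAILING_DENY_ACL = [
  "(OA;;CR;#{CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT};;DU)",
  "(OD;;CR;#{CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT};;#{DOMAIN_SID}-1104)"
].map { |s| parse_sddl_ace(s) }

if __FILE__ == $PROGRAM_NAME
  { 'ESC4-Test ACL' => ESC4_TEST_ACL, 'trailing deny ACL' => TRAILING_DENY_ACL }.each do |name, acl|
    puts "#{name}: before=#{enrollment_sids_before(acl)} after=#{enrollment_sids_after(acl)}"
  end
end
```

On the first ACL the old filter reports nothing enrollable although Authenticated Users hold control access; on the second it reports the template non-enrollable purely because the ACL ends in a deny.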

Contributor

@gwillcox-r7 gwillcox-r7 left a comment


Minor changes suggested. Main issue was not checking for a flag we were checking for before. Otherwise looks good!

@gwillcox-r7 gwillcox-r7 self-assigned this May 8, 2023
@gwillcox-r7
Contributor

Before:

msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder 
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   BASE_DN                                no        LDAP base DN if you already have it
   DOMAIN                                 no        The domain to authenticate to
   PASSWORD                               no        The password to authenticate with
   REPORT_NONENROLLABLE  false            yes       Report nonenrollable certificate templates
   RHOSTS                                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 389              yes       The target port
   SSL                   false            no        Enable SSL on the LDAP connection
   USERNAME                               no        The username to authenticate with


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
DOMAIN => DAFOREST
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD theAdmin123
PASSWORD => theAdmin123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > exploit
[*] Running module against 192.168.204.136

[*] Discovering base DN automatically
[+] 192.168.204.136:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: ESC1-Template
[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-513 (Domain Users)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: User
[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-513 (Domain Users)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: Administrator
[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: Machine
[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-515 (Domain Computers)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Template: DomainController
[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-498 (Enterprise Read-only Domain Controllers)
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-516 (Domain Controllers)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]       * S-1-5-9 (Enterprise Domain Controllers)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >

There was an issue in the ACE processing where only ACEs corresponding
to an object were processed for SIDs with enrollment rights. The
processing should also process ACEs that grant the enrollment right and
are not related to any objects. In other words, only ACEs associated
with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT
or CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right should be ignored.
@gwillcox-r7
Contributor

With updates:

msf6 > use auxiliary/admin/dcerpc/icpr_cert 
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.203.136
RHOSTS => 192.168.203.136
msf6 auxiliary(admin/dcerpc/icpr_cert) > show otpions
[-] Invalid parameter "otpions", use "show -h" for more information
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   ALT_DNS                         no        Alternative certificate DNS
   ALT_UPN                         no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                              yes       The target certificate authority
   CERT_TEMPLATE  User             yes       The certificate template
   ON_BEHALF_OF                    no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                             no        Certificate to request on behalf of
   RHOSTS         192.168.203.136  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        The Windows domain to use for authentication
   SMBPass                         no        The password for the specified username
   SMBUser                         no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
SMBDomain => DAFOREST
msf6 auxiliary(admin/dcerpc/icpr_cert) > set USERNAME normal
USERNAME => normal
msf6 auxiliary(admin/dcerpc/icpr_cert) > set password normal123
password => normal123
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options

Module options (auxiliary/admin/dcerpc/icpr_cert):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   ALT_DNS                         no        Alternative certificate DNS
   ALT_UPN                         no        Alternative certificate UPN (format: USER@DOMAIN)
   CA                              yes       The target certificate authority
   CERT_TEMPLATE  User             yes       The certificate template
   ON_BEHALF_OF                    no        Username to request on behalf of (format: DOMAIN\USER)
   PFX                             no        Certificate to request on behalf of
   RHOSTS         192.168.203.136  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain      DAFOREST         no        The Windows domain to use for authentication
   SMBPass        normal123        no        The password for the specified username
   SMBUser        normal           no        The username to authenticate as


Auxiliary action:

   Name          Description
   ----          -----------
   REQUEST_CERT  Request a certificate



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BRSHGJGIDFM-CA
CA => daforest-WIN-BRSHGJGIDFM-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC4-Template
CERT_TEMPLATE => ESC4-Template
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
ALT_UPN => Administrator@daforest.com
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.204.136

[-] 192.168.204.136:445 - There was an error while requesting the certificate.
[-] 192.168.204.136:445 - Denied by Policy Module
[-] 192.168.204.136:445 - Error details:
[-] 192.168.204.136:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
[-] 192.168.204.136:445 -   HRESULT: (0x80094812) CERTSRV_E_SUBJECT_EMAIL_REQUIRED: The email name is unavailable and cannot be added to the Subject or Subject Alternate name.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

Shows that we can't access the ALT_UPN field on ESC4-Template as the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set in the msPKI-Certificate-Name-Flag field.

       =[ metasploit v6.3.14-dev-c95f406c5e               ]
+ -- --=[ 2312 exploits - 1207 auxiliary - 412 post       ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Metasploit can be configured at startup, see 
msfconsole --help to learn more
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/admin/ldap/ad_cs_cert_template 
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME normal
USERNAME => normal
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD normal123
PASSWORD => normal123
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Template
CERT_TEMPLATE => ESC4-Template
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
ACTION => UPDATE
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
[*] Running module against 192.168.204.136

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.204.136:389 Getting root DSE
[+] 192.168.204.136:389 Discovered base DN: DC=daforest,DC=com
[+] Read certificate template data for: CN=ESC4-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*] Certificate template data written to: /home/gwillcox/.msf4/loot/20230508165115_default_192.168.204.136_windows.ad.cs.te_473755.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/ad_cs_cert_template) >

Now to test the new updates:

msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder 
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normal
USERNAME => normal
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normal123
PASSWORD => normal123
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
DOMAIN => DAFOREST
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   BASE_DN                                no        LDAP base DN if you already have it
   DOMAIN                DAFOREST         no        The domain to authenticate to
   PASSWORD              normal123        no        The password to authenticate with
   REPORT_NONENROLLABLE  false            yes       Report nonenrollable certificate templates
   RHOSTS                192.168.204.136  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 389              yes       The target port
   SSL                   false            no        Enable SSL on the LDAP connection
   USERNAME              normal           no        The username to authenticate with


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > exploit
[*] Running module against 192.168.204.136

[*] Discovering base DN automatically
[+] 192.168.204.136:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: ESC1-Template
[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-513 (Domain Users)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: ESC4-Template
[*]    Distinguished Name: CN=ESC4-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: User
[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-513 (Domain Users)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: Administrator
[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: Machine
[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-515 (Domain Computers)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Template: DomainController
[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-583768849-728913032-1533249101-498 (Enterprise Read-only Domain Controllers)
[*]       * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*]       * S-1-5-21-583768849-728913032-1533249101-516 (Domain Controllers)
[*]       * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]       * S-1-5-9 (Enterprise Domain Controllers)
[*]    Issuing CAs:
[*]       * daforest-WIN-BRSHGJGIDFM-CA
[*]          Server: WIN-BRSHGJGIDFM.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
[*]             * S-1-5-21-583768849-728913032-1533249101-519 (Enterprise Admins)
[*]             * S-1-5-21-583768849-728913032-1533249101-512 (Domain Admins)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 

@gwillcox-r7
Contributor

Everything looks good, will get this landed so long now!

@gwillcox-r7 gwillcox-r7 merged commit 6dbee6e into rapid7:master May 8, 2023
@gwillcox-r7
Contributor

gwillcox-r7 commented May 8, 2023

Release Notes

A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.

Labels
bug module rn-fix release notes fix