Secure Bits 🛡️
Have you ever heard of ESC vulnerabilities? I guess you have.
If you're running Active Directory Certificate Services (AD CS) and haven't audited it for ESC misconfigurations, you may be sitting on a ticking time bomb. 💣
🎯 ESC vulnerabilities (Enterprise PKI Escalation Paths) are incredibly common and highly dangerous. Yet… most environments I assess treat AD CS like a black box: "It's working, so let's not touch it."
But attackers love AD CS: it often lets them escalate to Domain Admin using just a basic user account. No exploits. Just misconfigurations.
Let's break down ESC1 👇
ESC1 = Certificate Template Misconfig
It lets a regular user request a certificate that can later be used to authenticate as someone else, including privileged accounts.
To be vulnerable, all of these must be true for a template that an Enterprise CA publishes:
✅ Non-privileged users can enroll in the certificate template (the template's Enroll right is granted to a group such as Domain Users or Authenticated Users)
✅ Manager approval is not required (the CT_FLAG_PEND_ALL_REQUESTS enrollment flag is not set)
✅ No authorized signature is required (msPKI-RA-Signature is 0)
✅ The template permits client authentication (an EKU of Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose, or no EKU at all)
✅ The requester can define the Subject Alternative Name (SAN) (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set)
End result?
A low-privileged user requests a certificate with a privileged account's UPN in the SAN, then authenticates as that account (for example via PKINIT to get a TGT), so anyone, including a Domain Admin, can be impersonated.
🛠️ How to check your environment:
There are free tools for this:
🔹 ADProbe, my AD vulnerability scanner
🔹 Locksmith by Jake Hildreth, which covers almost all ESC vulnerabilities
🔹 …
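If you want to see the five conditions applied by hand before reaching for a scanner, the PowerShell below is an added example for this post (not code from ADProbe, Locksmith or the original post). It reads the certificate templates and Enterprise CA objects from the Configuration partition over ADSI and reports templates that meet every ESC1 condition and are published on a CA. Assumptions: it runs on a domain-joined Windows host under Windows PowerShell 5.1 or later as any domain user; the set of "low-privileged" principals (Everyone, Authenticated Users, Domain Users, Domain Computers) is a choice made here; and it does not check the CA's own enrollment permissions, which an attacker also needs.

```powershell
# ESC1 template audit - added example, not ADProbe or Locksmith code.
# Assumes a domain-joined host; any domain user can read templates and their DACLs by default.

# Flag and OID constants from the certificate template schema
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: requester sets subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: CA certificate manager approval
$CertificateEnrollmentRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Find-Esc1Template {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # "Low privileged" principals (assumption of this example): Everyone, Authenticated Users,
    # Domain Users (RID 513) and Domain Computers (RID 515) of the current user's domain.
    $domainSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")

    # A template is only reachable if some Enterprise CA publishes it
    $publishedOn = @{}
    foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
        foreach ($tpl in $ca.Properties['certificateTemplates']) {
            $publishedOn[$tpl] = $ca.Properties['name'].Value
        }
    }

    foreach ($t in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
        $name       = $t.Properties['name'].Value
        $nameFlags  = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
        $enrolFlags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value
        $ekus       = @($t.Properties['pKIExtendedKeyUsage'])

        $supplySan    = ($nameFlags  -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needApproval = ($enrolFlags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # A template with no EKU at all is usable for any purpose, including authentication
        $allowsAuth   = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })

        # Low-privileged principals holding Enroll (the extended right or All Extended Rights) or GenericAll
        $enrollers = foreach ($ace in $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
            $rights    = $ace.ActiveDirectoryRights
            $hasEnroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                         ($ace.ObjectType -eq $CertificateEnrollmentRight -or $ace.ObjectType -eq [guid]::Empty)
            if ($hasEnroll -or $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
                $ace.IdentityReference.Value
            }
        }

        if ($supplySan -and -not $needApproval -and $raSigs -eq 0 -and $allowsAuth -and
            $enrollers -and $publishedOn.ContainsKey($name)) {
            $ekuText = if ($ekus.Count) { $ekus -join ', ' } else { '(none = any purpose)' }
            [pscustomobject]@{
                Template      = $name
                PublishedOn   = $publishedOn[$name]
                LowPrivEnroll = ($enrollers | Sort-Object -Unique) -join ', '
                EKU           = $ekuText
            }
        }
    }
}

Find-Esc1Template | Format-Table -AutoSize
```

An empty result means no published template meets all five conditions for the principals listed; it does not prove the environment is clean, since a custom group that every user happens to be in, or group nesting through Authenticated Users, is not resolved here. Treat each hit as "confirm by requesting a certificate in a test account" rather than as a final verdict.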
🎯 There are 16 ESCs in total.
Iโll be covering them in upcoming Secure Bits posts.
Did you already know what ESC1 was about?
