Secure Bits 💡
We're back with the next post in the ESC Vulnerability series.
Today, we're diving into ESC3, one of the more overlooked but equally dangerous AD CS misconfigs. If you missed the previous ones, check out ESC1 and ESC2 for context.
Let's jump into ESC3
ESC3 = Enrollment Agent Abused
This one's a big deal: it lets a non-privileged user act as an enrollment agent, which is a certificate authority in disguise. If ESC3 exists in your environment, an attacker can request and obtain certificates on behalf of any identity, including Domain Admins.
How does ESC3 happen?
✅ Non-privileged users can enroll in the template
✅ Manager approval is not required
✅ No authorized signature is required
✅ Template contains the Certificate Request Agent EKU
✅ No restrictions placed on who can use Enrollment Agent templates
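A defender-side check for the four template-level conditions above, added here as an example and not taken from ADProbe, Locksmith or Certipy. It assumes a domain-joined Windows host with PowerShell 5 or later; the set of groups it treats as "non-privileged" is my assumption, so add your own broad groups as needed.

```powershell
function Find-Esc3Template {
    # Added example (not ADProbe, Locksmith or Certipy code). Reads the certificate templates in the
    # Configuration partition, which any domain user can read by default, and returns those meeting
    # the four template-level ESC3 conditions. The fifth condition lives on the CA, not the template.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = $rootDse.configurationNamingContext.Value
    $domainNc  = $rootDse.defaultNamingContext.Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    # Domain SID, needed to build the Domain Users (RID 513) and Domain Computers (RID 515) SIDs.
    $domainSid = [System.Security.Principal.SecurityIdentifier]::new(([ADSI]"LDAP://$domainNc").objectSid.Value, 0)
    # Assumed "non-privileged" principals: Everyone, Authenticated Users, Domain Users, Domain Computers.
    $lowPriv = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")

    $agentEku        = '1.3.6.1.4.1.311.20.2.1'                        # Certificate Request Agent EKU OID
    $enrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $pendAllRequests = 0x2                                              # msPKI-Enrollment-Flag bit: manager approval

    foreach ($t in $container.Children) {
        $ekus = @($t.Properties['pKIExtendedKeyUsage'])
        if ($ekus -notcontains $agentEku) { continue }                  # needs the Certificate Request Agent EKU

        $enrollFlag = [int]@($t.Properties['msPKI-Enrollment-Flag'])[0]
        if ($enrollFlag -band $pendAllRequests) { continue }            # manager approval required: not ESC3
        $raSignatures = [int]@($t.Properties['msPKI-RA-Signature'])[0]
        if ($raSignatures -gt 0) { continue }                           # authorized signature required: not ESC3

        # Who can enroll? Allow ACEs granting the Enroll extended right (or GenericAll) to a broad principal.
        $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $enrollers = foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $hasExtRight = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $isEnroll = $hasExtRight -and ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [Guid]::Empty)
            $isAll    = $ace.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
            if (($isEnroll -or $isAll) -and ($lowPriv -contains $ace.IdentityReference.Value)) {
                $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            }
        }
        if ($enrollers) {
            [PSCustomObject]@{ Template = $t.Properties['cn'].Value; LowPrivEnrollers = (@($enrollers) -join ', ') }
        }
    }
}

Find-Esc3Template | Format-Table -AutoSize
```

The last condition, which principals the CA allows to act as enrollment agents, is configured on the CA (the Enrollment Agents tab in the CA's properties in certsrv.msc), not on the template, so check it there separately.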
What does the attacker do?
1️⃣ Enrolls in the vulnerable Enrollment Agent template
2️⃣ Uses the resulting cert to request a new certificate for any other user (e.g., Domain Admin)
➡️ This needs a second template worth requesting on that user's behalf, for example one with an authentication EKU, which is what makes impersonation possible
3️⃣ Authenticates as that user: game over.
Want to test your environment?
Check out tools like:
🔹 ADProbe (my security auditing tool)
🔹 Locksmith by Jake Hildreth
🔹 Certipy
🔹 …
Did you already know about ESC3? Or is this a blind spot for your org?
