ESC Vulnerabilities

🔒 Secure Bits 💡
From Vendor Integration to Domain Admin — ESC1, ESC3 & ESC4 in the Wild

Vendors love certificate templates.
Unfortunately, many of them unknowingly love ESC1, ESC3, and ESC4 paths just as much.

In this must-read two-part series, @DebugPrivilege (on X) analyzed over a dozen vendor setups (Citrix, Cisco, Microsoft Intune, Oracle, Kandji, Netskope, Veridium, Delinea, and others) — all guiding you to create dangerous AD CS template configurations that open real attack paths in your environment.

๐—›๐—ถ๐—ด๐—ต๐—น๐—ถ๐—ด๐—ต๐˜๐˜€:
โš ๏ธ Templates duplicated from User, Computer, or Enrollment Agent
โš ๏ธ Supply in request enabled
โš ๏ธ Enroll or even Write permissions given to Authenticated Users
โš ๏ธ Some grant Full Control on templates (!)

👉 The result?
Attackers (or low-privileged users) can request certificates impersonating Domain Admins, or modify safe templates to make them exploitable.

📌 This isn't vendor bashing — it's about real-world risk and what to audit in your environment.
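As an added, defender-side example (not code from the linked articles or from @DebugPrivilege), the PowerShell below enumerates the certificate templates in the Configuration partition and reports the ones matching the conditions listed above: "Supply in request" plus an authentication EKU and broad Enroll rights (ESC1), a broadly enrollable Enrollment Agent template (ESC3), and Write/Full Control on the template object for broad groups (ESC4). The function names Find-RiskyTemplates and Test-BroadPrincipal are illustrative; the flag bits, EKU OIDs and the Certificate-Enrollment right GUID are Microsoft-documented values. It assumes the ActiveDirectory module and an account that can read the Configuration partition.

```powershell
# Added audit example: flag AD CS templates matching the ESC1 / ESC3 / ESC4
# patterns described in the post. Not code from the linked articles.
# Assumes the ActiveDirectory module; function names are illustrative.
Import-Module ActiveDirectory

# Documented AD CS flag bits and EKU OIDs
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # CA manager approval required
$AuthEkus = @('1.3.6.1.5.5.7.3.2',          # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',     # Smart Card Logon
              '1.3.6.1.5.2.3.4',            # PKINIT Client Authentication
              '2.5.29.37.0')                # Any Purpose
$RequestAgentEku = '1.3.6.1.4.1.311.20.2.1' # Certificate Request Agent (ESC3)
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right

# Principals that effectively mean "every account in the domain"
$domainSid = (Get-ADDomain).DomainSID.Value
$BroadSids = @('S-1-5-11', 'S-1-1-0', "$domainSid-513", "$domainSid-515")  # Authenticated Users, Everyone, Domain Users, Domain Computers

function Test-BroadPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }
    return ($BroadSids -contains $sid)
}

function Find-RiskyTemplates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature',
             'pKIExtendedKeyUsage','nTSecurityDescriptor'
    $R = [System.DirectoryServices.ActiveDirectoryRights]

    foreach ($t in Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props) {
        $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
        $eku = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
        # No EKU at all means "all purposes", which also allows authentication
        $allowsAuth = ($eku.Count -eq 0) -or (@($eku | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

        $broadEnroll = $false; $broadWrite = $false
        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-BroadPrincipal $ace.IdentityReference)) { continue }
            $rights = $ace.ActiveDirectoryRights
            $allObjects = ($ace.ObjectType -eq [guid]::Empty)
            # Enroll right, or all extended rights / GenericAll (both include it)
            if ((($rights -band $R::ExtendedRight) -ne 0) -and ($allObjects -or $ace.ObjectType -eq $EnrollRight)) { $broadEnroll = $true }
            # Rights that let the holder rewrite the template itself (ESC4)
            if ((($rights -band $R::WriteDacl) -ne 0) -or (($rights -band $R::WriteOwner) -ne 0) -or
                ((($rights -band $R::WriteProperty) -ne 0) -and $allObjects)) { $broadWrite = $true }
        }

        $esc1 = $broadEnroll -and $suppliesSubject -and $allowsAuth -and -not $needsApproval -and -not $needsSignature
        $esc3 = $broadEnroll -and ($eku -contains $RequestAgentEku) -and -not $needsApproval -and -not $needsSignature
        $esc4 = $broadWrite
        if ($esc1 -or $esc3 -or $esc4) {
            [pscustomobject]@{ Template = $t.Name; ESC1 = $esc1; ESC3 = $esc3; ESC4 = $esc4 }
        }
    }
}

Find-RiskyTemplates | Format-Table -AutoSize
```

Two caveats on what this check does and does not cover: the ESC3 column only flags the first half of that path (an Enrollment Agent template that broad groups can enroll in), not whether a second template accepts agent-signed requests or whether the CA restricts enrollment agents; and the ESC4 column looks only at ACEs granted directly to the broad groups, so rights inherited through nested group membership or template ownership still need to be reviewed by hand. Templates the script reports are candidates for removing the "Supply in request" flag, tightening Enroll to a dedicated group, requiring manager approval, or restoring the default template ACL.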

🔗 Full read (Part 1 & 2):
https://medium.com/@Debugger/from-vendor-to-esc1-ed32281b7ea7
https://medium.com/@Debugger/from-vendor-to-esc3-esc4-3f7d2d9fbde7

💬 Are you checking certificate templates from vendor integrations during your audits?