ESC2

Description

ESC2 works on the same core principle as ESC1: a low-privileged user or group can supply a subjectAltName (SAN) for any other user or machine in Active Directory. In ESC1 the template's Extended Key Usage (EKU) must include "Client Authentication" (or another EKU that permits domain authentication) for the attack to be valid. ESC2, by comparison, is where the EKU is set to "Any Purpose" or the template specifies no EKU at all.

The attack method follows ESC1 almost exactly; only the prerequisites differ slightly.

Requirements for attack path

  • ENROLLEE_SUPPLIES_SUBJECT flag present in the certificate template

  • Enrollment rights granted to a user or group we control

  • EKU set to "Any Purpose", or no EKU at all

  • Manager approval not enabled

  • Authorized signatures not required

If ENROLLEE_SUPPLIES_SUBJECT is NOT present but the following conditions are met:

  • Enrollment rights granted to a user or group we control

  • EKU set to "Any Purpose", or no EKU at all

  • Manager approval not enabled

  • Authorized signatures not required

then a certificate issued from the template can be used as an enrollment agent (Certificate Request Agent) certificate, because both "Any Purpose" and the absence of an EKU cover that usage, and the attack becomes ESC3. In that case follow the guidance on the ESC3 page, bearing in mind that ESC3 additionally needs a second template that allows enrollment on behalf of another user.

Windows

Enumeration

.\Certify.exe find /vulnerable /enabled

Performing the attack

Depending on the certificate template configuration, we have two options, as stated at the top of this page. If the ESC2 path is viable (ENROLLEE_SUPPLIES_SUBJECT is set), follow the attack steps on the ESC1 page; the only change is the name of the template you request from.

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, request a certificate from it and use that certificate as the enrollment agent in the steps on the ESC3 page.

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout

Performing the attack

Depending on the certificate template configuration, we have two options, as stated at the top of this page. If the ESC2 path is viable (ENROLLEE_SUPPLIES_SUBJECT is set), follow the attack steps on the ESC1 page; the only change is the name of the template you request from.

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, request a certificate from it and use that certificate as the enrollment agent in the steps on the ESC3 page.

Mitigations

  • Remove the "Any Purpose" EKU from the template; every template should carry a specific, minimal set of EKUs

  • Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate template

  • Require CA certificate manager approval on the template

  • Require authorized signatures

  • Remove weak enrollment permissions from the template
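As an added example (not part of the original page, and not Certify's or Certipy's own code), the Python below encodes the two requirement lists from the top of this page and the mitigations above as a check over certificate template attributes. The attribute names, flag bits and EKU OIDs are the real Active Directory values; the templates themselves are constructed samples, and the low_priv_can_enroll verdict is an assumed input (deriving it from the template's nTSecurityDescriptor is left to the caller).

```python
# Added example: classify AD CS templates for the ESC2 conditions described on
# this page, and show which mitigations clear the finding. Sample templates
# are constructed, not taken from a real domain.
from dataclasses import dataclass, replace as dc_replace

# Well-known EKU OIDs
ANY_PURPOSE = "2.5.29.37.0"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = frozenset({CLIENT_AUTH, SMARTCARD_LOGON, PKINIT_CLIENT_AUTH})

# Template flag bits (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester picks subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signatures: int        # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset           # pKIExtendedKeyUsage; empty set = no EKU at all
    low_priv_can_enroll: bool # assumed input: Enroll right held by a principal we control
    enabled: bool = True      # assumed input: template is published on a CA


def enrollee_supplies_subject(t: Template) -> bool:
    return bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def manager_approval_required(t: Template) -> bool:
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def any_purpose_or_no_eku(t: Template) -> bool:
    return (not t.ekus) or (ANY_PURPOSE in t.ekus)


def issuance_controls_are_weak(t: Template) -> bool:
    """Shared precondition: low-priv enrollment, no approval, no signatures."""
    return (t.enabled and t.low_priv_can_enroll
            and not manager_approval_required(t) and t.ra_signatures == 0)


def classify(t: Template) -> list:
    """Return the findings for one template ("ESC2", "ESC2->ESC3" or "ESC1")."""
    findings = []
    if not issuance_controls_are_weak(t):
        return findings
    if any_purpose_or_no_eku(t):
        if enrollee_supplies_subject(t):
            findings.append("ESC2")         # attacker picks the SAN: run the ESC1 steps
        else:
            findings.append("ESC2->ESC3")   # no SAN control: cert works as an enrollment agent
    elif enrollee_supplies_subject(t) and (t.ekus & AUTH_EKUS):
        findings.append("ESC1")
    return findings


def harden(t: Template, specific_ekus, strip_subject_flag=True, require_approval=True) -> Template:
    """Apply the listed mitigations: specific EKUs, no enrollee-supplied subject, manager approval."""
    name_flag = (t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) if strip_subject_flag else t.name_flag
    enrollment_flag = (t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS) if require_approval else t.enrollment_flag
    return dc_replace(t, ekus=frozenset(specific_ekus), name_flag=name_flag, enrollment_flag=enrollment_flag)


# Constructed sample templates (names and values are illustrative).
SAMPLES = [
    Template("AnyPurposeWithSAN", 0x1, 0x0, 0, frozenset({ANY_PURPOSE}), True),
    Template("NoEkuNoSAN", 0x0, 0x0, 0, frozenset(), True),
    Template("ClientAuthWithSAN", 0x1, 0x0, 0, frozenset({CLIENT_AUTH}), True),
    Template("AnyPurposeAdminOnly", 0x1, 0x0, 0, frozenset({ANY_PURPOSE}), False),
    Template("AnyPurposeApproved", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, frozenset({ANY_PURPOSE}), True),
]


def report(templates=SAMPLES) -> dict:
    return {t.name: classify(t) for t in templates}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name:22} {', '.join(findings) or 'no finding'}")
    # Removing "Any Purpose" alone is enough to clear ESC2 on the first sample.
    fixed = harden(SAMPLES[0], {SERVER_AUTH}, strip_subject_flag=False, require_approval=False)
    print(f"{fixed.name} with Server Authentication only: {classify(fixed) or 'no finding'}")
```

Note that the second sample ("NoEkuNoSAN") is reported as the ESC3 variant rather than as safe: the requester cannot choose a SAN, but a certificate with no EKU still covers Certificate Request Agent usage, which is exactly the fallback described at the top of this page.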
