Update the ldap_esc_vulnerable_cert_finder to check enrollment permissions #20471

Merged

Conversation

@zeroSteiner zeroSteiner commented Aug 15, 2025

This is a draft but the TL;DR is that the ldap_esc_vulnerable_cert_finder will now check for enrollment permissions on both the template and CA server. This means users can filter their results to only show templates that are vulnerable and that they have the necessary permissions to enroll in. See the REPORT datastore option's new documentation.

The new permissions allow us to detect when a particular user can enroll in a certificate and issue it, enabling us to call this out to the operator since it's actionable. Previously, operators would see templates that have a misconfiguration and are published but that they may or may not have permissions to issue. This is still the default behavior due to the default setting of REPORT=vulnerable-and-published.

The REPORT setting is divided up into levels of increasingly strict filtering which can be used based on what information the operator wants:

  • all -- show all templates
  • vulnerable -- show templates that have at least 1 misconfiguration technique flagged, whether or not you can issue it or if it's even published
  • vulnerable-and-published -- the above but the template is at least published by 1 CA that presumably someone can issue from, maybe not you but someone
  • vulnerable-and-enrollable -- the above but meeting the requirements for you to exploit it which is generally that you can enroll in it with the exception of ESC9, ESC10 and ESC16 where it's if the user you can write to can enroll in it

Verification

  • Run the module against a server with configured ESC vulnerabilities
  • Run with REPORT=all and see all certificate templates, regardless of whether or not they have a misconfiguration or are even published.
  • Run with REPORT=vulnerable-and-enrollable and only see certificate templates with vulnerabilities you can exploit. Templates that are "vulnerable" but that you don't have the permissions to should now be hidden.
  • Run with REPORT=vulnerable-and-published and see pretty much the same results as the old behavior. The notable changes are that we check for ESC16 and flag it as potentially vulnerable, and that the permissions for the template object are displayed.

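The four REPORT levels above are a chain of increasingly strict filters, and the last one hinges on checking enrollment rights on both the template ACL and the CA ACL, with the ESC9/ESC10/ESC16 exception where the account that must be able to enroll is one the operator can write to. The Ruby below is an added illustration of that logic and is not the module's own code: the Template, IssuingCA and Principal structs, the `report?`/`filter_templates` functions and all sample templates, CAs and principals are constructed for this example (the SID prefix and CA name mirror the test output further down), "potentially vulnerable" flags are assumed to count toward "vulnerable", and the "user you can write to" is modelled as a list of principals passed in by the caller.

```ruby
require 'set'

# Added example, not code from the Metasploit module: models the REPORT levels
# described in the PR. Every template, CA and principal below is constructed
# sample data; the SID prefix mirrors the one shown in the test output.
DOMAIN_SID = 'S-1-5-21-2324486357-3075865580-3606784161'
AUTHENTICATED_USERS = 'S-1-5-11' # present in every authenticated principal's token

Template  = Struct.new(:name, :vulnerable_to, :potentially_vulnerable_to,
                       :enrollment_sids, :issuing_cas, keyword_init: true)
IssuingCA = Struct.new(:name, :enrollment_sids, keyword_init: true)
Principal = Struct.new(:name, :sid, :group_sids, keyword_init: true)

REPORT_LEVELS = %w[all vulnerable vulnerable-and-published vulnerable-and-enrollable].freeze
# Techniques where the account that must be able to enroll is one the operator
# can write to, not the operator itself (the exception named in the PR text).
INDIRECT_TECHNIQUES = %w[ESC9 ESC10 ESC16].freeze

def token_sids(principal)
  Set.new([principal.sid, AUTHENTICATED_USERS] + principal.group_sids)
end

# Enrollment needs a grant on the template ACL *and* on the issuing CA's ACL.
def can_enroll?(template, ca, principal)
  sids = token_sids(principal)
  template.enrollment_sids.any? { |s| sids.include?(s) } &&
    ca.enrollment_sids.any? { |s| sids.include?(s) }
end

def enrollable_cas(template, cas, principal)
  template.issuing_cas.map { |n| cas.fetch(n) }
          .select { |ca| can_enroll?(template, ca, principal) }
end

# Assumption: "potentially vulnerable" flags count as flagged for filtering.
def flagged_techniques(template)
  template.vulnerable_to + template.potentially_vulnerable_to
end

def exploitable?(template, cas, operator, writable_accounts)
  techniques = flagged_techniques(template)
  direct   = techniques - INDIRECT_TECHNIQUES
  indirect = techniques & INDIRECT_TECHNIQUES
  return true if direct.any? && enrollable_cas(template, cas, operator).any?
  indirect.any? && writable_accounts.any? { |acct| enrollable_cas(template, cas, acct).any? }
end

def report?(template, level, cas:, operator:, writable_accounts: [])
  raise ArgumentError, "unknown REPORT level: #{level}" unless REPORT_LEVELS.include?(level)
  return true  if level == 'all'
  return false if flagged_techniques(template).empty?
  return true  if level == 'vulnerable'
  return false if template.issuing_cas.empty? # not published by any CA
  return true  if level == 'vulnerable-and-published'
  exploitable?(template, cas, operator, writable_accounts)
end

def filter_templates(templates, level, **opts)
  templates.select { |t| report?(t, level, **opts) }.map(&:name)
end

# --- constructed sample data ---
CAS = {
  'kerberos-DC2-CA' => IssuingCA.new(name: 'kerberos-DC2-CA',
                                     enrollment_sids: [AUTHENTICATED_USERS, "#{DOMAIN_SID}-519"])
}.freeze
USER2 = Principal.new(name: 'user2', sid: "#{DOMAIN_SID}-1609", group_sids: ["#{DOMAIN_SID}-513"])
USER3 = Principal.new(name: 'user3', sid: "#{DOMAIN_SID}-1604", group_sids: ["#{DOMAIN_SID}-513"])

TEMPLATES = [
  # no misconfiguration and not published: only REPORT=all shows it
  Template.new(name: 'CrossCA', vulnerable_to: [], potentially_vulnerable_to: [],
               enrollment_sids: ["#{DOMAIN_SID}-512", "#{DOMAIN_SID}-519"], issuing_cas: []),
  # ESC1/ESC2, published, Domain Users may enroll: shown at every level for user2
  Template.new(name: 'Copy of User', vulnerable_to: %w[ESC1 ESC2], potentially_vulnerable_to: [],
               enrollment_sids: ["#{DOMAIN_SID}-512", "#{DOMAIN_SID}-513", "#{DOMAIN_SID}-519"],
               issuing_cas: ['kerberos-DC2-CA']),
  # vulnerable and published, but only Domain Admins may enroll: hidden at the strictest level
  Template.new(name: 'AdminOnly', vulnerable_to: %w[ESC1], potentially_vulnerable_to: [],
               enrollment_sids: ["#{DOMAIN_SID}-512"], issuing_cas: ['kerberos-DC2-CA']),
  # vulnerable but no CA publishes it: hidden from vulnerable-and-published onward
  Template.new(name: 'Unpublished', vulnerable_to: %w[ESC1], potentially_vulnerable_to: [],
               enrollment_sids: [AUTHENTICATED_USERS], issuing_cas: []),
  # only user3 may enroll; enrollable for user2 only because user2 can write to user3
  Template.new(name: 'IndirectOnly', vulnerable_to: [], potentially_vulnerable_to: %w[ESC9 ESC10 ESC16],
               enrollment_sids: ["#{DOMAIN_SID}-1604"], issuing_cas: ['kerberos-DC2-CA'])
].freeze

if __FILE__ == $PROGRAM_NAME
  REPORT_LEVELS.each do |level|
    names = filter_templates(TEMPLATES, level, cas: CAS, operator: USER2, writable_accounts: [USER3])
    puts "REPORT=#{level}: #{names.join(', ')}"
  end
end
```

Running it as user2 with user3 as a writable account drops one template at each stricter level: CrossCA disappears at `vulnerable`, Unpublished at `vulnerable-and-published`, and AdminOnly at `vulnerable-and-enrollable`, while IndirectOnly survives the last level only through the writable user3 path and vanishes when no writable accounts are supplied.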
@zeroSteiner zeroSteiner marked this pull request as ready for review August 15, 2025 19:34
@jheysel-r7 jheysel-r7 added enhancement rn-enhancement release notes enhancement labels Aug 15, 2025
jheysel-r7 commented Aug 15, 2025

Looks great, testing was as expected 🎉

Testing

  • Run with REPORT=all and see all certificate templates, regardless of whether or not they have a misconfiguration or are even published.

The following are printed despite having no vulnerabilities associated with them:

msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run REPORT=all
[*] Running module against 172.16.199.200
[*] Discovering base DN automatically
[+] Template: CrossCA
[*]   Distinguished Name: CN=CrossCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 1
[*]   Vulnerable to: (none)
[*]   Permissions: READ
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[!]    Issuing CAs: none (not published as an enrollable certificate)
[+] Template: CAExchange
[*]   Distinguished Name: CN=CAExchange,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[*]   Vulnerable to: (none)
[*]   Permissions: READ
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[!]    Issuing CAs: none (not published as an enrollable certificate)
...
<redacted>

Now the certificates that are not vulnerable and cannot be enrolled into by the user authenticating are no longer displayed:

msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run REPORT=vulnerable-and-enrollable ldapusername=user2
[*] Running module against 172.16.199.200
[*] Discovering base DN automatically
[!] Couldn't find any vulnerable ESC13 templates!
[+] Template: Copy of User
[*]   Distinguished Name: CN=Copy of User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC1, ESC2
[*]   Permissions: READ, ENROLL
[*]   Notes:
[*]     * ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs permit authentication
[*]     * ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-513 (Domain Users)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (Misconfigured Certificate Template Finder)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[+] Template: ESC16-Template
[*]   Distinguished Name: CN=ESC16-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
[!]   Potentially vulnerable to: ESC10 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must be set to 0 or CertificateMappingMethods must be set to 4)
[!]   Potentially vulnerable to: ESC16 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must be set to either 0 or 1. If StrongCertificateBindingEnforcement is set to 2, ESC16 is exploitable if the active policy EditFlags has EDITF_ATTRIBUTESUBJECTALTNAME2 set.
[*]   Permissions: FULL CONTROL
[*]   Notes:
[*]     * ESC4: The account: user2 has edit permissions over the template ESC16-Template.
[*]     * ESC9: The account: user2 has edit permission over the account: user3 which has enrollment rights for this template.
[*]     * ESC10: The account: user2 has edit permission over the account: user3 which has enrollment rights for this template.
[*]     * ESC16: Template is vulnerable due to the active policy EditFlags having: EDITF_ATTRIBUTESUBJECTALTNAME2 set (which is essentially ESC6) combined with the CA's disabled policy extension list including: 1.3.6.1.4.1.311.25.2.
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (Misconfigured Certificate Template Finder)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1604 (user3)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1609 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
...
<redacted>

We can now see that ESC16 is flagged as being potentially vulnerable:

msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run REPORT=vulnerable-and-published ldapusername=user2
[*] Running module against 172.16.199.200
[*] Discovering base DN automatically
[!] Couldn't find any vulnerable ESC13 templates!
[+] Template: ESC16-Template
[*]   Distinguished Name: CN=ESC16-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC4
[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
[!]   Potentially vulnerable to: ESC10 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must be set to 0 or CertificateMappingMethods must be set to 4)
[!]   Potentially vulnerable to: ESC16 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must be set to either 0 or 1. If StrongCertificateBindingEnforcement is set to 2, ESC16 is exploitable if the active policy EditFlags has EDITF_ATTRIBUTESUBJECTALTNAME2 set.
[*]   Permissions: FULL CONTROL
[*]   Notes:
[*]     * ESC4: The account: user2 has edit permissions over the template ESC16-Template.
[*]     * ESC9: The account: user2 has edit permission over the account: user3 which has enrollment rights for this template.
[*]     * ESC10: The account: user2 has edit permission over the account: user3 which has enrollment rights for this template.
[*]     * ESC16: Template is vulnerable due to the active policy EditFlags having: EDITF_ATTRIBUTESUBJECTALTNAME2 set (which is essentially ESC6) combined with the CA's disabled policy extension list including: 1.3.6.1.4.1.311.25.2.
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (Misconfigured Certificate Template Finder)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1604 (user3)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-1609 (user2)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
...
<redacted>

@jheysel-r7 jheysel-r7 merged commit 0830de8 into rapid7:master Aug 15, 2025
51 checks passed
jheysel-r7 commented Aug 15, 2025

Release Notes

Adds an enhancement to the ldap_esc_vulnerable_cert_finder module. The module will now check for enrollment permissions on both the template and CA server, meaning users can filter their results to only show templates that are vulnerable and that they have the necessary permissions to enroll in; this can be done using the new REPORT datastore option.
