Skip to content

Update the ldap_esc_vulnerable_cert_finder to check enrollment permissions #20471

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Aug 15, 2025
Merged

Update the ldap_esc_vulnerable_cert_finder to check enrollment permissions #20471

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
13b3af3
Apply the ACEs for Authenticated Users
zeroSteiner Aug 13, 2025
fa33c84
Evaluate permissions for templates and CAs
zeroSteiner Aug 13, 2025
2338ad7
Implement the desired filtering
zeroSteiner Aug 14, 2025
c8f72a8
Refactor to remove redundant code
zeroSteiner Aug 14, 2025
f3719b8
Document the new report filtering option
zeroSteiner Aug 14, 2025
25c72d4
Handle some edge cases in report filtering
zeroSteiner Aug 15, 2025
1c41c73
Fix a missing ESC16 check
zeroSteiner Aug 15, 2025
170fbcb
Add two more report filters
zeroSteiner Aug 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,15 +240,15 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {

## Options

### REPORT_NONENROLLABLE
If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
If set to `False` then skip over these certificate templates and only report on certificate templates
that are both vulnerable and enrollable.
### REPORT
What templates to report (applies filtering to results).

### REPORT_PRIVENROLLABLE
If set to `True` then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups.
If set to `False` then skip over these certificate templates and only report on certificate templates that are
enrollable by at least one additional user or group.
* **all** - Report all certificate templates.
* **published** - Report certificate templates that are published by at least one CA server.
* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
* **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
* **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
* **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.

## Scenarios

Expand Down
2 changes: 2 additions & 0 deletions lib/msf/core/exploit/remote/ldap/active_directory.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,8 @@ def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: ni
case ace.body.sid
when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
matcher.apply_ace!(ace)
when Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
matcher.apply_ace!(ace)
when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
matcher.apply_ace!(ace) if self_sid == test_sid
when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
Expand Down
Loading
Loading