ESC15: EKUwu
AD CS continues to be a popular target for penetration testers and security practitioners. The latest escalation technique (hence the the ESC in ESC15) was discovered by Justin Bollinger with details being released just last week. This latest configuration flaw has common issuance requirements to other ESC flaws such as requiring no authorized signatures or manager approval. Additionally, templates must be schema version 1 which enables an attacker to craft a signing request with a custom set of EKU OIDs which will be present in the issued certificate. By overriding the OIDs, the template can be used in a few ways with the most useful being as a certificate enrollment agent. With a valid enrollment agent certificate, a user can issue certificates for other users which, when combined with the builtin “User” certificate, can enable Kerberos authentication to a wide variety of services.
This week’s release of Metasploit has added support to our existing AD CS related modules for identifying and exploiting ESC15.
The auxiliary/admin/ldap/ad_cs_cert_template module can be used along with the new esc15_template to create a vulnerable certificate or (by leveraging ESC4) update an existing certificate to be vulnerable to ESC15.
The auxiliary/gather/ldap_esc_vulnerable_cert_finder module has been updated to identify vulnerable certificate templates.
The auxiliary/admin/dcerpc/icpr_cer module has been updated with the new ADD_CERT_APP_POLICY option to enable users to add EKUs by OID, thus enabling exploitation of ESC15. ..
Support the originator by clicking the read the rest link below.
