search
GitHubTwitterExegolTools

Certificate authority

hashtag
Theory

hashtag
Certificate Authority misconfiguration

In their research papersarrow-up-right, Will Schroederarrow-up-right and Lee Christensenarrow-up-right found a domain escalation vector based on a dangerous CA setting (i.e. the EDITF_ATTRIBUTESUBJECTALTNAME2 flag). The escalation vector was dubbed ESC6arrow-up-right.

When the flag is set on the CA, templates configured for authentication (i.e. EKUs like Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose (OID 2.5.29.37.0), or no EKU (SubCA)) and allowing low-priv users to enroll can be abused to authenticate as any other user/machine/admin.

circle-check

The default User template checks all the template requirements stated above.

If the CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (admins tend to enable that flag without knowing the security implications), and the User template is enabled (which is very often), any user can escalate to domain admin.

triangle-exclamation

May 2022 security updatesarrow-up-right broke the ESC6 attack.

hashtag
YubiHSM Key Storage Provider

As described by Hans-Joachim Knoblocharrow-up-right in his article ESC12 – Shell access to ADCS CA with YubiHSMarrow-up-right, administrators may configure the Certificate Authority to store its private key on an external device like "Yubico YubiHSM2", over storing it in the software storage.

This is a USB device connected to the CA server via a USB port, or a USB device server in case of the CA server is a virtual machine. "In order to generate and use keys in the YubiHSM, the Key Storage Provider must use an authentication key (sometimes dubbed "password"). This key/password is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword in cleartext."

hashtag
Practice

hashtag
EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6)

From UNIX-like systems, Certipyarrow-up-right (Python) can be used to enumerate info about the CAs, including the "User Specified SAN" flag state which is an alias to the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.

certipy find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -stdout | grep "User Specified SAN"
circle-info

By default, Certipy uses LDAPS, which is not always supported by the domain controllers. The -scheme flag can be used to set whether to use LDAP or LDAPS.

Once the right template is found (i.e. the default User template) (how to enumerate), a request shall be made to obtain a certificate, with another high-priv user set as SAN (subjectAltName).

#To specify a user account in the SAN
certipy req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -ca 'ca_name' -template 'vulnerable template' -upn 'domain admin'

#To specify a computer account in the SAN
certipy req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -ca 'ca_name' -template 'vulnerable template' -dns 'dc.domain.local'

The certificate can then be used with Pass-the-Certificate to obtain a TGT and authenticate.

hashtag
Shell access to ADCS CA with YubiHSM (ESC12)

hashtag
Redirect the USB device server

At the time of writing, no solution exists to perform this attack from a UNIX-like machine.

hashtag
Forge a certificate

If the CA's private key is stored on a physical USB device such as "YubiHSM2", and a shell access is obtained on the PKI server (even with low privileges), it is possible to recover the key.

At the time of writing, no solution exists to perform this attack from a UNIX-like machine.

hashtag
Resources

LogoCertified Pre-Owned - SpecterOpsSpecterOpschevron-right
LogoHidden Dangers: Certificate Subject Alternative Names (SANs)Keyfactorchevron-right
LogoCertipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!Mediumchevron-right
LogoESC12 – Shell access to ADCS CA with YubiHSMBemerkungen über Public Key Infrastrukturenchevron-right
PreviousCertificate templatesNextAccess controls

Last updated

Was this helpful?