PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Prevent constraint violation on objects with restrictive permissions #338

Open pantsman0 opened 4 years ago

pantsman0 commented 4 years ago

This change restricts access to ADSI objects so they're only writing to the ACL. This fixes an issue writing an ACL when you exclusively have WriteDacl permission on an object.

I have run up against this issue in a pentest where it meant I wasn't able to get to DA, but didn't know what was going on. I also came up against it in a HtB machine, so I had time to debug the tool and see what was going on.

This was an issue because if you don't set the security mask to Dacl, it will attempt to write the whole object back to LDAP instead of just the ACE. If you only have WriteDacl on the object, this will obviously fail.

This change has been tested against a HtB machine, and successfully wrote DCSync privs where the current master failed.
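
An added illustration, not part of this pull request or of PowerSploit's code: the ADSI security mask corresponds to the LDAP SD flags control, which names the parts of the security descriptor a request covers. The sketch assumes ADSI's default mask of Owner, Group and Dacl and uses a simplified per-part rights model; every function name is this example's own.

```python
from enum import IntFlag

SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # LDAP_SERVER_SD_FLAGS_OID control

class SecurityMasks(IntFlag):
    """Numeric values match System.DirectoryServices.SecurityMasks."""
    NONE = 0
    OWNER = 1
    GROUP = 2
    DACL = 4
    SACL = 8

# Assumption: the mask ADSI applies when none is set explicitly.
ADSI_DEFAULT = SecurityMasks.OWNER | SecurityMasks.GROUP | SecurityMasks.DACL

# Right that gates a write to each part (simplified model for this example).
REQUIRED = {
    SecurityMasks.OWNER: "WriteOwner",
    SecurityMasks.GROUP: "WriteOwner",
    SecurityMasks.DACL: "WriteDacl",
    SecurityMasks.SACL: "SeSecurityPrivilege",
}

def encode_sd_flags(mask):
    """BER value of the control: SEQUENCE { INTEGER flags }."""
    value = int(mask)
    if not 0 <= value <= 0x0F:
        raise ValueError("only the four defined flag bits are valid")
    return bytes([0x30, 0x03, 0x02, 0x01, value])

def decode_sd_flags(blob):
    """Parse a single-byte control value back into a SecurityMasks set."""
    if len(blob) != 5 or blob[:4] != b"\x30\x03\x02\x01" or blob[4] > 0x0F:
        raise ValueError("not a single-byte SD flags control value")
    return SecurityMasks(blob[4])

def rights_needed(mask):
    """Rights a caller must hold to write every part named in the mask."""
    return {right for part, right in REQUIRED.items() if part & mask}

def write_permitted(mask, held):
    """True if the held rights cover every part the write would submit."""
    return rights_needed(SecurityMasks(mask)) <= set(held)

if __name__ == "__main__":
    for name, mask in (("ADSI default", ADSI_DEFAULT), ("Dacl only", SecurityMasks.DACL)):
        print(name, encode_sd_flags(mask).hex(), sorted(rights_needed(mask)),
              write_permitted(mask, {"WriteDacl"}))
```

For change auditing, the same decoding tells a reviewer which parts of a descriptor a logged or captured request covered.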