TrimarcJake / adcs-snippets

Just a bunch of code snippets to identify and remediate common Active Directory Certificate Services issues.
MIT License
31 stars 2 forks

MsPKI-Certificate-Name-Flag #4

Open Kirchmeister opened 1 year ago

Kirchmeister commented 1 year ago

Hi. I might be wrong and I didn't test it yet, but you are filtering the above setting for a 1 in "Find Templates with Bad Configs". Wouldn't a 9 be equally critical? I mean for renewals, it seems to be locked by this option, but isn't it the same risk for new certs as with a 1?

TrimarcJake commented 1 year ago

This is interesting.

Is the attack path you envision:

  1. Attacker compromises users
  2. Attacker finds template vulnerable to ESC1
  3. Attacker requests template with the SAN of a high-value account
  4. Attacker finds template with msPKI-Certificate-Name-Flag set to 9
  5. Attacker requests a different template using the first template as "proof"

Kirchmeister commented 1 year ago

Thanks for replying. Not sure exactly how you mean point 5. If you are able to request a malicious cert if the flag is set to 1 and the remaining patterns for ESC1 are matching, then you might even be able to request a new cert under 9 in the same way. That whole risk might not exist when the template is set to 9 and is applying to existing legit certs which haven’t been created by a malicious actor, as they initially have been created “clean”. But from the GUI description it looked to me like 9 may allow the escalation as well. I don’t have our prod environment in front of me and I also don’t have a lab environment for some testing.
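As an added example (not code from the adcs-snippets repo), here is the check the thread is circling around: msPKI-Certificate-Name-Flag is a bitmask, so 9 is 1 | 8 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT plus CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME) and an equality filter on 1 misses it, while a bitwise test catches both. The template names and values below are constructed; the flag constants are the MS-CRTD values.

```python
# Decode msPKI-Certificate-Name-Flag as a bitmask and compare the two ways of
# filtering for "enrollee supplies subject": equality (value == 1) versus a bit test.
# Flag constants from MS-CRTD; only the ones relevant to this discussion are listed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000

NAME_FLAGS = {
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: "ENROLLEE_SUPPLIES_SUBJECT",
    CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME: "OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME",
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME: "ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    CT_FLAG_SUBJECT_ALT_REQUIRE_UPN: "SUBJECT_ALT_REQUIRE_UPN",
    CT_FLAG_SUBJECT_ALT_REQUIRE_DNS: "SUBJECT_ALT_REQUIRE_DNS",
    CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME: "SUBJECT_REQUIRE_COMMON_NAME",
    CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH: "SUBJECT_REQUIRE_DIRECTORY_PATH",
}


def normalize(value: int) -> int:
    """AD stores the attribute as a signed 32-bit integer, so values with the
    0x80000000 bit set come back negative; mask to the unsigned form first."""
    return int(value) & 0xFFFFFFFF


def decode_name_flags(value: int) -> list[str]:
    """Return the names of every flag bit set in the attribute value."""
    v = normalize(value)
    return [name for bit, name in NAME_FLAGS.items() if v & bit]


def naive_filter(value: int) -> bool:
    """The equality check the issue questions: only matches a value of exactly 1."""
    return int(value) == CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT


def enrollee_supplies_subject(value: int) -> bool:
    """Bitwise check: true whenever the ENROLLEE_SUPPLIES_SUBJECT bit is set,
    regardless of which other bits (for example 8) accompany it."""
    return normalize(value) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT != 0


# Constructed sample of template name -> msPKI-Certificate-Name-Flag (not real data).
SAMPLE_TEMPLATES = {
    "WebServerCopy": 1,                                                       # 1 only
    "UserRenewal": 9,                                                         # 1 | 8
    "Machine": CT_FLAG_SUBJECT_ALT_REQUIRE_DNS | CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME,
    "SmartcardCopy": -2147483647,                                             # 0x80000001 as signed
}


def find_enrollee_supplies_subject(templates: dict) -> list[str]:
    """Names of templates where the enrollee controls the subject, found bitwise."""
    return sorted(n for n, v in templates.items() if enrollee_supplies_subject(v))
```

In the repo's PowerShell, the same bitwise test is `($_.'msPKI-Certificate-Name-Flag' -band 1) -ne 0` rather than `-eq 1`.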