ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Fix bug in extended right dacl check #177

Open nurfed1 opened 11 months ago

nurfed1 commented 11 months ago

Hi,

I noticed a few bugs in the extended right checks used by ESC1.

First, the code would incorrectly report templates as vulnerable when any Active Directory right other than the ExtendedRight was set for the Certificate-Enrollment attribute. E.g. I encountered an environment where for some unknown reason the domain users group had "WriteProperty" rights on the Certificate-Enrollment attribute. While this looked exciting, as far as I understand this is not exploitable.

Secondly, the code currently does not detect All-Extended-Rights. This check will never succeed because all-extended-rights is an ACCESS_ALLOWED ACE and the code currently doesn't add those to the "extended_rights" list.

I know there are still other edge cases because deny aces are ignored, but this should at least fix some small issues.

I tested this PR against a number of different setups and as far as I can tell there are no issues. I have a few tests in powershell that I could share if required.

JJK96 commented 2 months ago

I ran into the same bug, and decided to further test your claim that "WriteProperty" rights on the Certificate-Enrollment attribute is not exploitable. I followed this blog, and ran this script and concluded that there are no property sets that are controlled by this extended right. Therefore, I agree that this is probably not exploitable.
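The two checks nurfed1 describes above, worked through as an added example that is not Certipy's code and not part of the PR. It models ACEs with a small dataclass instead of impacket's ldaptypes structures, and the `buggy_can_enroll` function is an illustration of the two behaviours the comment describes rather than Certipy's actual source. The ACE type codes, flag and mask bits and the Certificate-Enrollment GUID are the documented Windows values; the SIDs and DACLs at the bottom are constructed sample data. It also goes one step past the PR by honouring a deny ACE that precedes the allow, the edge case nurfed1 leaves for later.

```python
"""Added example, not Certipy's code: decide whether a principal holds the
Certificate-Enrollment extended right from a template's DACL.

Assumptions: ACEs are modelled with a small dataclass instead of impacket's
ldaptypes structures; ACE type codes, flag/mask bits and the
Certificate-Enrollment GUID are the documented Windows values; the SIDs and
DACLs at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Access-mask bits (ADS_RIGHT_DS_CONTROL_ACCESS, ADS_RIGHT_DS_WRITE_PROP).
RIGHT_DS_CONTROL_ACCESS = 0x00000100
RIGHT_DS_WRITE_PROP = 0x00000020

# Control-access right GUID for Certificate-Enrollment (AD schema value).
CERTIFICATE_ENROLLMENT = "0e10c968-78fb-11d1-a9c7-0000f80367c1"

# ACE type codes, and the object-ACE flag saying ObjectType is filled in.
ACCESS_ALLOWED_ACE = 0x00
ACCESS_DENIED_ACE = 0x01
ACCESS_ALLOWED_OBJECT_ACE = 0x05
ACCESS_DENIED_OBJECT_ACE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x01


@dataclass
class Ace:
    ace_type: int
    sid: str
    mask: int
    flags: int = 0                      # object-ACE flags; 0 for plain ACEs
    object_type: Optional[str] = None   # GUID string when ACE_OBJECT_TYPE_PRESENT


def covers_enrollment_right(ace: Ace) -> bool:
    """True if the ACE's mask and object type cover Certificate-Enrollment."""
    if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
        # Bug 1: WriteProperty (or any other right) scoped to the enrollment
        # GUID is not the extended right, so it must not count.
        return False
    if ace.ace_type in (ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE):
        # Bug 2: a plain ACE carrying CONTROL_ACCESS is All-Extended-Rights.
        return True
    if not ace.flags & ACE_OBJECT_TYPE_PRESENT:
        return True  # object ACE with no ObjectType also means all extended rights
    return (ace.object_type or "").lower() == CERTIFICATE_ENROLLMENT


def can_enroll(dacl: Iterable[Ace], principal_sids: set) -> bool:
    """Walk the DACL in order; the first ACE that covers the right and matches
    one of the principal's SIDs decides, so a deny listed first wins."""
    for ace in dacl:
        if ace.sid not in principal_sids or not covers_enrollment_right(ace):
            continue
        return ace.ace_type not in (ACCESS_DENIED_ACE, ACCESS_DENIED_OBJECT_ACE)
    return False


def buggy_can_enroll(dacl: Iterable[Ace], principal_sids: set) -> bool:
    """Illustration of the two behaviours described in the PR, not Certipy's
    actual source: any allow object ACE on the enrollment GUID counts whatever
    its mask, and plain ACCESS_ALLOWED ACEs are never considered."""
    for ace in dacl:
        if ace.ace_type != ACCESS_ALLOWED_OBJECT_ACE or ace.sid not in principal_sids:
            continue
        if (ace.object_type or "").lower() == CERTIFICATE_ENROLLMENT:
            return True
    return False


# Constructed sample data (not from any real domain).
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"

# Bug 1: WriteProperty on the Certificate-Enrollment GUID, no CONTROL_ACCESS.
DACL_WRITEPROP_ONLY = [
    Ace(ACCESS_ALLOWED_OBJECT_ACE, DOMAIN_USERS, RIGHT_DS_WRITE_PROP,
        ACE_OBJECT_TYPE_PRESENT, CERTIFICATE_ENROLLMENT),
]
# Bug 2: All-Extended-Rights granted through a plain ACCESS_ALLOWED ACE.
DACL_ALL_EXTENDED = [Ace(ACCESS_ALLOWED_ACE, DOMAIN_USERS, RIGHT_DS_CONTROL_ACCESS)]
# The normal case: an explicit Certificate-Enrollment grant.
DACL_ENROLL = [
    Ace(ACCESS_ALLOWED_OBJECT_ACE, DOMAIN_USERS, RIGHT_DS_CONTROL_ACCESS,
        ACE_OBJECT_TYPE_PRESENT, CERTIFICATE_ENROLLMENT),
]
# A deny ACE ahead of the allow, the edge case the PR leaves for later.
DACL_DENY_THEN_ALLOW = [
    Ace(ACCESS_DENIED_OBJECT_ACE, DOMAIN_USERS, RIGHT_DS_CONTROL_ACCESS,
        ACE_OBJECT_TYPE_PRESENT, CERTIFICATE_ENROLLMENT),
    Ace(ACCESS_ALLOWED_OBJECT_ACE, DOMAIN_USERS, RIGHT_DS_CONTROL_ACCESS,
        ACE_OBJECT_TYPE_PRESENT, CERTIFICATE_ENROLLMENT),
]

if __name__ == "__main__":
    for name, dacl in [("WriteProperty only", DACL_WRITEPROP_ONLY),
                       ("All-Extended-Rights", DACL_ALL_EXTENDED),
                       ("Enroll", DACL_ENROLL),
                       ("Deny then allow", DACL_DENY_THEN_ALLOW)]:
        print(f"{name:20} fixed={can_enroll(dacl, {DOMAIN_USERS})!s:5} "
              f"buggy={buggy_can_enroll(dacl, {DOMAIN_USERS})}")
```

Run as a script it prints the fixed and buggy verdict for each constructed DACL side by side: the WriteProperty-only DACL flips from a false positive to not enrollable, the plain ACCESS_ALLOWED All-Extended-Rights ACE flips from missed to detected, and the deny-first DACL is only refused by the fixed walk. Real DACLs from LDAP would be parsed with impacket's ldaptypes and mapped onto the same fields.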