ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.43k stars 338 forks source link

Fix bug in extended right dacl check #177

Open nurfed1 opened 1 year ago

nurfed1 commented 1 year ago

Hi,

I noticed a few bugs in the extended right checks used by ESC1.

First, the code would incorrectly report templates as vulnerable when any active directory right other than the ExtendedRight was set for the Certificate-Enrollment attribute. E.g. I encountered an environment where for some unknown reason the domain users group had "WriteProperty" rights on the Certificate-Enrollment attribute. While this looked exiting, as far as I understand this is not exploitable.

Secondly, the code currently does not detect All-Extended-Rights. This check will never success because all-extended-rights is an ACCESS_ALLOWED ace and the code currently doesn't add those to the "extended_rights" list.

I know there are still other edge cases because deny aces are ignored, but this should at least fix some small issues.

I tested this PR against a number of different setups and as far as I can tell there are no issues. I have a few tests in powershell that I could share if required.

JJK96 commented 3 months ago

I ran into the same bug, and decided to further test your claim that "WriteProperty" rights on the Certificate-Enrollment attribute is not exploitable. I followed this blog, and ran this script and concluded that there are no property sets that are controlled by this extended right. Therefore, I agree that this is probably not exploitable.