Certipy
Template Enrollment Rights Not Always Accurate
Ran into a false-positive where a template came back as vulnerable to ESC1 via Domain Computer enrollment. Attempts to request a template with a machine account were unsuccessful. After reviewing the enrollment rights on the CA itself, Domain Computers was listed under the "Security" tab, but the "Enroll" checkbox was not checked. It seems that the security descriptor extended rights weren't coming back accurately?
Hello @jas594. It might be that you can enroll in a template, but not be allowed to enroll in the CA. Multiple CAs can have the same template enabled. If I'm understanding your issue correctly, you are allowed to enroll in the template but not in the CA. Did Certipy say that you could enroll in the CA?
Confirmed that is the issue! So Certipy said the template is vulnerable to ESC1 (which is true), but Certipy doesn't check that enrollment rights are the same on the CA itself. Does that sound right? If so, are there plans to have it properly check permissions on both sides?
Hello @jas594
This is correct. Perhaps I could make the check on both sides. Will look into it. Thanks for reporting :)
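The two-sided check discussed above, as an added example that is not Certipy's own code: it models template and CA enrollment ACEs with constructed sample data (the names WS01$, CA01/CA02/CA03 and the right names are assumptions) and shows why a template-only check flags Domain Computers while the cross-check against the CAs' own enrollment rights returns no CA.

```python
from dataclasses import dataclass

ENROLL = "Enroll"  # the right that must be granted on the template AND on the CA

@dataclass(frozen=True)
class Ace:
    principal: str          # user, computer or group name (constructed sample values)
    rights: frozenset

@dataclass
class Template:
    name: str
    aces: list
    published_on: list      # names of the CAs that have this template enabled

@dataclass
class CertificateAuthority:
    name: str
    aces: list

def can_enroll(aces, principals):
    """True if any ACE grants Enroll to one of the identities the caller holds."""
    return any(a.principal in principals and ENROLL in a.rights for a in aces)

def template_only_finding(template, principals):
    """What a check that looks only at the template reports (the false positive above)."""
    return can_enroll(template.aces, principals)

def cross_checked_finding(template, cas, principals):
    """Names of CAs where the caller can enroll in both the template and the CA."""
    if not can_enroll(template.aces, principals):
        return []
    ca_by_name = {ca.name: ca for ca in cas}
    return [n for n in template.published_on
            if n in ca_by_name and can_enroll(ca_by_name[n].aces, principals)]

# Constructed sample data mirroring the thread: the CA's Security tab lists
# Domain Computers, but the Enroll box is not checked (only Read is granted).
MACHINE = {"WS01$", "Domain Computers", "Authenticated Users"}  # identities a machine account holds
SAMPLE_TEMPLATE = Template("Machine", [Ace("Domain Computers", frozenset({ENROLL}))], ["CA01", "CA02"])
SAMPLE_CAS = [
    CertificateAuthority("CA01", [Ace("Domain Computers", frozenset({"Read"}))]),
    CertificateAuthority("CA02", [Ace("Domain Admins", frozenset({ENROLL, "ManageCA"}))]),
    CertificateAuthority("CA03", [Ace("Domain Computers", frozenset({ENROLL}))]),  # template not published here
]

if __name__ == "__main__":
    print(template_only_finding(SAMPLE_TEMPLATE, MACHINE))             # True
    print(cross_checked_finding(SAMPLE_TEMPLATE, SAMPLE_CAS, MACHINE))  # []
```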
I probably ran into the same issue. Certipy found two vulnerable templates (via Domain Computer enrollment) but I was not able to exploit them with ESC1.
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Unfortunately I can not check the server side. But I made a cross check with Certify.exe. It reported
No Vulnerable Certificates Templates found!
When run without /vulnerable, it shows that the templates in question do not have Domain Computers in the enrollment section. Certipy did show the Domain Computers there.
Can I just clarify @jas594 that in the latest Certipy which prints out the CA info plus all the templates info that for a vulnerable template I then need to check the CA 'Enrollment Rights' section to see if it also allows regular users enrollment rights?
I think I was seeing things were marked vulnerable but maybe they aren't definitely. Not sure if the CA info was presented by Certipy when you raised this issue which made it impossible to cross reference I guess... Thanks
That is correct @Cyb3rC3lt. I'm pretty sure the CA info was presented when I raised the issue, but was still thrown off by templates being marked as vulnerable.
Thank you @jas594, that's really useful. Maybe it's in the Certipy ReadMe somewhere or if I fully understood the Specterops doc I'd have realised sooner but at least now I will check those first before anything else!!
If none of the CAs allow Authenticated/Domain users enrollment abilities I think I'd display some message in bold saying "No vulnerable CAs - templates less vulnerable" or something but maybe I'm missing something. Thanks again