Last updated at Thu, 25 Jan 2024 00:39:08 GMT
AD CS certificate templates
Our very own Spencer McIntyre has developed a new module that allows for creating, reading, updating and deleting certificate template objects from Active Directory.
ESC4 Exploitation
These changes notably enable the exploitation of the technique identified as ESC4, whereby an attacker that has access to modify the certificate template object in LDAP can change it to set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in the mspki-certificate-name-flag field to enable exploitation of ESC1. Exploiting this scenario would be a three-step process:
- Use this module to update a certificate template that you have rights to modify
- Use the icpr_cert module to exploit ESC1 by specifying a privileged user in the ALT_UPN field
- Restore the certificate template that was replaced in step 1 with the backup that was automatically created
SDDL
When the user updates the certificate template, the nTSecurityDescriptor field is overwritten with one that provides all access to all authenticated users. This means it's critical that the template be restored when the operator is finished. A backup is created every time the template is read, but it's not restored automatically because the actions taken once the module has completed will likely involve another module such as icpr_cert.
The existing MsDtypSecurityDescriptor class has a new .from_sddl_text method to create a new instance from Microsoft's (relatively) human-readable Security Descriptor Definition Language. This means the SID in the ACEs can be specified by copying the included template file and changing it to whatever the user would like. They could for example set it to the SID of the current user, or the domain admins group, etc.
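As an added illustration, not code from the module itself, here is a defender-side audit that parses a template's SDDL and its mspki-certificate-name-flag value and flags the two conditions this section describes: a broad principal holding write rights on the template (the ESC4 precondition, and the state the module leaves behind) and the enrollee-supplies-subject flag being set. The minimal SDDL parser, the rights masks and the sample templates are assumptions constructed for this example; it does not use the module's MsDtypSecurityDescriptor class.

```ruby
# Constructed example: audit a template's SDDL and name-flag value for the
# ESC4/ESC1 conditions described above. Simplified SDDL parsing, not the
# module's MsDtypSecurityDescriptor class.
RIGHT_MASKS = { 'GA' => 0x10000000, 'GW' => 0x40000000, 'WD' => 0x00040000,
                'WO' => 0x00080000, 'WP' => 0x00000020 }.freeze # write-capable rights
BROAD_SIDS = %w[WD AU DU S-1-1-0 S-1-5-11].freeze # Everyone, Authenticated Users, Domain Users
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Extract the (type;flags;rights;obj;iobj;sid) ACEs from the D: section.
# Conditional ACEs, which embed parentheses, are not handled here.
def parse_dacl(sddl)
  dacl = sddl[/D:[A-Z]*((?:\([^)]*\))+)/, 1] or return []
  dacl.scan(/\(([^)]*)\)/).map do |(ace)|
    type, _flags, rights, _obj, _iobj, sid = ace.split(';', 6)
    { type: type, rights: rights.to_s, sid: sid.to_s }
  end
end

# Return the write-capable rights present in an SDDL rights string, whether
# given as two-letter abbreviations or as a hex access mask.
def write_rights(rights)
  if rights.start_with?('0x')
    mask = rights.hex
    RIGHT_MASKS.select { |_, bit| (mask & bit) != 0 }.keys
  else
    rights.scan(/../) & RIGHT_MASKS.keys
  end
end

# One finding per broad principal holding write rights, plus one if the
# enrollee-supplies-subject flag is set. An empty array means nothing flagged.
def audit_template(name:, sddl:, name_flags:)
  findings = []
  parse_dacl(sddl).each do |ace|
    next unless %w[A OA].include?(ace[:type]) && BROAD_SIDS.include?(ace[:sid])
    rights = write_rights(ace[:rights])
    findings << "#{name}: #{ace[:sid]} holds #{rights.join(',')}" unless rights.empty?
  end
  if (name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0
    findings << "#{name}: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set"
  end
  findings
end

# Constructed samples: the state described above after the module has rewritten
# nTSecurityDescriptor and the name flag, and a template with a normal ACL.
MODIFIED = { name: 'WebServer', name_flags: 0x1,
             sddl: 'O:DAG:DAD:PAI(A;;GA;;;AU)(A;;GA;;;DA)' }.freeze
HEALTHY  = { name: 'User', name_flags: 0x0,
             sddl: 'O:DAG:DAD:PAI(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;RPLCRC;;;AU)' }.freeze

puts audit_template(**MODIFIED)
puts(audit_template(**HEALTHY).empty? ? 'User: clean' : 'User: flagged')
```

Running the same check against the backup the module writes and against the live object is a quick way to confirm the template was actually restored.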
New module content (2)
AD CS Certificate Template Management
Authors: Lee Christensen, Oliver Lyak, Spencer McIntyre, and Will Schroeder
Type: Auxiliary
Pull request: #17965 contributed by zeroSteiner
Description: This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.
Sudoedit Extra Arguments Priv Esc
Authors: Matthieu Barjole, Victor Cutillas, and h00die
Type: Exploit
Pull request: #17929 contributed by h00die
AttackerKB reference: CVE-2023-22809
Description: This adds an exploit for CVE-2023-22809, an LPE within sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.
Enhancements and features (1)
- #17989 from cgranleese-r7 - The auxiliary/admin/kerberos/inspect_ticket and auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields
Bugs fixed (4)
- #18009 from cgranleese-r7 - This PR updates the msfdb commands to no longer enable the web services as default. The web service will now be enabled with the web service flag: --msf-data-service <NAME>.
- #18010 from adfoster-r7 - Fix edgecase crash when running smb_login with Kerberos auth activated
- #18015 from distortedsignal - Deletes a dead link from the Using Metasploit page
- #18024 from zgoldman-r7 - This PR fixes an issue with credentials being normalized to lowercase inconsistently, causing collisions with uppercase data. Relevant credentials are now automatically normalized to lowercase on insert and lookup.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).