Fix bug in extended right dacl check #177
Open
Hi,
I noticed a few bugs in the extended right checks used by ESC1.
First, the code would incorrectly report templates as vulnerable when any Active Directory right other than the ExtendedRight was set for the Certificate-Enrollment attribute.
E.g. I encountered an environment where for some unknown reason the domain users group had "WriteProperty" rights on the Certificate-Enrollment attribute. While this looked exciting, as far as I understand this is not exploitable.
Secondly, the code currently does not detect All-Extended-Rights. This check will never succeed because all-extended-rights is an ACCESS_ALLOWED ACE and the code currently doesn't add those to the "extended_rights" list.
I know there are still other edge cases because deny ACEs are ignored, but this should at least fix some small issues.
I tested this PR against a number of different setups and as far as I can tell there are no issues. I have a few tests in PowerShell that I could share if required.
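As an added illustration (not code from this PR or from the project), the two checks the description contrasts, run over a constructed DACL: the old check matches any ACE whose object type is the Certificate-Enrollment right regardless of the access mask, while the corrected one requires the ADS_RIGHT_DS_CONTROL_ACCESS bit and also accepts a plain ACCESS_ALLOWED ACE carrying that bit (All-Extended-Rights). The rights GUID is a placeholder; the mask and ACE-type values are the documented Windows constants; deny ACEs are still not handled, as the description notes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Documented Windows constants (ADS_RIGHTS_ENUM / ACE_HEADER.AceType).
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # the "ExtendedRight" bit
ACCESS_ALLOWED_ACE_TYPE = 0x00        # non-object ACE: applies to all extended rights
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05 # object ACE: scoped by ObjectType GUID when present

# Placeholder: substitute the real rightsGuid of Certificate-Enrollment from the schema.
CERT_ENROLLMENT_RIGHT = "PLACEHOLDER-GUID-CERTIFICATE-ENROLLMENT"

@dataclass
class Ace:
    ace_type: int
    mask: int
    sid: str
    object_type: Optional[str] = None  # None = ACE_OBJECT_TYPE_PRESENT not set

def buggy_enrollment_sids(dacl: List[Ace]) -> List[str]:
    """Behaviour described in the PR: object type matched, mask never checked,
    and plain ACCESS_ALLOWED ACEs (All-Extended-Rights) never considered."""
    return [a.sid for a in dacl
            if a.ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE
            and a.object_type == CERT_ENROLLMENT_RIGHT]

def fixed_enrollment_sids(dacl: List[Ace]) -> List[str]:
    """Only ACEs that actually grant the extended right count."""
    out = []
    for a in dacl:
        if not a.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue  # e.g. WriteProperty on the right's GUID is not an enrollment right
        if a.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append(a.sid)  # no object type at all: every extended right is granted
        elif (a.ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE
              and a.object_type in (None, CERT_ENROLLMENT_RIGHT)):
            out.append(a.sid)  # absent ObjectType also means all extended rights
    return out

# Constructed DACL with made-up domain SIDs (RID 513 = Domain Users, 512 = Domain Admins).
SAMPLE_DACL = [
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_WRITE_PROP,
        "S-1-5-21-1-2-3-513", CERT_ENROLLMENT_RIGHT),      # WriteProperty only: false positive
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS,
        "S-1-5-21-1-2-3-1105", CERT_ENROLLMENT_RIGHT),     # genuine Enroll right
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0xF01FF, "S-1-5-21-1-2-3-512"),  # full control: all extended rights
]

if __name__ == "__main__":
    print("old check:", buggy_enrollment_sids(SAMPLE_DACL))
    print("new check:", fixed_enrollment_sids(SAMPLE_DACL))
```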