
Update the ldap_esc_vulnerable_cert_finder module #19415

Merged
merged 1 commit into from
Aug 26, 2024

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Aug 23, 2024

This makes a few changes to the output of the auxiliary/gather/ldap_esc_vulnerable_cert_finder module to make things easier for reporting. These are the main changes:

  • Templates vulnerable to ESC3_Template_2 are ignored unless there is at least 1 template identified as being vulnerable to ESC3_Template_1 or the template is also vulnerable to another misconfiguration.
  • Templates that are only enrollable by highly privileged accounts (domain admins, enterprise admins, etc) are filtered out by default. This can be changed by setting REPORT_PRIVENROLLABLE to true. If there is at least one group other than what is filtered out, then the template and all of its groups will be displayed.
  • More information is displayed regarding why the template is vulnerable. These are two fields included for all templates, Manager Approval and Required Signatures, which will almost always be disabled and 0 respectively because they're filtered out at the LDAP query level before additional processing takes place. Noting these values, though, is helpful for reporting purposes to remind why the template is usable. Additional notes are populated for ESC-specific flaws as well, e.g. "ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)"
  • Output was tweaked so some results show up prefixed with [+] using Metasploit's #print_good, which allows for easier grepping from logs to get the very high-level info to identify attack paths.
  • Output was tweaked so some SIDs that are low-privileged are highlighted in green (users, guests and computers), all other SIDs show up normally with no colorization

Verification

  • Start msfconsole
  • use auxiliary/gather/ldap_esc_vulnerable_cert_finder
  • Run the module and see the new output

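The filtering rules listed in the PR description (dropping ESC3_Template_2-only templates when no ESC3_Template_1 template exists, hiding templates enrollable only by highly privileged groups unless REPORT_PRIVENROLLABLE is set, and marking low-privileged SIDs) can be modelled as a small stand-alone script. This is an added example, not the module's code: the template records, the domain SID and the lists of which RIDs count as "privileged" or "low-privileged" are all constructed assumptions for the demo, and only the ESC1 note text is taken from the PR itself.

```ruby
# Added example (not Metasploit code): re-creates the report filters the PR
# describes over constructed sample data so the rules can be exercised offline.

# Assumption: which well-known groups count as highly privileged vs. low-privileged.
# The module's own lists may differ.
PRIVILEGED_SIDS = ['S-1-5-32-544'].freeze         # BUILTIN\Administrators
PRIVILEGED_RIDS = [512, 519, 518].freeze          # Domain Admins, Enterprise Admins, Schema Admins
LOW_PRIV_SIDS   = ['S-1-1-0', 'S-1-5-11'].freeze  # Everyone, Authenticated Users
LOW_PRIV_RIDS   = [513, 514, 515].freeze          # Domain Users, Domain Guests, Domain Computers

# Per-flaw explanation; only the ESC1 wording comes from the PR, anything else
# falls back to a generic placeholder.
ESC_NOTES = {
  'ESC1' => 'Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)'
}.freeze

# Returns the RID for a domain SID (S-1-5-21-...-RID), nil for any other SID.
def domain_rid(sid)
  sid.start_with?('S-1-5-21-') ? sid.split('-').last.to_i : nil
end

def privileged_sid?(sid)
  PRIVILEGED_SIDS.include?(sid) || PRIVILEGED_RIDS.include?(domain_rid(sid))
end

def low_priv_sid?(sid)
  LOW_PRIV_SIDS.include?(sid) || LOW_PRIV_RIDS.include?(domain_rid(sid))
end

# Each template is a hash:
#   { name:, flaws: ['ESC1', ...], enroll_sids: [...],
#     manager_approval: false, required_signatures: 0 }
def filter_templates(templates, report_privenrollable: false)
  esc3_t1_present = templates.any? { |t| t[:flaws].include?('ESC3_Template_1') }

  templates.select do |t|
    next false if t[:flaws].empty?

    # ESC3_Template_2 on its own is only worth reporting when an enrollment-agent
    # template (ESC3_Template_1) exists or the template has another misconfiguration.
    other_flaws = t[:flaws] - ['ESC3_Template_2']
    next false if t[:flaws].include?('ESC3_Template_2') && other_flaws.empty? && !esc3_t1_present

    # Hide templates only enrollable by highly privileged groups unless asked for.
    # If at least one non-privileged group can enroll, the whole template is kept.
    next false if !report_privenrollable && t[:enroll_sids].all? { |s| privileged_sid?(s) }

    true
  end
end

# Renders one template the way the PR describes: a [+] headline, the two
# always-present fields, a note per flaw and the enrollable SIDs with
# low-privileged ones marked (colour is replaced by a text tag here).
def render(template)
  lines = ["[+] Template: #{template[:name]}"]
  lines << "    Manager Approval: #{template[:manager_approval] ? 'Required' : 'Disabled'}"
  lines << "    Required Signatures: #{template[:required_signatures]}"
  template[:flaws].each { |f| lines << "    #{f}: #{ESC_NOTES.fetch(f, 'see template flags')}" }
  template[:enroll_sids].each do |sid|
    lines << "    Enrollable by: #{sid}#{low_priv_sid?(sid) ? ' (low-privileged)' : ''}"
  end
  lines
end

# Constructed sample data; the domain SID is made up.
DOMAIN = 'S-1-5-21-1111111111-2222222222-3333333333'.freeze
SAMPLE_TEMPLATES = [
  { name: 'WebServerSAN',    flaws: ['ESC1'],            enroll_sids: ["#{DOMAIN}-513"],
    manager_approval: false, required_signatures: 0 },
  { name: 'AdminOnly',       flaws: ['ESC1', 'ESC2'],    enroll_sids: ["#{DOMAIN}-512", 'S-1-5-32-544'],
    manager_approval: false, required_signatures: 0 },
  { name: 'Agent2',          flaws: ['ESC3_Template_2'], enroll_sids: ['S-1-5-11'],
    manager_approval: false, required_signatures: 0 },
  { name: 'EnrollmentAgent', flaws: ['ESC3_Template_1'], enroll_sids: ["#{DOMAIN}-515"],
    manager_approval: false, required_signatures: 0 }
].freeze

if __FILE__ == $PROGRAM_NAME
  filter_templates(SAMPLE_TEMPLATES).each { |t| puts render(t) }
end
```

With the defaults, AdminOnly is dropped (only admin groups can enroll) while Agent2 survives because EnrollmentAgent supplies the matching ESC3_Template_1; remove EnrollmentAgent from the input and Agent2 disappears too. Passing report_privenrollable: true (the REPORT_PRIVENROLLABLE option) brings AdminOnly back with all of its groups listed.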

@bwatters-r7 bwatters-r7 self-assigned this Aug 23, 2024
@bwatters-r7
Contributor

[screenshot]

@bwatters-r7 bwatters-r7 merged commit f74b7cc into rapid7:master Aug 26, 2024
39 checks passed
@bwatters-r7 bwatters-r7 added the rn-enhancement release notes enhancement label Aug 26, 2024
@bwatters-r7
Contributor

Release Notes

Changes the output of the ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.
