ESC10

Weak Certificate Mapping for Schannel Authentication

Description

"ESC10 vulnerabilities arise from insecure configurations in how Schannel (the Secure Channel security package in Windows, used for TLS/SSL authentication for services like LDAPS, HTTPS on IIS, etc.) maps client certificates to Active Directory accounts. An important aspect of ESC10 is that Schannel's certificate mapping logic can operate independently of the "strong certificate binding" settings (StrongCertificateBindingEnforcement) primarily designed for Kerberos PKINIT authentication on DCs. Schannel's behavior is largely governed by the CertificateMappingMethods registry key found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ on the server performing the Schannel authentication (e.g., a Domain Controller for LDAPS).

If this CertificateMappingMethods registry key is configured to allow UPN-based mapping (indicated by the bit flag 0x4 being set in the DWORD value), an attacker can potentially exploit this. The attack typically involves:

  1. Gaining Control over a "Victim" Account's UPN: The attacker needs the ability to modify the userPrincipalName (UPN) attribute of an Active Directory account (the "victim" account). This is often achieved through GenericWrite or WriteProperty permissions on the victim account object. The victim account must also be able to enroll for a client authentication certificate.

  2. UPN Manipulation: The attacker temporarily sets the victim account's UPN to match the sAMAccountName (or a desired UPN if known) of a target privileged account. This is particularly effective against machine accounts (which don't have UPNs by default, so their sAMAccountName like DC01$ can be targeted) or user accounts where the UPN is not set or differs from its sAMAccountName (reducing the chance of direct UPN collision). For instance, setting the victim's UPN to target_samaccountname@domain.com or just target_samaccountname.

  3. Certificate Enrollment: The attacker, using the victim account's context, enrolls for a client authentication certificate. This certificate will now contain the manipulated UPN (e.g., DC01$@corp.local) in its SAN.

  4. UPN Reversion: The attacker reverts the victim account's UPN to its original value to cover tracks or restore functionality.

  5. Schannel Authentication & Impersonation: The attacker uses the obtained certificate to authenticate via Schannel to a service (e.g., LDAPS on a DC). If the DC's Schannel service is configured for UPN mapping (CertificateMappingMethods includes 0x4), it may map the certificate to the target account based on the UPN present in the certificate's SAN, thus leading to impersonation, even if the certificate's embedded SID (if present) belongs to the victim account.

While related to the broader theme of "weak certificate mapping" seen in attacks like Certifried (CVE-2022-26923), ESC10, as often demonstrated and exploitable with tools like Certipy, specifically leverages this UPN mapping loophole within Schannel authentication." — Oliver Lyak

Configuration

Basically, by configuring ESC9 we are also making the setup vulnerable to ESC10, since we set the CertificateMappingMethods registry key to 0x4 (UPN mapping). Same as before, we need to be able to edit the UPN, meaning a user must have GenericAll, GenericWrite or WriteProperty over the victim account.

NOTE: Certipy does not detect ESC10.
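Since Certipy does not flag this condition, the following PowerShell is an added example (not part of the original page, and not Certipy's or Oliver Lyak's code) that audits the two registry settings the description above talks about and then looks for UPNs that shadow another account's sAMAccountName, which is the trace the UPN-manipulation step leaves behind if the attacker forgets to revert it. It assumes it runs on, or is pointed at, a Domain Controller with the ActiveDirectory module installed; the bit meanings come from Microsoft's KB5014754 documentation, the default of 0x18 after that update is a known fact, and `dc01.corp.local` in the usage lines is a placeholder hostname.

```powershell
# Added example: defender-side check for ESC10 exposure.
# Bit meanings of CertificateMappingMethods, as documented in KB5014754.
$MappingBits = [ordered]@{
    0x01 = 'Subject/Issuer'
    0x02 = 'Issuer'
    0x04 = 'UPN (the bit ESC10 relies on)'
    0x08 = 'S4U2Self'
    0x10 = 'S4U2Self explicit'
}

function Test-SchannelCertMapping {
    [CmdletBinding()]
    param()

    $schannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $kdcPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

    # An absent value means the OS default applies; after KB5014754 that default is 0x18,
    # which does not include UPN mapping. Read both keys without failing if they are missing.
    $mapping = (Get-ItemProperty -Path $schannelPath -Name CertificateMappingMethods `
                -ErrorAction SilentlyContinue).CertificateMappingMethods
    $strong  = (Get-ItemProperty -Path $kdcPath -Name StrongCertificateBindingEnforcement `
                -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement

    # Decode the bit flags into readable method names.
    $enabled = @()
    if ($null -ne $mapping) {
        foreach ($bit in $MappingBits.Keys) {
            if ($mapping -band $bit) { $enabled += $MappingBits[$bit] }
        }
    }

    # UPN mapping in Schannel is independent of the KDC enforcement setting (0 = disabled,
    # 1 = compatibility, 2 = full enforcement), so report both side by side.
    [pscustomobject]@{
        CertificateMappingMethods           = if ($null -ne $mapping) { '0x{0:X}' -f $mapping } else { '(not set, OS default)' }
        EnabledMethods                      = $enabled -join ', '
        UpnMappingEnabled                   = [bool]($mapping -band 0x4)
        StrongCertificateBindingEnforcement = if ($null -ne $strong) { $strong } else { '(not set, OS default)' }
        Esc10Exposure                       = [bool]($mapping -band 0x4)
    }
}

function Find-UpnShadowingAccounts {
    # Flags accounts whose userPrincipalName prefix equals another account's sAMAccountName
    # (e.g. a user whose UPN is DC01$@corp.local), including UPNs with no '@' at all.
    [CmdletBinding()]
    param([string]$Server)

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # objectClass=user also matches computer objects, so machine accounts are covered.
    $accounts = Get-ADObject -LDAPFilter '(&(objectClass=user)(sAMAccountName=*))' `
                             -Properties sAMAccountName, userPrincipalName @adArgs

    $bySam = @{}
    foreach ($a in $accounts) { $bySam[$a.sAMAccountName.ToLower()] = $a }

    foreach ($a in $accounts) {
        if (-not $a.userPrincipalName) { continue }
        $prefix = ($a.userPrincipalName -split '@')[0].ToLower()
        $owner  = $bySam[$prefix]
        # Skip the normal case where the UPN prefix is the account's own sAMAccountName.
        if ($owner -and $owner.DistinguishedName -ne $a.DistinguishedName) {
            [pscustomobject]@{
                Account           = $a.DistinguishedName
                UserPrincipalName = $a.userPrincipalName
                ShadowsAccount    = $owner.DistinguishedName
            }
        }
    }
}

# Usage (placeholder DC name):
# Test-SchannelCertMapping | Format-List
# Find-UpnShadowingAccounts -Server dc01.corp.local | Format-Table -AutoSize
```

The first function answers "is UPN mapping on?" for the DC you run it on; the second is a point-in-time sweep, so it only catches a manipulated UPN while it is set. For the reverted case in step 4 of the description, watch for Directory Service Changes events (Event ID 5136) that modify userPrincipalName, which is the durable record of the same activity. Expect the occasional benign hit from organisations whose UPN prefixes are not derived from sAMAccountName.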

This attack hasn't been showcased on HTB yet, give it a bit of imagination and you could end up with a really cool medium machine!

Written by ruycr4ft
