ESC7

Dangerous Permissions on CA

Description

"ESC7 addresses vulnerabilities arising from an attacker obtaining highly privileged permissions directly on a CA object within AD CS or on the CA service itself. These permissions grant significant control over the CA's operations and security. The two primary permissions of concern are:

  • Manage CA (CA Administrator/ManageCa): This permission grants extensive control over the CA, including the ability to modify its configuration (e.g., which certificate templates are published), assign CA roles (including Certificate Manager/Officer, if needed), start/stop the CA service, and manage CA security. This is the core permission that ESC7 often revolves around.

  • Manage Certificates (Certificate Manager/Officer): This permission allows a user to approve or deny pending certificate requests and to revoke issued certificates.

While Manage Certificates alone might have limited direct paths to privilege escalation without a pre-existing pending request for a privileged certificate, obtaining Manage CA rights is extremely dangerous. An attacker with Manage CA can often grant themselves other necessary CA roles or directly manipulate the CA configuration to facilitate the issuance of unauthorized certificates, leading to full domain compromise. For instance, having Manage CA might enable an attacker to also perform actions typically associated with a Certificate Officer, such as approving a request, especially if they can assign that role to themselves. The exploitation method detailed below demonstrates how Manage CA rights are leveraged to enable a specific template and then ensure a certificate request is processed, effectively leading to arbitrary certificate issuance using the built-in SubCA template." — Oliver Lyak

Configuration

Really easy to set up. Open "Certification Authority" and grant the chosen principal (in this case, gMSA_ADCS_prod$) the ManageCA privilege.

That's all it takes to make it vulnerable to ESC7.
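Because the only change is one ACE on the CA's security descriptor, the misconfiguration is easy to miss and just as easy to audit. The following PowerShell script is an added example for checking a CA from the defender's side; it is not part of the original page. It assumes it runs locally on the CA host with administrative rights, reads the CA's security descriptor from the standard CertSvc registry location, and decodes the CA_ACCESS_* bits (Manage CA = 0x1, Manage Certificates = 0x2) to report every principal holding ESC7-relevant rights. The principal name gMSA_ADCS_prod$ is only what such a report would surface on the lab described above.

```powershell
# Added example (not from the original page): list who holds Manage CA /
# Manage Certificates on the local Enterprise CA. Run on the CA host as an
# administrator. Registry path and access-mask bits are the standard AD CS values.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$rawSd     = (Get-ItemProperty -Path "$configKey\$caName" -Name Security).Security

# CA_ACCESS_* rights as stored in the CA security descriptor (certca.h).
$caRights = [ordered]@{
    ManageCA           = 0x1     # CA Administrator: the permission ESC7 revolves around
    ManageCertificates = 0x2     # Certificate Manager / Officer: approve, deny, revoke
    Auditor            = 0x4
    Operator           = 0x8
    Read               = 0x100
    Enroll             = 0x200
}

# The Security value is a binary self-relative security descriptor.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($rawSd, 0)

$report = foreach ($ace in $sd.DiscretionaryAcl) {
    # Only access-allowed ACEs grant rights; deny ACEs are skipped in this report.
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

    $granted = $caRights.GetEnumerator() |
        Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }

    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # unresolvable SID (e.g. deleted account): keep the raw SID

    [pscustomobject]@{
        Principal = $name
        Rights    = ($granted -join ', ')
        # Either of the two ESC7 rights present on this ACE
        ESC7Risk  = [bool]($ace.AccessMask -band 0x3)
    }
}

$report | Sort-Object -Property ESC7Risk -Descending | Format-Table -AutoSize

# Review every entry with ESC7Risk = True that is not an intended CA admin group.
# In the lab above, gMSA_ADCS_prod$ would show up here with Rights = ManageCA.
```

The same information is what the "Security" tab of the Certification Authority console displays; reading the descriptor directly just makes it scriptable across many CAs. For remote CAs the PSPKI module's Get-CertificationAuthorityAcl cmdlet returns an equivalent ACL object, at the cost of a third-party dependency.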

Written by ruycr4ft
