Last updated at Mon, 05 Jun 2023 14:35:05 GMT
AD CS certificate templates
Our very own Spencer McIntyre has developed a new module that allows for creating, reading, updating and deleting certificate template objects from Active Directory.
These changes notably enable the exploitation of the technique identified as ESC4, whereby an attacker who has access to modify the certificate template object in LDAP can change it to set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in the mspki-certificate-name-flag field, which in turn enables exploitation of ESC1. Exploiting this scenario would be a three-step process:
- Use this module to update a certificate template that you have rights to modify
- Use the icpr_cert module to exploit ESC1 by specifying a privileged user in the
- Restore the certificate template that was replaced in step 1 with the backup that was automatically created
When the user updates the certificate template, the nTSecurityDescriptor field is overwritten with one that provides all access to all authenticated users. This means it's critical that the template be restored when the operator is finished. A backup is created every time the template is read, but it's not restored automatically because the actions taken once the module has completed will likely involve another module such as
The MsDtypSecurityDescriptor class has a new .from_sddl_text method to create a new instance from Microsoft's (relatively) human-readable Security Descriptor Definition Language. This means the SID in the ACEs can be specified by copying the included template file and changing it to whatever the user would like. They could, for example, set it to the SID of the current user, the domain admins group, etc.
New module content (2)
AD CS Certificate Template Management
Description: This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.
Sudoedit Extra Arguments Priv Esc
Description: This adds an exploit for CVE-2023-22809, an LPE within sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.
Enhancements and features (1)
- #17989 from cgranleese-r7 - The auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields
Bugs fixed (4)
- #18009 from cgranleese-r7 - This PR updates the msfdb commands to no longer enable the web services by default. The web service will now be enabled with the web service flag:
- #18010 from adfoster-r7 - Fix edgecase crash when running smb_login with Kerberos auth activated
- #18015 from distortedsignal - Deletes a dead link from the Using Metasploit page
- #18024 from zgoldman-r7 - This PR fixes an issue with credentials being normalized to lowercase inconsistently, causing collisions with uppercase data. Relevant credentials are now automatically normalized to lowercase on insert and lookup.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).