Merge branch 'pr-226'
atomic111 committed Nov 9, 2024
2 parents 2a55a53 + f94c146 commit 8640cf2
Showing 3 changed files with 48 additions and 24 deletions.
70 changes: 46 additions & 24 deletions certipy/commands/find.py
100755 → 100644
Expand Up @@ -12,6 +12,7 @@

from asn1crypto import x509
from certipy.lib.constants import (
ACTIVE_DIRECTORY_RIGHTS,
CERTIFICATE_RIGHTS,
CERTIFICATION_AUTHORITY_RIGHTS,
EXTENDED_RIGHTS_MAP,
Expand Down Expand Up @@ -858,12 +859,13 @@ def get_template_permissions(self, template: LDAPEntry):
continue

if (
EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"]
( rights['rights'] & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT ) and
( EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"] )
):
enrollment_rights.append(self.connection.lookup_sid(sid).get("name"))
if (
EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"]
in rights["extended_rights"]
( rights['rights'] & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT ) and
( EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"] in rights["extended_rights"] )
):
all_extended_rights.append(self.connection.lookup_sid(sid).get("name"))

Expand All @@ -886,26 +888,45 @@ def get_template_permissions(self, template: LDAPEntry):
(CERTIFICATE_RIGHTS.GENERIC_ALL, [], "Full Control Principals"),
(CERTIFICATE_RIGHTS.WRITE_OWNER, [], "Write Owner Principals"),
(CERTIFICATE_RIGHTS.WRITE_DACL, [], "Write Dacl Principals"),
(
CERTIFICATE_RIGHTS.WRITE_PROPERTY,
[],
"Write Property Principals",
),
]
write_permissions = {}

for sid, rights in security.aces.items():
if self.hide_admins and is_admin_sid(sid):
continue

extended_rights = rights["extended_rights"]
rights = rights["rights"]
sid = self.connection.lookup_sid(sid).get("name")

for (right, principal_list, _) in rights_mapping:
if right in rights:
principal_list.append(sid)

for _, rights, name in rights_mapping:
if len(rights) > 0:
object_control_permissions[name] = rights
if rights & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT:
principal_list.append(sid)

if(
( CERTIFICATE_RIGHTS.WRITE_PROPERTY in rights ) and
( rights & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT )
):
for extended_right in extended_rights:
resolved_extended_right = EXTENDED_RIGHTS_MAP.get(extended_right, extended_right)
principal_list = write_permissions.get(resolved_extended_right, [])
if sid not in principal_list:
principal_list.append(sid)
write_permissions[resolved_extended_right] = principal_list

for extended_right, principal_list in write_permissions.items():
rights_mapping.append(
(
CERTIFICATE_RIGHTS.WRITE_PROPERTY,
principal_list,
f"Write Property {extended_right}"
)
)

for _, principal_list, name in rights_mapping:
if len(principal_list) > 0:
object_control_permissions[name] = principal_list

if len(object_control_permissions) > 0:
permissions["Object Control Permissions"] = object_control_permissions
Expand Down Expand Up @@ -1014,14 +1035,16 @@ def template_has_vulnerable_acl(self, template: LDAPEntry):
continue

ad_rights = rights["rights"]
if any(
right in ad_rights
for right in [
CERTIFICATE_RIGHTS.GENERIC_ALL,
CERTIFICATE_RIGHTS.WRITE_OWNER,
CERTIFICATE_RIGHTS.WRITE_DACL,
CERTIFICATE_RIGHTS.WRITE_PROPERTY,
]
ad_extended_rights = rights["extended_rights"]
for right in [CERTIFICATE_RIGHTS.GENERIC_ALL, CERTIFICATE_RIGHTS.WRITE_OWNER, CERTIFICATE_RIGHTS.WRITE_DACL, CERTIFICATE_RIGHTS.GENERIC_WRITE]:
if right in ad_rights:
vulnerable_acl_sids.append(sid)
has_vulnerable_acl = True

## WRITE_PROPERTY is only interesting if you can write the entire object
if (
CERTIFICATE_RIGHTS.WRITE_PROPERTY in ad_rights and
( '00000000-0000-0000-0000-000000000000' in ad_extended_rights and ad_rights & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT )
):
vulnerable_acl_sids.append(sid)
has_vulnerable_acl = True
Expand All @@ -1039,9 +1062,8 @@ def can_user_enroll_in_template(self, template: LDAPEntry):
continue

if (
EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"]
in rights["extended_rights"]
or EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"]
( EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"] in rights["extended_rights"] and rights['rights'] & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT )
or ( EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"] and rights['rights'] & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT )
or CERTIFICATE_RIGHTS.GENERIC_ALL in rights["rights"]
):
enrollable_sids.append(sid)
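Review bot: In get_template_permissions (hunk at L42–L97) the new `if rights & ACTIVE_DIRECTORY_RIGHTS.EXTENDED_RIGHT:` at L69 sits inside the loop over rights_mapping, so — if it is nested under `if right in rights:` as the print order suggests; indentation is not recoverable from this rendering — a principal granted WRITE_OWNER or WRITE_DACL by an ACE that lacks bit 0x100 is silently dropped from "Write Owner Principals" / "Write Dacl Principals", while template_has_vulnerable_acl in the next hunk (L111–L114) still flags that same ACE without any such gate, so the vulnerability verdict and the listed principals can disagree. GENERIC_ALL (983551 = 0xF01FF) happens to include 0x100, but WRITE_OWNER (524288) and WRITE_DACL (262144) do not. The gate is only meaningful for the WRITE_PROPERTY breakdown that follows, so the loop body should go back to `if right in rights:` / `principal_list.append(sid)` and leave the EXTENDED_RIGHT test to the `if` at L72–L75. Separately, the null-GUID literal at L119 should reference the same `EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"]` that L130 uses, assuming that entry resolves to the null GUID, so the two checks cannot drift apart.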
1 change: 1 addition & 0 deletions certipy/lib/constants.py
Expand Up @@ -252,6 +252,7 @@ class CERTIFICATE_RIGHTS(IntFlag):
GENERIC_ALL = 983551
WRITE_OWNER = 524288
WRITE_DACL = 262144
GENERIC_WRITE = 131112
WRITE_PROPERTY = 32

def to_list(self):
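Review bot: `GENERIC_WRITE = 131112` at L142 is the one member of CERTIFICATE_RIGHTS whose value is not self-explanatory, and nothing in the class says it is a composite of other bits. Document the decomposition so a reader of `CERTIFICATE_RIGHTS.GENERIC_WRITE in ad_rights` in find.py sees that the membership test requires all three bits: `GENERIC_WRITE = 131112  # 0x20028 = READ_CONTROL (0x20000) | WRITE_PROPERTY (0x20) | SELF (0x8); the DS mapping of generic write`. Because WRITE_PROPERTY on the next line is a strict subset of this value, an ACE carrying only WRITE_PROPERTY does not match GENERIC_WRITE and relies on the separate WRITE_PROPERTY branch in find.py.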
1 change: 1 addition & 0 deletions certipy/lib/security.py
Expand Up @@ -42,6 +42,7 @@ def __init__(
self.aces[sid]["rights"] |= self.RIGHTS_TYPE(ace["Ace"]["Mask"]["Mask"])

if ace["AceType"] == ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE:
self.aces[sid]["rights"] |= self.RIGHTS_TYPE(ace["Ace"]["Mask"]["Mask"])
if ace["Ace"]["Flags"] == 2:
uuid = bin_to_string(ace["Ace"]["InheritedObjectType"]).lower()
elif ace["Ace"]["Flags"] == 1:
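Review bot: The added line at L153 folds the object ACE's access mask into the same per-SID `rights` value that L150 already accumulates for non-object ACEs, so after this hunk `rights` is a union over every ACE of that SID, while the GUID read at L155 is collected into `extended_rights` the same way. The find.py checks introduced in this commit test `rights & EXTENDED_RIGHT` together with a GUID in `extended_rights`, and with both aggregated per SID a bit contributed by one ACE can satisfy a test against a GUID contributed by a different ACE — a cross-ACE aliasing that callers cannot detect. If that pairing matters, keep the mask per ObjectType as well, e.g. a `self.aces[sid]["object_rights"][uuid] |= ...` entry beside the aggregate; the `__init__` this sits in starts above the hunk, so how `aces[sid]` is initialised is not visible here. Separately, an object ACE whose Flags is 0 (no ObjectType and no InheritedObjectType) records no GUID in the visible branches, yet such an ACE applies to the whole object, so the null-GUID check in find.py will not see it unless a branch below the hunk handles that case.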
