CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 4.3 Medium (AV:L/AC:L/Au:S/C:P/I:P/A:P)
Access Vector: LOCAL; Access Complexity: LOW; Authentication: SINGLE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.001 Low (Percentile 34.0%)
Our very own Spencer McIntyre has developed a new module that allows for creating, reading, updating and deleting certificate template objects from Active Directory.
These changes notably enable the exploitation of the technique identified as ESC4, whereby an attacker that has access to modify the certificate template object in LDAP can change it to set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in the mspki-certificate-name-flag field to enable exploitation of ESC1. Exploiting this scenario would be a three-step process, the last step being to use the icpr_cert module to exploit ESC1 by specifying a privileged user in the ALT_UPN field.
When the user updates the certificate template, the nTSecurityDescriptor field is overwritten with one that provides all access to all authenticated users. This means it's critical that the template be restored when the operator is finished. A backup is created every time the template is read, but it's not restored automatically because the actions taken once the module has completed will likely involve another module such as icpr_cert.
The existing MsDtypSecurityDescriptor class has a new .from_sddl_text method to create a new instance from Microsoft's (relatively) human-readable Security Descriptor Definition Language. This means the SID in the ACEs can be specified by copying the included template file and changing it to whatever the user would like. They could for example set it to the SID of the current user, or the domain admins group, etc.
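As an added example (not Metasploit's own code), here is a small Ruby parser for the SDDL text form that from_sddl_text accepts, paired with a defender-side check that flags DACL entries granting control rights to Authenticated Users or Everyone, which is the state the overwritten nTSecurityDescriptor leaves a template in. The WIDE_PRINCIPALS and CONTROL_RIGHTS names and both sample SDDL strings are constructed for this example.

```ruby
# Added example: minimal SDDL text parser plus a check for over-broad DACL grants
# on AD objects such as certificate templates. Sample SDDL strings are constructed.

# Two-letter SDDL SID aliases that cover every authenticated account.
WIDE_PRINCIPALS = %w[AU WD BU].freeze # Authenticated Users, Everyone, Builtin Users
# Rights that let the grantee take control of the object (or rewrite its attributes).
CONTROL_RIGHTS = %w[GA WD WO WP].freeze # GENERIC_ALL, WRITE_DAC, WRITE_OWNER, WRITE_PROPERTY
CONTROL_MASK = 0x10000000 | 0x00040000 | 0x00080000 | 0x00000020 # same rights as a bitmask

Ace = Struct.new(:type, :flags, :rights, :object_guid, :inherit_guid, :sid)

# Parse "O:..G:..D:flags(ace)(ace)" into owner, group, DACL flags and ACE structs.
def parse_sddl(text)
  desc = { owner: nil, group: nil, dacl_flags: '', dacl: [] }
  text.split(/(?=[OGDS]:)/).each do |part|
    kind, body = part[0], part[2..-1]
    case kind
    when 'O' then desc[:owner] = body
    when 'G' then desc[:group] = body
    when 'D'
      desc[:dacl_flags] = body[/\A[^(]*/]
      desc[:dacl] = body.scan(/\(([^)]*)\)/).map do |(ace)|
        fields = ace.split(';', -1) # keep empty fields so there are always six
        raise ArgumentError, "malformed ACE: #{ace}" unless fields.length == 6
        Ace.new(*fields)
      end
    end
  end
  desc
end

# Rights appear either as concatenated two-letter tokens or as a hex access mask.
def control_rights?(rights)
  return (rights.hex & CONTROL_MASK) != 0 if rights.start_with?('0x')
  rights.scan(/[A-Z]{2}/).any? { |r| CONTROL_RIGHTS.include?(r) }
end

# Return the allow ACEs (plain or object-specific) that hand control to wide principals.
def broad_grants(sddl)
  parse_sddl(sddl)[:dacl].select do |ace|
    %w[A OA].include?(ace.type) && WIDE_PRINCIPALS.include?(ace.sid) && control_rights?(ace.rights)
  end
end

# Constructed samples: a template left wide open (GENERIC_ALL to Authenticated Users)
# and a conservative one where Authenticated Users can only list and read the object.
OPEN_TEMPLATE_SDDL = 'O:DAG:DAD:(A;;GA;;;AU)'
SAFE_TEMPLATE_SDDL = 'O:DAG:DAD:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPRC;;;AU)'
```

Running broad_grants over a template's current SDDL before and after an engagement is a quick way to confirm the backup was actually restored.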
Authors: Lee Christensen, Oliver Lyak, Spencer McIntyre, and Will Schroeder
Type: Auxiliary
Pull request: #17965 contributed by zeroSteiner
Description: This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.
Authors: Matthieu Barjole, Victor Cutillas, and h00die
Type: Exploit
Pull request: #17929 contributed by h00die
AttackerKB reference: CVE-2023-22809
Description: This adds an exploit for CVE-2023-22809, an LPE within sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.
The auxiliary/admin/kerberos/inspect_ticket and auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields.
The msfdb commands no longer enable the web service by default. The web service will now be enabled with the web service flag: --msf-data-service <NAME>.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).