Merge pull request #20471 from zeroSteiner/feat/mod/ldap/esc-finder-updates

jheysel-r7 · web-flow · commit 0830de84040b · 2025-08-15T16:52:29.000-07:00
Update the ldap_esc_vulnerable_cert_finder to check enrollment permissions
diff --git a/documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md b/documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md
@@ -240,15 +240,15 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
 
 ## Options
 
-### REPORT_NONENROLLABLE
-If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
-If set to `False` then skip over these certificate templates and only report on certificate templates
-that are both vulnerable and enrollable.
+### REPORT
+What templates to report (applies filtering to results).
 
-### REPORT_PRIVENROLLABLE
-If set to `True` then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups.
-If set to `False` then skip over these certificate templates and only report on certificate templates that are
-enrollable by at least one additional user or group.
+* **all** - Report all certificate templates.
+* **published** - Report certificate templates that are published by at least one CA server.
+* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
+* **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
+* **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
+* **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
 
 ## Scenarios
 
diff --git a/lib/msf/core/exploit/remote/ldap/active_directory.rb b/lib/msf/core/exploit/remote/ldap/active_directory.rb
@@ -294,6 +294,8 @@ def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: ni
           case ace.body.sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
             matcher.apply_ace!(ace)
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
+            matcher.apply_ace!(ace)
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
             matcher.apply_ace!(ace) if self_sid == test_sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
diff --git a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
