Land #19879, Add MsDtypSecurityDescriptor to_sddl_text

Land #19879, Add MsDtypSecurityDescriptor to_sddl_text

Author: dledda-r7

lib/msf/core/exploit/remote/ldap/queries.rb

@@ -284,6 +284,14 @@ def normalize_entry(entry, attribute_properties)
             end
             normalized_attribute[0] = time_string
           when 66 # String (Nt Security Descriptor)
+            if attribute_property[:attributesyntax] == '2.5.5.15'
+              begin
+                sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[attribute_name][0])
+                normalized_attribute[0] = sd.to_sddl_text(domain_sid: nil)
+              rescue StandardError => e
+                elog('failed to parse a binary security descriptor to SDDL', error: e)
+              end
+            end
           when 127 # Object
           else
             print_error("Unknown oMSyntax entry: #{attribute_property[:omsyntax]}")

lib/rex/proto/ms_dtyp.rb

@@ -42,7 +42,7 @@ module WellKnownSids
     SECURITY_BUILTIN_DOMAIN_SID = "#{SECURITY_NT_AUTHORITY}-32"
     SECURITY_WRITE_RESTRICTED_CODE_SID = "#{SECURITY_NT_AUTHORITY}-33"
 
-    SECURITY_USERMODEDRIVERHOST_ID_BASE_SID = "#{SECURITY_NT_AUTHORITY}-0"
+    SECURITY_USERMODEDRIVERHOST_ID_BASE_SID = "S-1-5-84-0-0-0-0-0"
     SECURITY_ALL_APP_PACKAGES = 'S-1-15-2-1'
     SECURITY_MANDATORY_SYSTEM_SID = 'S-1-16-16384'
     SECURITY_AUTHENTICATION_SERVICE_ASSERTED_SID = "S-1-18-2"

lib/rex/proto/secauthz/well_known_sids.rb

@@ -339,11 +339,21 @@ def action_read
     obj, stored = get_certificate_template
 
     print_status('Certificate Template:')
-    print_status("  distinguishedName: #{obj['distinguishedname'].first}")
-    print_status("  displayName:       #{obj['displayname'].first}") if obj['displayname'].present?
+    print_status("  distinguishedName:    #{obj['distinguishedname'].first}")
+    print_status("  displayName:          #{obj['displayname'].first}") if obj['displayname'].present?
     if obj['objectguid'].first.present?
       object_guid = Rex::Proto::MsDtyp::MsDtypGuid.read(obj['objectguid'].first)
-      print_status("  objectGUID:        #{object_guid}")
+      print_status("  objectGUID:           #{object_guid}")
+    end
+    if obj['ntsecuritydescriptor'].first.present?
+      begin
+        sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(obj['ntsecuritydescriptor'].first)
+        sddl_text = sd.to_sddl_text(domain_sid: get_domain_sid)
+      rescue StandardError => e
+        elog('failed to parse a binary security descriptor to SDDL', error: e)
+      else
+        print_status("  nTSecurityDescriptor: #{sddl_text}")
+      end
     end
 
     pki_flag = obj['flags']&.first

modules/auxiliary/admin/ldap/ad_cs_cert_template.rb

@@ -167,12 +167,16 @@ def run
   def action_read(obj)
     security_descriptor = obj[ATTRIBUTE]
     if security_descriptor.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.')
+      print_status("The #{ATTRIBUTE} field is empty.")
       return
     end
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("#{ATTRIBUTE}: #{sddl}")
+    end
+
     if security_descriptor.dacl.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity DACL field is empty.')
+      print_status("The #{ATTRIBUTE} DACL field is empty.")
       return
     end
 
@@ -211,22 +215,22 @@ def action_remove(obj)
     security_descriptor.dacl.acl_size.clear
 
     unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
     end
-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
   end
 
   def action_flush(obj)
     unless obj[ATTRIBUTE]
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.')
+      print_status("The #{ATTRIBUTE} field is empty. No changes are necessary.")
       return
     end
 
     unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE)
-      fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to deleted the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully deleted the #{ATTRIBUTE} attribute.")
   end
 
   def action_write(obj)
@@ -239,26 +243,37 @@ def action_write(obj)
   end
 
   def _action_write_create(obj, delegate_from)
+    vprint_status("Creating new #{ATTRIBUTE}...")
     security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.new
     security_descriptor.owner_sid = Rex::Proto::MsDtyp::MsDtypSid.new('S-1-5-32-544')
     security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new
     security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS
     security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
+    end
+
     unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to create the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully created the #{ATTRIBUTE} attribute.")
     print_status('Added account:')
     print_status("  #{delegate_from['ObjectSid']} (#{delegate_from['sAMAccountName']})")
   end
 
   def _action_write_update(obj, delegate_from)
+    vprint_status("Updating existing #{ATTRIBUTE}...")
     security_descriptor = obj[ATTRIBUTE]
+
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("Old #{ATTRIBUTE}: #{sddl}")
+    end
+
     if security_descriptor.dacl
       if security_descriptor.dacl.aces.any? { |ace| ace.body[:sid].to_s == delegate_from['ObjectSid'].to_s }
-        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already enabled.")
+        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already configured.")
       end
       # clear these fields so they'll be calculated automatically after the update
       security_descriptor.dacl.acl_count.clear
@@ -271,10 +286,20 @@ def _action_write_update(obj, delegate_from)
 
     security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
+    end
+
     unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
+  end
+
+  def sd_to_sddl(sd)
+    sd.to_sddl_text
+  rescue StandardError => e
+    elog('failed to parse a binary security descriptor to SDDL', error: e)
   end
 end

modules/auxiliary/admin/ldap/rbcd.rb

@@ -0,0 +1,99 @@
+RSpec.describe Rex::Proto::MsDtyp::MsDtypAccessMask do
+  subject(:instance) { described_class.from_sddl_text(sddl_text) }
+
+  describe '.from_sddl_text' do
+    it 'raises an exception on invalid flags' do
+      expect { described_class.from_sddl_text('XX') }.to raise_error(Rex::Proto::MsDtyp::SDDLParseError, 'unknown ACE access right: XX')
+    end
+
+    context 'when the text is FA' do
+      let(:sddl_text) { 'FA' }
+      subject(:instance) { described_class.from_sddl_text(sddl_text) }
+
+      it 'sets the protocol to 0x1ff' do
+        expect(instance.protocol).to eq 0x1ff
+      end
+
+      it 'sets the de flag' do
+        expect(instance.de).to eq 1
+      end
+
+      it 'sets the rc flag' do
+        expect(instance.rc).to eq 1
+      end
+
+      it 'sets the wd flag' do
+        expect(instance.wd).to eq 1
+      end
+
+      it 'sets the wo flag' do
+        expect(instance.wo).to eq 1
+      end
+
+      it 'sets the sy flag' do
+        expect(instance.sy).to eq 1
+      end
+
+      it 'does not set the ma flag' do
+        expect(instance.ma).to eq 0
+      end
+
+      it 'does not set the as flag' do
+        expect(instance.as).to eq 0
+      end
+    end
+
+    context 'when the text is KA' do
+      let(:sddl_text) { 'KA' }
+
+      it 'sets the protocol to 0x3f' do
+        expect(instance.protocol).to eq 0x3f
+      end
+
+      it 'sets the de flag' do
+        expect(instance.de).to eq 1
+      end
+
+      it 'sets the rc flag' do
+        expect(instance.rc).to eq 1
+      end
+
+      it 'sets the wd flag' do
+        expect(instance.wd).to eq 1
+      end
+
+      it 'sets the wo flag' do
+        expect(instance.wo).to eq 1
+      end
+
+      it 'does not set the sy flag' do
+        expect(instance.sy).to eq 0
+      end
+
+      it 'does not set the ma flag' do
+        expect(instance.ma).to eq 0
+      end
+
+      it 'does not set the as flag' do
+        expect(instance.as).to eq 0
+      end
+    end
+
+    context 'when the text is 0x00001234' do
+      let(:sddl_text) { '0x00001234' }
+
+      it 'sets the protocol to 0x1234' do
+        expect(instance.protocol).to eq 0x1234
+      end
+    end
+  end
+
+  describe '#to_sddl_text' do
+    context 'when high protocol bits are set' do
+      subject(:instance) { described_class.new(protocol: 0x1234) }
+      it 'dumps the value in hex' do
+        expect(instance.to_sddl_text).to eq "0x00001234"
+      end
+    end
+  end
+end