ESC14 is a misconfiguration in Active Directory, which stems from insecure management of security attributes. Specifically, the altSecurityIdentities attribute (explicit certificate mapping) of a domain principal can be abused to compromise its account.

Background

The configuration was first described by Géraud de Drouas in this git page, later highlighted by Jean Marsault in this blogpost, and then tagged ESC14 by Jonas Bülow Knudsen in this blogpost.

Exploitation Methods

There are currently three documented methods for exploiting this vulnerability:

1. Overwrite the altSecurityIdentities attribute to compromise an account.
  • Enroll in a certificate with an attacker-controlled principal.
  • Add an explicit certificate mapping from the certificate to the attribute.
  • Authenticate as the target account.
2. Abuse an existing X509RFC822 entry in the altSecurityIdentities attribute of a principal.
  • Modify the mail attribute of an attacker-controlled principal.
  • Enroll in a certificate with the attacker-controlled principal.
  • Authenticate as the target principal (only works against users).
3. Abuse an existing X509IssuerSubject or X509SubjectOnly entry in the altSecurityIdentities attribute of a principal.
  • Modify the cn or dNSHostName attribute of an attacker-controlled principal.
  • Enroll in a certificate with the attacker-controlled principal.
  • Authenticate as the target principal.
While these are interesting attack techniques, there is little to no relevant functionality in Certify that supports the ESC14 abuse scenario (except for requesting certificates), so we refer to this blogpost for further information about ESC14.
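To find the mapping types that methods 2 and 3 rely on, here is an added Python example (not part of Certify or of the original page) that parses altSecurityIdentities values and flags the X509RFC822, X509SubjectOnly and X509IssuerSubject entries, which can be satisfied by renaming a controlled principal, as weak; the strong/weak split follows the categories in Microsoft's KB5014754, and the sample principals and values are constructed.

```python
import re

# Tag sequence -> (mapping name, strength). Weak entries match on names or
# e-mail (mail/cn/dNSHostName of a principal); strong entries bind the
# certificate's issuer+serial or its key material.
MAPPING_TYPES = {
    ("I", "S"): ("X509IssuerSubject", "weak"),
    ("S",): ("X509SubjectOnly", "weak"),
    ("RFC822",): ("X509RFC822", "weak"),
    ("I", "SR"): ("X509IssuerSerialNumber", "strong"),
    ("SKI",): ("X509SKI", "strong"),
    ("SHA1-PUKEY",): ("X509SHA1PublicKey", "strong"),
}

_TAG_RE = re.compile(r"<([A-Z0-9-]+)>([^<]*)")


def classify_mapping(value):
    """Parse one altSecurityIdentities value -> (type, strength, fields)."""
    if not value.startswith("X509:"):
        return ("Unknown", "unknown", {})
    parts = _TAG_RE.findall(value[len("X509:"):])
    tags = tuple(tag for tag, _ in parts)
    name, strength = MAPPING_TYPES.get(tags, ("Unknown", "unknown"))
    return (name, strength, dict(parts))


def audit(principals):
    """principals: {sAMAccountName: [values]} -> list of non-strong findings."""
    findings = []
    for sam, values in principals.items():
        for value in values:
            name, strength, fields = classify_mapping(value)
            if strength != "strong":
                findings.append((sam, name, fields))
    return findings


# Constructed sample data; not taken from any real domain.
SAMPLE = {
    "da-admin": ["X509:<I>DC=corp,DC=local,CN=CORP-CA<S>CN=Administrator"],
    "svc-backup": ["X509:<RFC822>backup@corp.local"],
    "webserver$": ["X509:<S>CN=web01.corp.local"],
    "jdoe": ["X509:<I>DC=corp,DC=local,CN=CORP-CA<SR>1234567890"],
    "asmith": ["X509:<SKI>1234567890abcdef", "X509:<SHA1-PUKEY>abcdef1234567890"],
}

if __name__ == "__main__":
    for sam, name, fields in audit(SAMPLE):
        print(f"{sam}: {name} mapping is name/e-mail based -> {fields}")
```

In a real audit the values would come from an LDAP query for objects with a non-empty altSecurityIdentities attribute; the classification logic is the same.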