
Author Topic: Abusing GenericWrite ACE misconfiguration in Active Directory to RCE

BigBrother

tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to run arbitrary executables.

During a recent assessment I found a new way to abuse Access Control Entries in a misconfigured Active Directory instance. Before jumping into the juicy bits, I’d first like to explain what these misconfigurations are, how we find them and finally how to abuse them. If you have preexisting knowledge on this topic you can jump to the section titled ‘A new way of abusing GenericWrite’.

ACE, ACL and DACLs

In Microsoft products such as the Windows operating system or Active Directory, you can use an ‘Access Control Model’ to secure objects and attributes. Think of these objects as files, folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads.

When editing rights on these objects you create Access Control Entries (ACE). A list of these ACEs is called an Access Control List (ACL), which comes in two types:
  • A Discretionary Access Control List (DACL), which identifies security principals who are allowed or denied access;
  • A System Access Control List (SACL), which controls how access is audited.
These configured ACEs are enforced for specified security principals. A security principal is any entity that can be authenticated by an operating system, such as:
  • A user account;
  • A computer account;
  • Security groups for these accounts.


Read the full article @ https://sensepost.com/blog/2020/ace-to-rce/
--
Best Regards
CFTIRC Admin
https://www.acfti.org/cftirc-community
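
The DACL/SACL split described in the post, shown as an audit check. This is an added example, not code from the post or the linked article: it parses a security descriptor in SDDL form and lists DACL allow-ACEs that grant GenericWrite over a whole object to trustees outside an expected set. The sample descriptor, its SIDs and GUID, and the `EXPECTED` set are constructed assumptions.

```python
import re

# SDDL two-letter rights codes -> access-mask bits (directory-service meanings)
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
GENERIC_BITS = RIGHTS["GW"] | RIGHTS["GA"]   # GenericAll is a superset of GenericWrite
AD_GENERIC_WRITE = 0x20028                   # RC|WP|SW: GenericWrite as mapped on AD objects
# Assumption: trustees expected to hold write access (SYSTEM, Domain/Enterprise/Builtin Admins)
EXPECTED = {"SY", "DA", "EA", "BA"}

# Constructed sample descriptor: D: is the DACL, S: is the SACL (audit entries)
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;GA;;;SY)(A;;GA;;;DA)"
               "(A;;RPWPSWRC;;;S-1-5-21-1111111111-2222222222-3333333333-1604)"
               "(OA;;WP;11111111-2222-3333-4444-555555555555;;"
               "S-1-5-21-1111111111-2222222222-3333333333-1605)"
               "(A;;RPLCRC;;;AU)S:AI(AU;SA;WPWD;;;WD)")

def mask_of(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)          # codes outside the table are ignored
    return mask

def parse_acl(sddl, tag):
    """Return ACE dicts from the DACL (tag 'D') or SACL (tag 'S') of an SDDL string."""
    m = re.search(tag + r":[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        aces.append({"type": f[0], "mask": mask_of(f[2]),
                     "object": f[3], "trustee": f[5]})
    return aces

def risky_write_aces(sddl):
    """Trustees outside EXPECTED that an allow-ACE grants GenericWrite on the whole object."""
    hits = []
    for ace in parse_acl(sddl, "D"):
        grants = bool(ace["mask"] & GENERIC_BITS) or \
            (ace["mask"] & AD_GENERIC_WRITE) == AD_GENERIC_WRITE
        # An object GUID scopes the ACE to one property or right, so it is skipped
        if ace["type"] in ("A", "OA") and not ace["object"] and grants \
                and ace["trustee"] not in EXPECTED:
            hits.append(ace["trustee"])
    return hits
```

`risky_write_aces(SAMPLE_SDDL)` returns only the trustee ending in `-1604`; the property-scoped ACE for `-1605` and the read-only ACE for `AU` are not reported.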