In my exploration of all the components and configurations related to the Windows Active Directory Certification Services (ADCS), after the "deep dive" in Cert Publishers group, I decided to take a look at the "Certificate Service DCOM Access" group. This group is a built-in local security group and is populated by the special NT AUTHORITY\Authenticaterd…

Sometimes I think that starting with a hypothetical scenario can be better than immediately diving into the details of a vulnerability. This approach, in my opinion, provides crucial context for a clearer understanding, especially when the vulnerability is easy to understand but the scenario where it could apply is not. This post is about possible…

While writing my latest post, my attention was also drawn to the Cert Publishers group, which is associated with the Certificate service (ADCS) in an Active Directory Domain. I was wondering about the purpose of this group and what type of permissions were assigned to its members. I was also curious to understand if it…

Microsoft addressed our LocalPotato vulnerability in the SMB scenario with CVE-2023-21746 during the January 2023 Patch Tuesday. However, the HTTP scenario remains unpatched, as per Microsoft's decision, and it is still effective on updated systems. This is clearly an edge case, but it is important to be aware of it and avoid situations that could…

In a recent assessment, I found that a user without special privileges had the ability to make changes to the NTAuthCertificates object. This misconfiguration piqued my curiosity, as I wanted to understand how this could potentially be exploited or misused. Having write access to the NTAuthCertificates object in Windows Active Directory, which is located in…

Summary A standard domain user can exploit Arbitrary File Write/Overwrite with NT AUTHORITY\SYSTEM under certain circumstances if Group Policy “File Preference” is configured. I reported this finding to ZDI and Microsoft fixed this in CVE-2022-37955 Versions Affected Tests (April 06, 2022) were conducted on the following Active Directory setup: Domain computer: Windows 10/Windows 11 &…

Here we are again with our (me and @splinter_code) new *potato flavor, the LocalPotato! This was a cool finding so we decided to create a dedicated website 😉 The journey to discovering the LocalPotato began with a hint from our friend Elad Shamir, who suggested examining the "Reserved" field in NTLM Challenge messages for potential…

Well, it's been a long time ago since our beloved JuicyPotato has been published. Meantime things changed and got fixed (backported also to Win10 1803/Server2016) leading to the glorious end of this tool which permitted to elevate to SYSTEM user by abusing impersonation privileges on Windows systems. With Juicy2 it was somehow possible to circumvent…

Two years ago (march 2020), I found this sort of "vulnerability" in Folder Redirection policy and reported it to MSRC. They acknowledged it with CVE-2021-26887 even if they did not really fix the issue ("folder redirection component interacts with the underlying NTFS file system has made this vulnerability particularly challenging to fix"). The proposed solution…

Some time ago, I was doing a Group Policy assessment in order to check for possible misconfigurations. Apart running the well known tools, I usually take a look at the shared SYSVOL policy folder. The SYSVOL folder is accessible in read-only by all domain users & domain computers. My attention was caught at some point…