fix: 🐛 fix ESC4 ACL so it is actually vulnerable

Signed-off-by: kernel-sanders <[email protected]>

tasks/esc4.yml

@@ -0,0 +1,81 @@
+- name: Set ACL for ESC4
+  ansible.windows.win_powershell:
+    script: |
+      [CmdletBinding()]
+      param (
+          [String]
+          $for,
+
+          [String]
+          $to,
+
+          [String]
+          $right,
+
+          [String]
+          $inheritance
+      )
+      Import-Module ActiveDirectory
+      Set-Location AD:
+      $aclValues = 'AccessSystemSecurity', 'CreateChild', 'Delete', 'DeleteChild', 'DeleteTree', 'ExtendedRight', 'GenericAll', 'GenericExecute', 'GenericRead', 'GenericWrite', 'ListChildren', 'ListObject', 'ReadControl', 'ReadProperty', 'Self', 'Synchronize', 'WriteDacl', 'WriteOwner', 'WriteProperty'
+      $aclExtendValues = 'Ext-User-Force-Change-Password', 'Ext-Self-Self-Membership', 'Ext-Write-Self-Membership'
+      if ($for.StartsWith("NT AUTHORITY")) {
+        $forSID = New-Object System.Security.Principal.NTAccount "$for"
+      } else {
+        $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADObject -Filter "SamAccountName -eq '$for'" -Properties objectSID).objectSID
+      }
+
+      try {
+        $objAcl = get-acl -Path "$to" -ErrorAction Stop
+        $objOU = $to
+        $objFound=$true
+      } catch [System.Management.Automation.ItemNotFoundException]{
+        $objFound=$false
+      }
+
+      if (-not $objFound) {
+        $extra_args = @{}
+        if ($to -match "\\") {
+          $extra_args.Server = $to.Split("\")[0]
+          $to = $to.Split("\")[1]
+        }
+        $toObj = Get-ADObject -Filter "SamAccountName -eq '$to'" @extra_args
+        $objOU = ($toObj).DistinguishedName
+        $objAcl = get-acl -Path "$objOU"
+      }
+
+      $type =  [System.Security.AccessControl.AccessControlType] "Allow"
+      $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
+
+      $aclExtendedValueRightGUID = @{
+        "Ext-User-Force-Change-Password" = @("ExtendedRight","00299570-246d-11d0-a768-00aa006e0529")
+        "Ext-Write-Self-Membership" = @("WriteProperty","bf9679c0-0de6-11d0-a285-00aa003049e2")
+        "Ext-Self-Self-Membership" = @("Self","bf9679c0-0de6-11d0-a285-00aa003049e2")
+      }
+
+      $Ansible.Changed = $false
+      if ($aclValues.contains($right)) {
+        $adRight =  [System.DirectoryServices.ActiveDirectoryRights] $right
+        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$inheritanceType
+      }
+      if ($aclExtendValues.contains($right)) {
+        $extendedRightGUID = $aclExtendedValueRightGUID[$right][1]
+        $extright = $aclExtendedValueRightGUID[$right][0]
+        $adRight =  [System.DirectoryServices.ActiveDirectoryRights] $extright
+        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$extright,$type,$extendedRightGUID,$inheritanceType
+      }
+      if ($ace) {
+        $objAcl.AddAccessRule($ace)
+        Set-Acl -AclObject $objAcl -path "$objOU"
+        $Ansible.Changed = $true
+      }
+    parameters:
+      for: "Domain Users"
+      to: "CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC={{ ludus_domain_netbios_name }},DC={{ ludus_domain_fqdn_tail.split('.') | join(',DC=') }}"
+      right: "GenericAll"
+      inheritance: "None"
+  vars:
+    ansible_become: true
+    ansible_become_method: runas
+    ansible_become_user: "{{ ludus_adcs_domain_username }}"
+    ansible_become_password: "{{ ludus_adcs_domain_password }}"

tasks/main.yml

@@ -136,6 +136,10 @@
     cauthority_common_name: "{{ ludus_adcs_ca_common_name }}"
   when: ludus_adcs_esc6 is true
 
+- name: Set up ESC4
+  include_tasks: esc4.yml
+  when: ludus_adcs_esc4 is true
+
 - name: Set up ESC13
   include_tasks: esc13.yml
   when: ludus_adcs_esc13 is true