If we find templates that are configured with the msPKI-Enrollment-Flag CT_FLAG_PEND_ALL_REQUESTS bit set, all requests will pend unless the administrator approves the CSR. We should note to the user that requests to these templates will pend and not generate certificates ahead of time to reduce noise within the environment.
I may take a look into doing this myself. It should be a fairly easy lift, and should only require observation of the bit setting. If identified, we can raise an alert to the user that requests to the template will fail regardless of vulnerability status.
I'm looking through the ldap_esc_vulnerable_cert_finder module now and it looks like templates where CT_FLAG_PEND_ALL_REQUESTS is set are filtered out. Are you requesting that they be included just with a warning?
I must have missed those lines when looking through it. You are a step ahead of me. I'll consider this closed. If they aren't showing up for users, the noise issues I was worried about shouldn't be a concern.
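The bit check discussed in this thread, as an added example that is not code from the ldap_esc_vulnerable_cert_finder module or from any participant: it sorts certificate templates by whether CT_FLAG_PEND_ALL_REQUESTS is set in msPKI-Enrollment-Flag. The flag values are those defined in MS-CRTD; the hash layout of each entry (lowercase attribute names mapped to arrays of strings), the function names and the sample templates are assumptions constructed for illustration.

```ruby
# Added example. Flag values come from MS-CRTD (msPKI-Enrollment-Flag).
ENROLLMENT_FLAGS = {
  0x00000001 => 'CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS',
  0x00000002 => 'CT_FLAG_PEND_ALL_REQUESTS',
  0x00000008 => 'CT_FLAG_PUBLISH_TO_DS',
  0x00000020 => 'CT_FLAG_AUTO_ENROLLMENT',
  0x00080000 => 'CT_FLAG_NO_SECURITY_EXTENSION'
}.freeze
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# LDAP attributes typically arrive as arrays of strings, and AD serialises
# 32-bit flag fields as signed integers, so normalise to an unsigned value.
# Returns nil when the attribute is absent or not an integer.
def enrollment_flag_value(entry)
  raw = Array(entry['mspki-enrollment-flag']).first
  return nil if raw.nil?

  Integer(raw.to_s, 10) & 0xFFFFFFFF
rescue ArgumentError
  nil
end

# Names of the known flags set in an already-normalised value.
def enrollment_flag_names(value)
  ENROLLMENT_FLAGS.select { |bit, _name| (value & bit) != 0 }.values
end

# Splits templates into those that issue immediately, those whose requests
# pend for CA manager approval, and those whose flag could not be read.
def classify_templates(entries)
  result = { issuable: [], pending: [], unknown: [] }
  entries.each do |entry|
    name = Array(entry['cn']).first
    value = enrollment_flag_value(entry)
    bucket = if value.nil? then :unknown
             elsif (value & CT_FLAG_PEND_ALL_REQUESTS) != 0 then :pending
             else :issuable
             end
    result[bucket] << name
  end
  result
end

# Constructed sample data (hypothetical template names and flag values).
SAMPLE_TEMPLATES = [
  { 'cn' => ['ConstructedUser'],     'mspki-enrollment-flag' => ['41'] },          # 0x29
  { 'cn' => ['ConstructedApproval'], 'mspki-enrollment-flag' => ['43'] },          # 0x2B
  { 'cn' => ['ConstructedSigned'],   'mspki-enrollment-flag' => ['-2147483646'] }, # 0x80000002
  { 'cn' => ['ConstructedMissing'] }
].freeze
```

Templates in the `unknown` bucket are kept separate so that an unreadable attribute is never reported as either pending or issuable.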