Initial implementation of #adds_sd_grants_permissions?

Author: zeroSteiner

lib/msf/core/exploit/remote/ldap/active_directory.rb

@@ -9,6 +9,59 @@ module ActiveDirectory
       include Msf::Exploit::Remote::LDAP
 
       LDAP_CAP_ACTIVE_DIRECTORY_OID = '1.2.840.113556.1.4.800'.freeze
+      LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'.freeze
+      OWNER_SECURITY_INFORMATION = 0x1
+      GROUP_SECURITY_INFORMATION = 0x2
+      DACL_SECURITY_INFORMATION = 0x4
+      SACL_SECURITY_INFORMATION = 0x8
+
+      class ACEMatcherAllowAll
+        attr_reader :permissions
+
+        def initialize(permissions)
+          @permissions = Array.wrap(permissions)
+        end
+
+        def call(ace)
+          access_mask = ace.body.access_mask.snapshot
+          target_permissions = access_mask.select { |flag, value| @permissions.include?(flag) }
+
+          if target_permissions.empty?
+            return false
+          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
+            return target_permissions.all? { |flag, value| value == 1 }
+          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
+            # if any target permission is denied, then all of them can't be allowed
+            return target_permissions.any? { |flag, value| value == 0 }
+          end
+
+          false
+        end
+      end
+
+      class ACEMatcherAllowAny
+        attr_reader :permissions
+
+        def initialize(permissions)
+          @permissions = Array.wrap(permissions)
+        end
+
+        def call(ace)
+          access_mask = ace.body.access_mask.snapshot
+          target_permissions = access_mask.select { |flag, value| @permissions.include?(flag) }
+
+          if target_permissions.empty?
+            return false
+          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
+            return target_permissions.any? { |flag, value| value == 1 }
+          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
+            # if all target permissions are denied, then none of them can be allowed
+            return target_permissions.all? { |flag, value| value == 0 }
+          end
+
+          false
+        end
+      end
 
       # Query the remote server via the provided LDAP connection to determine if it's an Active Directory LDAP server.
       # More specifically, this ensures that it reports active directory capabilities and the whoami extension.
@@ -30,6 +83,25 @@ def is_active_directory?(ldap)
         true
       end
 
+      def adds_build_ldap_sd_control
+        # Set the value of LDAP_SERVER_SD_FLAGS_OID flag so everything but
+        # the SACL flag is set, as we need administrative privileges to retrieve
+        # the SACL from the ntSecurityDescriptor attribute on Windows AD LDAP servers.
+        #
+        # Note that without specifying the LDAP_SERVER_SD_FLAGS_OID control in this manner,
+        # the LDAP searchRequest will default to trying to grab all possible attributes of
+        # the ntSecurityDescriptor attribute, hence resulting in an attempt to retrieve the
+        # SACL even if the user is not an administrative user.
+        #
+        # Now one may think that we would just get the rest of the data without the SACL field,
+        # however in reality LDAP will cause that attribute to just be blanked out if a part of it
+        # cannot be retrieved, so we just will get nothing for the ntSecurityDescriptor attribute
+        # in these cases if the user doesn't have permissions to read the SACL.
+        all_but_sacl_flag = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
+        control_values = [all_but_sacl_flag].map(&:to_ber).to_ber_sequence.to_s.to_ber
+        [LDAP_SERVER_SD_FLAGS_OID.to_ber, true.to_ber, control_values].to_ber_sequence
+      end
+
       def adds_query_group_members(ldap, group_dn, base_dn: nil, inherited: true, object_class: nil)
         return enum_for(:adds_query_group_members, ldap, group_dn, base_dn: base_dn, inherited: inherited, object_class: object_class) unless block_given?
         results = 0
@@ -50,6 +122,7 @@ def adds_query_group_members(ldap, group_dn, base_dn: nil, inherited: true, obje
 
         ldap.search(
           base: base_dn || ldap.base_dn,
+          controls: [adds_build_ldap_sd_control],
           filter: "(&#{filters.map { "(#{_1})" }.join})",
           return_result: false # make sure we're streaming because this could be a lot of data
         ) do |ldap_entry|
@@ -85,6 +158,7 @@ def adds_query_member_groups(ldap, member_dn, base_dn: nil, inherited: true)
 
         ldap.search(
           base: base_dn || ldap.base_dn,
+          controls: [adds_build_ldap_sd_control],
           filter: "(&#{filters.map { "(#{_1})" }.join})",
           return_result: false
         ) do |ldap_entry|
@@ -104,26 +178,100 @@ def adds_get_object_by_dn(ldap, object_dn)
         object = @ldap_objects.find { |o| o[:dN]&.first == object_dn }
         return object if object
 
-        object = ldap.search(base: object_dn, scope: Net::LDAP::SearchScope_BaseObject)&.first
+        object = ldap.search(base: object_dn, controls: [adds_build_ldap_sd_control], scope: Net::LDAP::SearchScope_BaseObject)&.first
         validate_query_result!(ldap.get_operation_result.table)
 
         @ldap_objects << object if object
         object
       end
 
+      def adds_get_object_by_samaccountname(ldap, object_samaccountname)
+        @ldap_objects ||= []
+        object = @ldap_objects.find { |o| o[:sAMAccountName]&.first == object_samaccountname }
+        return object if object
+
+        filter = "(sAMAccountName=#{ldap_escape_filter(object_samaccountname)})"
+        object = ldap.search(base: ldap.base_dn, controls: [adds_build_ldap_sd_control], filter: filter)&.first
+        validate_query_result!(ldap.get_operation_result.table, filter)
+
+        @ldap_objects << object if object
+        object
+      end
+
       def adds_get_object_by_sid(ldap, object_sid)
         @ldap_objects ||= []
         object_sid = Rex::Proto::MsDtyp::MsDtypSid.new(object_sid)
         object = @ldap_objects.find { |o| o[:objectSid]&.first == object_sid.to_binary_s }
         return object if object
 
         filter = "(objectSID=#{ldap_escape_filter(object_sid.to_s)})"
-        object = ldap.search(base: ldap.base_dn, filter: filter)&.first
+        object = ldap.search(base: ldap.base_dn, controls: [adds_build_ldap_sd_control], filter: filter)&.first
         validate_query_result!(ldap.get_operation_result.table, filter)
 
         @ldap_objects << object if object
         object
       end
+
+      def adds_get_current_user(ldap)
+        our_domain, _, our_username = ldap.ldapwhoami.to_s.delete_prefix('u:').partition('\\')
+        # todo: this is probably going to have issues if our user is from a domain that the target server is not the
+        # authority of
+        adds_get_object_by_samaccountname(ldap, our_username)
+      end
+
+      def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: nil, self_sid: nil)
+        unless test_sid
+          current_user = adds_get_current_user(ldap)
+          test_sid = Rex::Proto::MsDtyp::MsDtypSid.read(current_user[:objectSid].first)
+        end
+
+        test_member_sids = nil
+        security_descriptor.dacl.aces.each do |ace|
+          # only processing simple allow and deny types right now
+          case ace.header.ace_type
+          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
+            eval_result = true
+          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
+            eval_result = true
+          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_ACE_TYPE
+            eval_result = false
+          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
+            eval_result = false
+          else
+            next # skip ACEs that are neither allow or deny
+          end
+
+          next unless matcher.call(ace)
+
+          case ace.body.sid
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
+            return eval_result
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
+            return eval_result if self_sid == test_sid
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
+            return eval_result if security_descriptor.owner_sid == test_sid
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_GROUP_SID
+            return eval_result if security_descriptor.group_sid == test_sid
+          when test_sid
+            return eval_result
+          else
+            ldap_object = adds_get_object_by_sid(ldap, ace.body.sid)
+            next unless ldap_object && ldap_object[:objectClass].include?('group')
+
+            member_sids = adds_query_group_members(ldap, ldap_object[:dN].first, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+            return eval_result if member_sids.include?(test_sid)
+
+            if test_member_sids.nil?
+              test_obj = adds_get_object_by_sid(ldap, test_sid)
+              test_member_sids = adds_query_member_groups(ldap, test_obj[:dN].first, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+            end
+
+            return eval_result if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
+          end
+        end
+
+        false
+      end
     end
   end
 end

lib/rex/proto/secauthz/well_known_sids.rb

@@ -19,6 +19,8 @@ module WellKnownSids
     SECURITY_CREATOR_OWNER_RID = 0
     SECURITY_CREATOR_GROUP_RID = 1
 
+    SECURITY_WORLD_SID = "#{SECURITY_WORLD_SID_AUTHORITY}-#{SECURITY_WORLD_RID}"
+
     SECURITY_CREATOR_OWNER_SID = "#{SECURITY_CREATOR_SID_AUTHORITY}-#{SECURITY_CREATOR_OWNER_RID}"
     SECURITY_CREATOR_GROUP_SID = "#{SECURITY_CREATOR_SID_AUTHORITY}-#{SECURITY_CREATOR_GROUP_RID}"