
Don't look up the local system SID#20445

Merged
jheysel-r7 merged 1 commit into rapid7:master from zeroSteiner:feat/lib/ldap-adds/2 on Aug 12, 2025

Conversation

@zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Aug 1, 2025

This makes a small improvement to the new ActiveDirectory mixin when evaluating security descriptors. The local system SID S-1-5-18 won't be in AD and, because it wasn't matched as a special case until now, it would trigger multiple lookups in AD. The cache wasn't helping here because the object was never found in LDAP, so it wouldn't be added to the cache, causing it to be looked up in a query each time.

This fixes the issue by adding the SID as a special case. It's placed after the SID we're testing for, so if the user wants to explicitly test for the SID they still can; however, if it's anything else, we know the ACE won't be applied so we just skip the lookup. This can be noticed when running the ldap_esc_vulnerable_cert_finder module with the VERBOSE option set to true. Without this change there'd be a bunch of lookups, as seen by the [*] Successfully queried (objectSID=S-1-5-18). lines in the logs. Now, there are no queries for that particular SID.

Testing

  • Run the ldap_esc_vulnerable_cert_finder with VERBOSE=true and see that there's not a bunch of unnecessary LDAP queries

@jheysel-r7
Contributor

Looks great.

Testing

There were significantly fewer LDAP queries being run and this does fix the issue described in the PR.

I'll note some unrelated behavior I noticed while testing. The SID ending in 1603 was tied to a user account. This user account was added to the security descriptors of multiple certificate templates and was granted access to enroll. That user was since deleted however the SID stays in the ACL resulting in the following output:

[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1604).
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-513).
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!

I'll push up a fix for this separately 👍
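The two lookup-avoidance rules discussed in this thread, as an added example that is not Metasploit's code and not the change in this PR: well-known local SIDs such as S-1-5-18 are resolved statically because they never exist in AD (the PR's fix), and SIDs the directory does not know, such as the deleted account whose SID -1603 lingers in the certificate template ACLs above, are remembered in a negative cache so they are queried once rather than once per ACE (the follow-up the reviewer mentions). The `FakeLdapClient`, `SidResolver`, directory contents and ACE list are all constructed here; the domain SID is borrowed from the log lines in the review comment.

```ruby
# Added example, not code from Metasploit or from this PR.

# Well-known local SIDs that never exist as AD objects, so an LDAP
# (objectSID=...) search for them can only ever come back empty.
WELL_KNOWN_LOCAL_SIDS = {
  'S-1-5-18' => 'NT AUTHORITY\\SYSTEM',
  'S-1-5-19' => 'NT AUTHORITY\\LOCAL SERVICE',
  'S-1-5-20' => 'NT AUTHORITY\\NETWORK SERVICE'
}.freeze

# Stand-in for an LDAP connection (constructed): a table of objectSID => name.
# Every query is recorded so callers can see how many round trips happened.
class FakeLdapClient
  attr_reader :queries

  def initialize(objects)
    @objects = objects
    @queries = []
  end

  # Mimics a search for (objectSID=<sid>); returns the name or nil.
  def find_by_sid(sid)
    @queries << sid
    @objects[sid]
  end
end

class SidResolver
  # Sentinel so a cached miss can be told apart from a SID never seen.
  NOT_FOUND = Object.new.freeze

  def initialize(ldap)
    @ldap = ldap
    @cache = {}
  end

  # Resolve one SID to a display name, or nil if nothing in AD matches it.
  # Order matters: static special cases first, then the cache (hits and
  # misses), and only then a real directory query.
  def resolve(sid)
    return WELL_KNOWN_LOCAL_SIDS[sid] if WELL_KNOWN_LOCAL_SIDS.key?(sid)

    if @cache.key?(sid)
      cached = @cache[sid]
      return cached.equal?(NOT_FOUND) ? nil : cached
    end

    name = @ldap.find_by_sid(sid)
    @cache[sid] = name.nil? ? NOT_FOUND : name # negative-cache the miss too
    name
  end

  # Resolve every trustee SID from a batch of ACEs (e.g. the security
  # descriptors of several templates); returns sid => name, nil if orphaned.
  def resolve_all(ace_sids)
    ace_sids.each_with_object({}) { |sid, out| out[sid] = resolve(sid) }
  end
end

# Constructed directory contents; the domain SID comes from the PR's log lines.
DOMAIN = 'S-1-5-21-2324486357-3075865580-3606784161'
DIRECTORY = {
  "#{DOMAIN}-513"  => 'Domain Users',
  "#{DOMAIN}-1604" => 'svc-enroll'
  # -1603 is deliberately absent: the user was deleted but its SID stays in ACLs.
}.freeze

# Constructed ACE trustee list resembling the repeated lookups in the review.
SAMPLE_ACE_SIDS = [
  'S-1-5-18', "#{DOMAIN}-1603", "#{DOMAIN}-1603", "#{DOMAIN}-1604",
  'S-1-5-18', "#{DOMAIN}-513", "#{DOMAIN}-1603"
].freeze

# Runs the resolver over the sample ACEs; returns [names, queries_issued].
def demo
  ldap = FakeLdapClient.new(DIRECTORY)
  resolver = SidResolver.new(ldap)
  names = resolver.resolve_all(SAMPLE_ACE_SIDS)
  [names, ldap.queries]
end

if $PROGRAM_NAME == __FILE__
  names, queries = demo
  names.each { |sid, name| puts "#{sid} => #{name.inspect}" }
  puts "LDAP queries issued: #{queries.size} (#{queries.join(', ')})"
end
```

With seven ACE trustees the resolver issues three directory queries: S-1-5-18 is never sent to LDAP, and the orphaned -1603 SID is queried once and then answered from the negative cache, which is exactly the repetition the log excerpt above shows when no such cache exists.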

@jheysel-r7
Contributor

jheysel-r7 commented Aug 5, 2025

Release Notes

This update improves the ActiveDirectory mixin by skipping unnecessary LDAP lookups for the well-known local system SID (S-1-5-18). By handling it as a special case, repeated redundant queries are avoided, reducing noise in verbose logs and improving performance.

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Aug 12, 2025
@jheysel-r7 jheysel-r7 merged commit 4200f51 into rapid7:master Aug 12, 2025
51 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Aug 12, 2025

Labels: enhancement, rn-enhancement
