Don't look up the local system SID #20445

Open: wants to merge 1 commit into master

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Aug 1, 2025

This makes a small improvement to the new ActiveDirectory mixin when evaluating security descriptors. The local system SID S-1-5-18 won't be in AD and, because it wasn't matched as a special case until now, it would trigger multiple lookups in AD. The cache wasn't helping here because the object was never found in LDAP, so it wouldn't be added to the cache, causing it to be looked up in a query each time.

This fixes the issue by adding the SID as a special case. It's placed after the SID we're testing for, so if the user wants to explicitly test for the SID they still can; however, if it's anything else, we know the ACE won't be applied so we just skip the lookup. This can be noticed when running the ldap_esc_vulnerable_cert_finder module with the VERBOSE option set to true. Without this change there'd be a bunch of lookups, as seen by the `[*] Successfully queried (objectSID=S-1-5-18).` lines in the logs. Now, there are no queries for that particular SID.

Testing

  • Run the ldap_esc_vulnerable_cert_finder with VERBOSE=true and see that there's not a bunch of unnecessary LDAP queries

@jheysel-r7
Contributor

Looks great.

Testing

There were significantly fewer LDAP queries being run and this does fix the issue described in the PR.

I'll note some unrelated behavior I noticed while testing. The SID ending in 1603 was tied to a user account. This user account was added to the security descriptors of multiple certificate templates and was granted access to enroll. That user has since been deleted; however, the SID stays in the ACL, resulting in the following output:

```
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1604).
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-513).
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
[*] Successfully queried (objectSID=S-1-5-21-2324486357-3075865580-3606784161-1603).
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
```

I'll push up a fix for this separately 👍
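The following is an added example, not Metasploit's own code, that models two things discussed in this thread: the ordering in the PR description (explicit match first, then the well-known local system SID short-circuit, then the cached LDAP lookup) and the repeated lookups of the deleted account's SID noted in the review comment, which a negative cache for unresolved SIDs would avoid. The class names, the `FakeLdap` stand-in, the group-membership shape and the negative cache are all assumptions; the SIDs in it are constructed sample values.

```ruby
require 'set'

# Assumed stand-in for a directory: records every SID it is asked about so
# the lookup count can be checked, and returns nil for SIDs that do not exist.
class FakeLdap
  attr_reader :queries

  def initialize(objects)
    @objects = objects # sid => { members: [sids] } (constructed shape)
    @queries = []
  end

  def lookup(sid)
    @queries << sid
    @objects[sid]
  end
end

# Assumed evaluator deciding whether an ACE granted to ace_sid applies to test_sid.
class AceEvaluator
  LOCAL_SYSTEM_SID = 'S-1-5-18'.freeze

  def initialize(ldap)
    @ldap = ldap
    @cache = {}          # positive results only, as in the behaviour described in the PR
    @not_found = Set.new # assumed negative cache: SIDs LDAP already said do not exist
  end

  def ace_applies?(ace_sid, test_sid)
    # 1. An explicit match wins, so a caller may still test for S-1-5-18 itself.
    return true if ace_sid == test_sid
    # 2. Local system is never an AD object: skip the lookup entirely.
    return false if ace_sid == LOCAL_SYSTEM_SID
    # 3. Anything else is resolved through the cache (group membership check).
    obj = resolve(ace_sid)
    return false if obj.nil?

    obj[:members].include?(test_sid)
  end

  private

  # Caches hits and misses so a dangling SID (e.g. a deleted account left in
  # an ACL) is queried at most once instead of on every template.
  def resolve(sid)
    return @cache[sid] if @cache.key?(sid)
    return nil if @not_found.include?(sid)

    obj = @ldap.lookup(sid)
    obj ? (@cache[sid] = obj) : (@not_found << sid)
    obj
  end
end
```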

@jheysel-r7
Contributor

Release Notes

This update improves the ActiveDirectory mixin by skipping unnecessary LDAP lookups for the well-known local system SID (S-1-5-18). By handling it as a special case, repeated redundant queries are avoided, reducing noise in verbose logs and improving performance.

Labels: enhancement, rn-enhancement (release notes enhancement)