This technique is essentially an arbitrary application policy injection into an issued certificate, leveraging the weak constraints of V1 (schema version 1) certificate templates.
An operator submits a Certificate Signing Request (CSR) that includes an arbitrary Application Policy, such as Client Authentication or Certificate Request Agent, for which the V1 template is not intended.
Furthermore, the client can specify any subject attribute (CN, OU and so on) and any SAN, since Enrollee Supplies Subject is enabled (set to TRUE) on the template.
When the CA receives the CSR, it issues a new certificate based on the V1 template the client requested. The issued certificate contains both the Extended Key Usages (EKUs) from the template and the application policies defined in the CSR.
This means the issued certificate can be used for client authentication, such as Kerberos PKINIT or Schannel, or, with the Certificate Request Agent policy, to issue other certificates on behalf of any domain account.
For the latter, the operator must include the Certificate Request Agent policy in the CSR's Application Policies in order to receive a certificate that acts as an Enrollment Agent.
Requirements
CA not patched against CVE-2024-49019
Enrollee Supplies Subject: TRUE
Schema Version: 1
The controlled domain account has enrollment rights on the template
Abuse - UNIX-like
For instance, an attacker who controls a domain account with enrollment rights over a V1 certificate template that has Enrollee Supplies Subject enabled can submit a CSR containing an arbitrary application policy, such as Client Authentication or Certificate Request Agent, and obtain a certificate usable for domain account impersonation through PKINIT Pass-the-Certificate (PtC) or Schannel PtC.
Client Authentication
OID → 1.3.6.1.5.5.7.3.2
An adversary submits a CSR including a Client Authentication application policy to the CA in order to receive a certificate from a V1 template that contains both the template's EKUs and the injected application policy.
That is, given a V1 template with a Server Authentication EKU and Enrollee Supplies Subject enabled, the issued certificate will contain both the Server Authentication and Client Authentication application policies (EKUs).
Application Policy (Client Authentication) injection in a CSR to request a certificate from a V1 template with Enrollee Supplies Subject enabled
In this attack vector, an operator performs a PKINIT/Kerberos impersonation via Enrollment Agent abuse: a Certificate Request Agent policy is injected into the CSR submitted to the CA, and the issued certificate is then used to request a certificate for a privileged user.
Application Policy (Certificate Request Agent) injection in a CSR to request a certificate from a V1 template with Enrollee Supplies Subject enabled
Once the operator receives a certificate containing the Certificate Request Agent application policy, it can be used to request a certificate on behalf of any domain account, acting as an Enrollment Agent.
Certificate request on behalf of any domain account by leveraging the agent certificate
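The two vectors above (Client Authentication and Certificate Request Agent) share one detectable root cause: the CSR, and therefore the issued certificate, carries application policy OIDs that the V1 template's own EKU list never included. The following is an added, defender-side example and not code from the original page: it parses the Microsoft Application Policies extension value in pure Python, compares the requested policies against the template's EKUs, and flags the injected ones alongside the two template conditions listed under Requirements. The Application Policies extension OID (1.3.6.1.4.1.311.21.10) and the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) are Microsoft OIDs not given on the page; the template name and the request contents are constructed sample data.

```python
# Added defender-side example (not from the original page): parse the Microsoft
# Application Policies extension carried by a CSR or issued certificate and flag
# every policy OID the V1 template's own EKU list never intended.
# Pure-Python DER handling so it runs offline; all inputs below are constructed.

APP_POLICIES_EXT_OID = "1.3.6.1.4.1.311.21.10"  # szOID_APPLICATION_CERT_POLICIES (Microsoft OID, not on the page)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"               # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"               # id-kp-clientAuth (OID given on the page)
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent (Microsoft OID, not on the page)

# Constructed sample template: only Server Authentication intended, and both
# page-listed conditions (schema version 1, Enrollee Supplies Subject) present.
SAMPLE_TEMPLATE = {
    "name": "Example-WebServer-V1",  # placeholder name, not a real template
    "schema_version": 1,
    "enrollee_supplies_subject": True,
    "ekus": [SERVER_AUTH],
}


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bit on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for OIDs whose first arc is 0, 1 or 2 with second arc < 40."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_tlv(data: bytes, pos: int = 0):
    """Return (tag, body, position after this element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_application_policies(oids) -> bytes:
    """extnValue as a CSR carries it: SEQUENCE OF SEQUENCE { policyIdentifier OID }."""
    infos = b"".join(der_tlv(0x30, encode_oid(o)) for o in oids)
    return der_tlv(0x30, infos)


def parse_application_policies(extn_value: bytes) -> list:
    """Extract the policy OIDs; qualifiers, if any, are ignored for this check."""
    tag, body, _ = parse_tlv(extn_value)
    if tag != 0x30:
        raise ValueError("Application Policies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = parse_tlv(body, pos)
        oid_tag, oid_body, _ = parse_tlv(info)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


def find_unexpected_policies(extn_value: bytes, template_ekus) -> list:
    """Policies requested by the CSR that the template's EKU list does not cover."""
    allowed = set(template_ekus)
    return [o for o in parse_application_policies(extn_value) if o not in allowed]


def template_is_exposed(template: dict) -> bool:
    """Both page-listed template conditions hold."""
    return template["schema_version"] == 1 and bool(template["enrollee_supplies_subject"])


def assess_request(template: dict, extn_value: bytes) -> dict:
    unexpected = find_unexpected_policies(extn_value, template["ekus"])
    return {
        "template_exposed": template_is_exposed(template),
        "unexpected_policies": unexpected,
        "grants_client_auth": CLIENT_AUTH in unexpected,
        "grants_enrollment_agent": CERT_REQUEST_AGENT in unexpected,
    }


def demo() -> dict:
    # Constructed request: the template's EKU plus the two policies the page describes.
    requested = encode_application_policies([SERVER_AUTH, CLIENT_AUTH, CERT_REQUEST_AGENT])
    return assess_request(SAMPLE_TEMPLATE, requested)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the `extn_value` bytes come from the extension with OID 1.3.6.1.4.1.311.21.10 in a submitted CSR or in an issued certificate; any non-empty `unexpected_policies` on a template where `template_is_exposed` is true is the condition worth alerting on and the template worth migrating off schema version 1.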