Active Directory Certificate Services Misconfiguration Privilege Escalation - Any Purpose or No (aka SubCA) EKU Misconfiguration
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A misconfigured ADCS Certificate Template specifies the 'Any Purpose' EKU or no EKUs at all (i.e. a subCA certificate). The vulnerable template grants low-privileged users enrollment rights and lacks protective Issuance Requirements (e.g. requiring manager approval or an authorized signature).
An attacker can request a certificate from the vulnerable ADCS Certificate Template that could be utilized for virtually any purpose (Client Authentication, Code Signing, etc.). Additionally, with a SubCA certificate, an attacker could create and sign new certificates with any EKU and arbitrary certificate values, which could have significant implications for other applications in the environment. If the subordinate CA is trusted by the NTAuthCertificates object (it won't be by default), the attacker could create new certificates for domain authentication.
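The following audit helper is an added example (not code from the original page) that checks template attributes for the three conditions described above: an 'Any Purpose' or empty EKU list, enrollment rights granted to a low-privileged principal, and no manager-approval or authorized-signature requirement. It assumes the templates' attributes have already been read from the configuration partition into dicts; the `enroll_sids` field and the function names are hypothetical, standing in for SIDs extracted from the ACEs that grant the Certificate-Enrollment extended right.

```python
# Added audit helper (not from the original page). Assumes each template's
# attributes were already read from CN=Certificate Templates,CN=Public Key
# Services,CN=Services,CN=Configuration (e.g. over LDAP) into a dict, and that
# "enroll_sids" (an assumed field) holds the SIDs from nTSecurityDescriptor ACEs
# granting the Certificate-Enrollment extended right
# (0e10c968-78fb-11d2-90d4-00c04f79dc55).

ANY_PURPOSE_EKU = "2.5.29.37.0"           # 'Any Purpose' extended key usage OID
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002     # msPKI-Enrollment-Flag: manager approval

# Principals that mean "any low-privileged user/computer can enroll".
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}    # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}             # Domain Users, Domain Computers

def is_low_priv(sid: str) -> bool:
    """True for well-known or default domain groups every principal belongs to."""
    domain_rid = sid.rsplit("-", 1)[-1] if sid.startswith("S-1-5-21-") else ""
    return sid in LOW_PRIV_SIDS or domain_rid in LOW_PRIV_RIDS

def esc2_reasons(tpl: dict) -> list:
    """Return why a template matches the Any Purpose / no-EKU misconfiguration;
    an empty list means it does not match."""
    ekus = tpl.get("pKIExtendedKeyUsage", [])
    if ekus and ANY_PURPOSE_EKU not in ekus:
        return []                           # only specific EKUs: not this issue
    reasons = ["no EKU (SubCA-style)" if not ekus else "Any Purpose EKU"]
    enrollers = [s for s in tpl.get("enroll_sids", []) if is_low_priv(s)]
    if not enrollers:
        return []                           # no low-privileged enrollment rights
    reasons.append("low-privileged enrollment: " + ", ".join(enrollers))
    if tpl.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return []                           # manager approval blocks auto-issuance
    if tpl.get("msPKI-RA-Signature", 0) > 0:
        return []                           # an authorized signature is required
    reasons.append("no manager approval or authorized signature required")
    return reasons

def find_esc2_templates(templates: list) -> dict:
    """Map template CN -> reasons for every template that matches."""
    return {t["cn"]: r for t in templates if (r := esc2_reasons(t))}

# Constructed sample data (not real directory output) for a self-check.
SAMPLE_TEMPLATES = [
    {"cn": "SubCA-Copy", "pKIExtendedKeyUsage": [],
     "enroll_sids": ["S-1-5-21-1111-2222-3333-513"],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0},
    {"cn": "AnyPurpose-Approved", "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
     "enroll_sids": ["S-1-5-11"], "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0},
    {"cn": "User", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-11"], "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0},
]

if __name__ == "__main__":
    for name, reasons in find_esc2_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only `SubCA-Copy` is reported: the Any Purpose template is protected by manager approval, and the Client Authentication-only template is outside this misconfiguration.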