Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: AllExtendedRights Abuse Info is Incorrect #1016

Open
logangoins opened this issue Dec 13, 2024 · 0 comments
Open

Bug: AllExtendedRights Abuse Info is Incorrect #1016

logangoins opened this issue Dec 13, 2024 · 0 comments
Labels
bug Something isn't working ticketed (automation only) Ticket has been created internally for tracking

Comments

@logangoins
Copy link

logangoins commented Dec 13, 2024
edited
Loading

Description:

The AllExtendedRights abuse info in the Bloodhound documentation and UI showcase objects with an AllExtendedRights relationship being vulnerable to Resource-Based Constrained Delegation (RBCD), which is incorrect. An example is found here of the issue under the computer section: https://support.bloodhoundenterprise.io/hc/en-us/articles/17312860666267-AllExtendedRights. Write access to msDs-AllowedToActOnBehalfOfOtherIdentity is not permitted when configuring AllExtendedRights, restricting the exploitation of RBCD.

AllExtendedRights grants the affected object and configured principal access to the objects ExtendedRights, with a few examples defined in the Microsoft documentation here: https://learn.microsoft.com/en-us/windows/win32/adschema/extended-rights. ReadLAPSPassword for computer objects (if the computers have LAPS) would be a much more appropriate example in the abuse section.

Component(s) Affected:

  • UI
  • Documentation

Steps to Reproduce:

Bloodhound UI:

  1. Ingest an AllExtendedRights relationship through Bloodhound
  2. Click on the text for the relationship "AllExtendedRights" to open the help menu and abuse info.
  3. Note the abuse info on the right containing exploitation steps for RBCD on Windows and Linux platforms.

Documentation:

  1. Visit the docs on the AllExtendedRights edge case here: https://support.bloodhoundenterprise.io/hc/en-us/articles/17312860666267-AllExtendedRights
  2. Note under the computer category the mention of RBCD.

Screenshots/Code Snippets/Sample Files:

image
image
@logangoins logangoins added bug Something isn't working triage This issue requires triaging labels Dec 13, 2024
@StephenHinck StephenHinck added ticketed (automation only) Ticket has been created internally for tracking and removed triage This issue requires triaging labels Dec 13, 2024
@JonasBK JonasBK mentioned this issue Dec 16, 2024
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working ticketed (automation only) Ticket has been created internally for tracking
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@StephenHinck @logangoins