21. In internal network domain penetration, what are the utilisation conditions and the principle of the latest CVE-2022-26923 ADCS privilege escalation vulnerability? What are its advantages compared to the earlier ESC8 vulnerability?
ADCS handles certificate requests and issues certificates for users and devices. When processing certificate requests, ADCS determines certificate attributes (such as validity period and algorithms used) based on the information in the request.
This vulnerability exists because ADCS fails to properly validate certain properties in specially crafted certificate requests. An attacker can create a malicious certificate request containing an executable payload and submit it to the ADCS server. When ADCS processes this request, it parses and executes the payload, allowing the attacker to escalate privileges and execute malicious code.
ESC8 (CVE-2021-40444) is a vulnerability affecting Windows Security Centre that can be exploited by sending a specially crafted message. In contrast, CVE-2022-26923 specifically targets the ADCS service and has more specific exploitation conditions.
ESC8 requires the attacker to have network access to the target device, whereas CVE-2022-26923 requires network access to the ADCS server. This means that although both require network access, the exploitation scope of CVE-2022-26923 may be narrower.
ESC8 is a remote code execution vulnerability, while CVE-2022-26923 is a privilege escalation vulnerability. Thus, ESC8 can directly execute malicious code, whereas CVE-2022-26923 first requires some level of access before it can be used to escalate privileges.