ADSelfService Plus version 4.3.3 PoC for an authentication bypass on Windows 10. Affects all versions of Windows
PoC Video
Steps to reproduce
- Disconnect from your enterprise network
- Connect to your own hotspot
- Click on reset password; the thick client's embedded browser should error out with a 404, since the password reset web application is hosted on the intranet
- Click on "search for this site", which opens a new Internet Explorer window
- Press Ctrl+S to open a file explorer dialog and browse to c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- A SYSTEM shell is obtained without any authentication
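An added detection example, not part of the original PoC: it flags the process chain the steps above produce on an endpoint, assuming process-creation telemetry with Sysmon-style Image/ParentImage/User fields and that the shell is spawned with iexplore.exe as its parent while still running as SYSTEM; the sample events are constructed.

```python
from typing import Iterable

# Shell binaries worth alerting on when they appear at the logon screen.
INTERACTIVE_SHELLS = {"powershell.exe", "cmd.exe", "pwsh.exe"}
# Assumption: the IE window opened by the client is the parent of the shell.
BROWSER_PARENT = "iexplore.exe"
SYSTEM_ACCOUNT = "nt authority\\system"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_logon_screen_shell(event: dict) -> bool:
    """True when an interactive shell is started by Internet Explorer as SYSTEM."""
    return (basename(event.get("Image", "")) in INTERACTIVE_SHELLS
            and basename(event.get("ParentImage", "")) == BROWSER_PARENT
            and event.get("User", "").lower() == SYSTEM_ACCOUNT)


def find_logon_screen_shells(events: Iterable[dict]) -> list:
    """Return every event that matches the pre-authentication shell pattern."""
    return [e for e in events if is_logon_screen_shell(e)]


# Constructed sample events (Sysmon Event ID 1 style field names, not real telemetry).
SAMPLE_EVENTS = [
    # Benign on its own: IE opened at the logon screen (parent name is a placeholder).
    {"ProcessId": 3120, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\LogonUI.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Suspicious: PowerShell launched from IE while still running as SYSTEM.
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Benign: an administrator opening PowerShell from Explorer in their own session.
    {"ProcessId": 5208, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jsmith"},
    # Odd but not this pattern: cmd.exe from IE under a normal user account.
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"CORP\jsmith"},
]

if __name__ == "__main__":
    for hit in find_logon_screen_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} {hit['Image']} "
              f"spawned by {hit['ParentImage']} as {hit['User']}")
```

The same rule can be expressed in your EDR or SIEM query language; the point is the parent/child/account triple, not the Python.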
Fix
Update to the latest version, 5.0.6.