The Schannel vulnerability MS14-066 details

The BeyondTrust blog has the details.

MS14-066 was patched on November's Patch Tuesday (Nov 11), and here are the details:

Unfortunately for machines that are not patched regularly, the Microsoft patch allows a reverse engineer to figure out what was patched and then create a hack / proof of concept (POC).


We can now see that the added logic controls a path to a memcpy (actually two memcpys — they wouldn’t both fit in the screenshot). This is an indication that we are looking in the right place. (Source: http://blog.beyondtrust.com/triggering-ms14-066)

That is the starting point for the POC.

…..  more analysis ….


Final result:

So all we really need to do is edit s3_clnt.c to randomly change one byte in ‘p’ to a random value before sending our certificate verify message back to IIS over and over again and wait until something cool happens (i.e. a crashing memcpy).
