1. 漏洞的起因
2. 漏洞原理分析
3. 漏洞的影响范围
4. 漏洞的利用场景
5. 漏洞的POC、测试方法
6. 漏洞的修复Patch情况
7. 如何避免此类漏洞继续出现

The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing. Schannel is part of the security package that helps provide an authentication service to provide secure communications between client and server.

https://technet.microsoft.com/en-us/library/security/dn848375.aspx#Schannel
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6321
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321
https://technet.microsoft.com/library/security/ms14-066
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321

1. WEB浏览器和WEB Server之间的HTTPS通信
2. Active Directory的身份认证
3. Secure Channel是Secure Channel Security Package代码库中的一个功能模块，主要负责提供client和server之间的身份认证服务，即，它是处理Secure Channel中和网络认证数据包有关的这部分逻辑

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2014/11/11/it-s-time-to-update-your-secure-channel-ms14-066-cve-2014-6321.aspx
http://msdn.microsoft.com/en-us/library/aa380123(VS.85).aspx

C:\WINDOWS\system32\schannel.dll

1. schannel.dll中和SSL/TLS会话数据包(非握手)的处理相关的API对数据包中的某些字段的处理流支存在缓冲区溢出相关漏洞
2. 要完成最终的POC，黑客需要进行数据包构造，这是一种数据包字段型的畸形攻击
3. 最终的POC转换为攻击还需要黑客在数据包中构造buf overflow所需要的特定shellcode

An attacker who successfully exploited this vulnerability could run arbitrary code on a target server.

1. Enhanced Protected Mode (EPM) sandbox in IE 11
2. Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool 

wmic datafile where name="C:\\Windows\\System32\\schannel.dll" get version

Schannel.dll    5.2.3790.5462  

Schannel.dll    5.2.3790.5462  

Schannel.dll    6.0.6002.19193

Schannel.dll    6.2.9200.17124

Schannel.dll    6.3.9600.17385

Windows2003   32位 中文版 补丁
http://www.microsoft.com/zh-CN/download/details.aspx?id=44649
Windows2003   32位 英文版 补丁
http://www.microsoft.com/en-us/download/details.aspx?id=44649
Windows2003   64位中文版 补丁
http://www.microsoft.com/zh-CN/download/details.aspx?id=44606
Windows2003   64 英文版 位补丁
http://www.microsoft.com/en-us/download/details.aspx?id=44606
Windows2008   32位 英文版 补丁
http://www.microsoft.com/en-us/download/details.aspx?id=44645
Windows2008   32位 中文版 补丁
http://www.microsoft.com/zh-CN/download/details.aspx?id=44645
Windows2008  64位  英文版 补丁
http://www.microsoft.com/en-us/download/details.aspx?id=44631
Windows2008  64位  中文版 补丁
http://www.microsoft.com/zh-CN/download/details.aspx?id=44631
Windows2008  R2 64位  中文版 补丁
http://www.microsoft.com/zh-CN/download/details.aspx?id=44618
Windows2008  R2 64位  英文版 补丁
http://www.microsoft.com/en-us/download/details.aspx?id=44618

http://bbs.aliyun.com/read.php?tid=182074&displayMode=1&page=1&toread=1#tpc

1. 自动根据操作系统版本下载对应的update修复补丁程序：从集团内部FTP上下载1) all server 2003: WindowsServer2003-KB2992611.exe2) all Windows Server 2008: WindowsServer2008-KB2992611.msu3) all Windows Server 2008 R2: WindowsServer2008-R2-KB2992611.msu4) all Windows Server 2012: WindowsServer2012-KB2992611.msu5) all Windows Server 2012 R2: WindowsServer2012-R2-KB2992611.msu
1. 自动进行静默、非重启安装
因为这次的漏洞的源头是那个DLL文件，它被加载到了LSASS系统常驻进程里面，我们安装修复补丁程序只是在进行磁盘上的DLL文件替换，要真正使本次升级生效，还需要对LSASS系统进程进行RELOAD，也就相当于重启了

#if (defined _WIN32 || defined __WIN32__)
#include <windows.h>
#endif#include <stdio.h>
#include <io.h>
#include <curl/curl.h>
#include <curl/easy.h>using namespace std;size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream)
{size_t written = fwrite(ptr, size, nmemb, stream);return written;
}/*
parameters:
url: 下载链接
outfilename: 要保存的文件路径
*/
void installUpdate(char * url, char * filename)
{//1. 下载升级程序文件CURL *curl;FILE *fp;CURLcode res;char* outfilename = filename;char* parame = " /quiet /norestart";char cmdline[128] = {0};memcpy(cmdline, filename, 128);strcat(cmdline, parame);//char *url = "http://localhost/aaa.txt";//char outfilename[FILENAME_MAX] = "C:\\bbb.txt";curl = curl_easy_init();if (curl){fp = fopen(outfilename,"wb");curl_easy_setopt(curl, CURLOPT_URL, url);curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);res = curl_easy_perform(curl);/* always cleanup */curl_easy_cleanup(curl);fclose(fp);}//2. 检查是否下载成功if ( !access(outfilename, 0) ){printf("update file download succussfully！\n");//3. 执行静默安装
        system(cmdline);}else{printf("update file download faild！\n");}return;
}/*
判断
return:
x64 = 1: 64位
x64 = 0: 32位
*/
int getPlatForm()
{unsigned short x64 = 0;#if defined(_MSC_VER)// vs
        __asm mov x64,gs#else// gccasm("mov %%gs, %0" : "=r"(x64));#endif//printf("In x%s OS\n", x64 ? "64" : "86");return x64;
}/*
判断操作系统的版本、32/64
*/
int GetOSVer()
{OSVERSIONINFO osver;osver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);GetVersionEx(&osver);if(osver.dwPlatformId == 2){//1. windows server 2003if(osver.dwMajorVersion ==  5 && osver.dwMinorVersion == 2){printf("windows server 2003\n");//32位if(getPlatForm() == 0){installUpdate("http://xxxx/WindowsServer2003-KB2992611-32.exe", "WindowsServer2003-KB2992611-32.exe");}//64位else{installUpdate("http://xxxx/WindowsServer2003-KB2992611-64", "WindowsServer2003-KB2992611-64");}return(1);}//2. windows server 2008if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 0){printf("windows server 2008\n");//32位if(getPlatForm() == 0){installUpdate("http://xxxx/WindowsServer2008-KB2992611-32.msu", "WindowsServer2008-KB2992611-32.msu");}//64位else{installUpdate("http://xxxx/WindowsServer2008-KB2992611-64.msu", "WindowsServer2008-KB2992611-64.msu");}return(1);}//3. windows server 2008 R2if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 1){printf("windows server 2008 R2\n");//32位if(getPlatForm() == 0){}//64位else{installUpdate("xxxx/WindowsServer2008-R2-KB2992611-64.msu", "WindowsServer2008-R2-KB2992611-64.msu");}return(1);}//4. windows server 2012if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 2){printf("windows server 2012\n");//32位if(getPlatForm() == 0){}//64位else{//installUpdate("xxxx/WindowsServer2012-KB2992611.msu", "WindowsServer2012-KB2992611.msu");
            }return(1);}//5. windows server 2012 R2if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 3){printf("windows server 2012 R2\n");//32位if(getPlatForm() == 0){}//64位else{//installUpdate("xxxx/WindowsServer2012-R2-KB2992611.msu", "WindowsServer2012-R2-KB2992611.msu");
            }return(1);}}return 0;
}int main(int argc, char* argv[])
{#ifdef _WIN32printf("Hello: %d", GetOSVer());#endif#ifdef _UNIX#endif#ifdef _LINUX#endifreturn 0;
}

1. windows server 2003 32:
2. windows server 2003 64: 测试通过3. windows server 2008 32:
4. windows server 2008 64: 测试通过5. windows server 2008 R2 32:
6. windows server 2008 R2 64: 7. windows server 2012 32:
8. windows server 2012 64: 9. windows server 2012 R2 32:
10. windows server 2012 R2 64: 

http://files.cnblogs.com/LittleHann/vulfix.rar