GitHub removed ProxyLogon exploit and has been criticized

GitHub removed the ProxyLogon exploit

The administration of the GitHub service has removed a real, working exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, and information security specialists have sharply criticized GitHub for doing so.

Yesterday we wrote that an independent information security researcher from Vietnam had published on GitHub the first real PoC exploit for the serious set of ProxyLogon vulnerabilities recently discovered in Microsoft Exchange. The exploit was confirmed as working by renowned experts including Marcus Hutchins of Kryptos Logic, Daniel Card of PwnDefend and John Wettington of Condition Black.

At the same time, many experts noted that publicly releasing a PoC exploit right now is an extremely dubious step. For example, Praetorian was recently criticized severely for a much less harmful “misconduct”: its specialists only published a detailed technical overview of the ProxyLogon vulnerabilities and refrained from releasing their own exploit.

The point is that at least ten hacking groups are currently exploiting the ProxyLogon bugs to install backdoors on Exchange servers around the world. According to various estimates, the number of affected companies and organizations has already reached 30,000-100,000, and both the number of victims and the number of attackers continue to grow.

Given the seriousness of the situation, the exploit was removed from GitHub by the service's administration within a few hours of its publication. In response, some members of the information security community were furious and immediately accused Microsoft of censoring content of vital interest to security professionals around the world.

For example, many researchers say that GitHub applies a double standard: it allows the company to host PoC exploits that help fix vulnerabilities affecting other companies' software, while similar PoCs for Microsoft products are removed.

“Wow. I have no words. Microsoft has indeed removed the PoC code from GitHub. It is monstrous to remove the security researcher code from GitHub aimed at their own product, which has already received the patches,” Dave Kennedy, founder of TrustedSec, wrote on Twitter.

On the same social network, Google Project Zero expert Tavis Ormandy argued with Marcus Hutchins. Hutchins said he did not quite understand what benefit publishing a working RCE exploit could bring to anyone, to which Ormandy replied:

“Is there a benefit to Metasploit, or is literally everyone who uses it a script kiddie? Unfortunately, it is impossible to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe that the benefits outweigh the risks.”

In turn, Hutchins writes that the argument that the vulnerabilities are already fixed is untenable, since about 50,000 servers around the world are still vulnerable.

“Patches are out now. Dude, there are over 50,000 unpatched Exchange servers. Releasing a fully operational RCE chain is not security research, it is pure stupidity. I’ve seen GitHub remove malicious code before, and not just code that targets Microsoft products. I highly doubt MS played any role in this removal; the [exploit] was simply violating GitHub’s active malware/exploit policy, as it only appeared recently and a huge number of servers are under threat of ransomware attacks,” says Hutchins.

GitHub told reporters that the exploit certainly had educational and research value for the community, but that the company has to maintain a balance and be mindful of the need to keep the broader ecosystem safe. Therefore, in accordance with the rules of the service, the exploit for a recently disclosed vulnerability that is currently being actively exploited in attacks was removed from public view.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
