GitHub removed ProxyLogon exploit and has been criticized

GitHub removed the ProxyLogon exploit

The administration of the GitHub service has removed a real, working exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, and information security specialists have sharply criticized GitHub for doing so.

Yesterday we wrote that an independent information security researcher from Vietnam published on GitHub the first real PoC exploit for a serious set of ProxyLogon vulnerabilities recently discovered in Microsoft Exchange. This exploit has been confirmed by renowned experts, including Marcus Hutchins from Kryptos Logic, Daniel Card from PwnDefend, and John Wettington from Condition Black.

At the same time, many experts noted that publicly releasing a PoC exploit at this moment is an extremely dubious step. For example, Praetorian was recently severely criticized for a much less harmful “misconduct”: its specialists only published a detailed overview of the ProxyLogon vulnerabilities and refrained from releasing their exploit.

The point is that at least ten hacking groups are exploiting the ProxyLogon bugs to install backdoors on Exchange servers worldwide. According to various estimates, the number of affected companies and organizations has already reached 30,000-100,000, and both the number of victims and the number of attackers continue to grow.


Given the seriousness of the situation, the exploit was removed from GitHub by the service's administration within a few hours of its publication. Because of this, some members of the information security community were furious and immediately accused Microsoft of censoring content of vital interest to security professionals worldwide.

For example, many researchers say that GitHub adheres to a double standard: the company allows PoC exploits for vulnerabilities affecting other vendors' software to be hosted and used for fixing them, while similar PoCs for Microsoft products are removed.

“Wow. I have no words. Microsoft has indeed removed the PoC code from GitHub. It is monstrous to remove a security researcher's code from GitHub aimed at their own product, which has already received the patches,” Dave Kennedy, founder of TrustedSec, wrote on Twitter.

On the same social network, Google Project Zero expert Tavis Ormandy argued with Marcus Hutchins. The latter said that he does not quite understand what benefit publishing a working RCE exploit could bring to anyone, to which Ormandy replied:

“Is there a benefit to Metasploit, or is it that everyone who uses it is a script kiddie? Unfortunately, sharing research and tools with professionals is impossible without sharing it with attackers, but many people (like me) believe that the benefits outweigh the risks.”

In turn, Hutchins wrote that the argument about the vulnerabilities already being fixed is untenable, since about 50,000 servers worldwide are still vulnerable.

“Patches are out now. Dude, there are over 50,000 unpatched Exchange servers. Releasing a fully operational RCE chain is not security research, it is pure stupidity. I’ve seen GitHub remove malicious code before, not just code targeting Microsoft products. I highly doubt MS played any role in this removal; the [exploit] was violating GitHub’s active malware/exploit policy, as it only appeared recently. A huge number of servers are under threat of ransomware attacks,” says Hutchins.

GitHub told reporters that the exploit certainly had educational and research value for the community, but that the company has to maintain a balance and be mindful of the need to keep the broader ecosystem safe. Therefore, in accordance with the rules of the service, the exploit for a recently disclosed vulnerability that is currently being actively used in attacks was removed from public view.

By Vladimir Krasnogolovy
