As mentioned in the previous blog article, thousands of on-premises Microsoft Exchange Servers were compromised by state-sponsored attackers. The attackers exploited “ProxyLogon”, a set of zero-day vulnerabilities within the software for these servers. On March 11, Dan Goodin of Ars Technica noted that ProxyLogon’s existence resulted in as many as 100,000 Exchange Server infections. Goodin also mentioned a controversy regarding the code for a proof-of-concept (PoC) exploit against ProxyLogon. The code of the exploit was posted on GitHub, a code repository website owned by Microsoft. However, GitHub removed the exploit hours after it was posted. Some cybersecurity researchers have criticized Microsoft and GitHub for removing the exploit, while others have defended the removal because thousands of servers were still vulnerable to ProxyLogon. This blog article will shed some light on what PoC exploits are, why they are important to the cybersecurity community, and why researchers criticized or defended GitHub.
There are several definitions of “exploit” as a cybersecurity term. According to the Cybersecurity Glossary of the National Initiative for Cybersecurity Careers and Studies (NICCS), an exploit is a “technique to breach the security of a network or information system in violation of security policy.” According to Cisco, an exploit is “a program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an application or computer system.” In a general sense, an exploit is an attack that leverages a specific vulnerability in software or hardware to help the attacker compromise a system.
A PoC exploit is a program or piece of code that uses a vulnerability solely to demonstrate that it can be exploited. Cybersecurity researchers write PoC exploits to show how specific vulnerabilities can be exploited. The end goal is to prove that a vulnerability exists so that the cybersecurity community can learn about it and the developers of the vulnerable software can fix it. However, even though researchers and white hat hackers use PoC exploits for benevolent purposes, cybercriminals can modify them and use them to carry out real, non-demonstrative cyberattacks.
Lorenzo Franceschi-Bicchierai of Vice provided more insight into the removal of the PoC exploit for ProxyLogon. According to the PoC exploit’s author, Nguyen Jang, the PoC exploit was not fully functional but could have been turned into a real exploit with a few tweaks to the source code. Someone with the tweaked version could then use it to exploit ProxyLogon and compromise vulnerable servers. GitHub removed the PoC code from their website precisely because ProxyLogon was being actively exploited against thousands of Microsoft Exchange Servers.
GitHub’s removal of the PoC exploit is just one part of an ongoing debate within the cybersecurity community. Lindsey O’Donnell of Threatpost discussed the results of a poll about PoC exploits that was opened on January 17, 2020. O’Donnell mentioned that 60% of 230 security pundits supported the publication of PoC exploits for zero-day vulnerabilities. Thus, the majority of the cybersecurity community seems to support PoC exploit publication.
Publishing PoC exploits has advantages and disadvantages for security as a whole. PoC exploits help defenders learn whether their systems are vulnerable and encourage them to apply security patches as soon as possible. However, they can also increase the number of cyberattacks. Many cybercriminals do not write all of their own code; instead, they find and adapt existing code to suit their needs. Preventing PoC exploits from being published does not prevent cyberattacks, but publishing them does lower the bar for entry and so increases the number of potential attackers. If defenders are slow to apply patches, or developers are slow to publish them, defenders face greater risk when PoC exploits are published. Ultimately, PoC exploits are a double-edged sword: beneficial for cybersecurity research and defense as a whole, yet easily repurposed by attackers. One way to balance the needs of the research community against the needs of potential victims is to withhold publication until the vulnerability is no longer a zero-day under active exploitation and most potential victims have had the chance to apply the relevant security patches. Potential victims then face less risk, while researchers still benefit from the insight the PoC exploit provides.