A few days ago Microsoft drew strong criticism from many developers after GitHub deleted the code of an Exchange exploit. For many the removal might seem the most logical step, but the real problem is that it was a proof-of-concept (PoC) exploit for already-patched vulnerabilities, and such PoCs are standard practice among security researchers.
They help researchers understand how attacks work so they can build better defenses. The action outraged many security researchers, since the exploit prototype was published after the patch had been released, which is common practice.
GitHub's rules contain a clause that prohibits hosting active malicious code or exploits (that is, code that attacks users' systems) in repositories, as well as using GitHub as a platform to deliver exploits and malicious code in the course of attacks.
However, this rule had not previously been applied to code prototypes published by researchers to analyze attack methods after the vendor had released a patch.
Since such code is generally not removed, GitHub's action was perceived as Microsoft using an administrative resource to block information about a vulnerability in its own product.
Critics accused Microsoft of applying a double standard and of censoring content of great interest to the security research community simply because that content was detrimental to Microsoft's interests.
According to a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified and the benefits outweigh the risk, since there is no way to share research results with other specialists that also keeps the information from falling into the hands of attackers.
A Kryptos Logic researcher argued the opposite, pointing out that in a situation where there are still more than 50 thousand out-of-date Microsoft Exchange servers on the network, publishing exploit prototypes ready to carry out attacks seems dubious.
The harm that early release of exploits can cause outweighs the benefit to security researchers, since such exploits endanger a large number of servers on which the updates have not yet been installed.
GitHub representatives described the removal as a violation of the service's rules (the Acceptable Use Policies) and said that they understand the importance of publishing exploit prototypes for educational and research purposes, but also understand the damage they can cause in the hands of attackers.
GitHub therefore tries to find the optimal balance between the interests of the security research community and the protection of potential victims. In this case, it concluded that publishing an exploit suitable for attacks while a large number of systems remain unpatched violates GitHub's rules.
It is noteworthy that the attacks began in January, well before the release of the patch and the disclosure of information about the vulnerability (a zero-day). Before the exploit prototype was published, about 100 servers had already been attacked and had a backdoor for remote control installed on them.
The removed GitHub exploit prototype demonstrated the CVE-2021-26855 (ProxyLogon) vulnerability, which allows data of an arbitrary user to be extracted without authentication. In combination with CVE-2021-27065, the vulnerability also allowed arbitrary code to be run on the server with administrator rights.
Not all exploits were removed; for example, a simplified version of another exploit, developed by the GreyOrder team, remains on GitHub.
A note attached to that exploit indicates that the original GreyOrder exploit was removed after additional functionality was added to the code to enumerate users on the mail server, which could be used to carry out mass attacks against companies using Microsoft Exchange.