Criticism of Microsoft after the removal of a prototype exploit for Microsoft Exchange from GitHub

Microsoft has had the code of a prototype exploit demonstrating the principle of a critical vulnerability in Microsoft Exchange removed from GitHub (a copy survives elsewhere). The action caused outrage among many security researchers, since the exploit prototype was published only after the patch was released, which is common practice.

GitHub's rules contain a clause prohibiting the hosting of active malicious code or exploits (that is, code that attacks user systems) in repositories, as well as the use of GitHub as a platform for delivering exploits and malware in the course of carrying out attacks. Until now, however, this rule had not been applied to proof-of-concept code hosted by researchers and published for the analysis of attack methods after the vendor had released a patch.

Since such code is usually not removed, GitHub's action was perceived as Microsoft using its administrative leverage to block information about a vulnerability in its own product. Critics accused Microsoft of double standards and of censoring content of great interest to the security research community simply because that content is detrimental to Microsoft's interests. According to a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified and its benefits outweigh the risks, since there is no way to share research results with other specialists without that information also reaching attackers.

A researcher from Kryptos Logic objected, pointing out that in a situation where more than 50 unpatched Microsoft Exchange servers are still reachable online, publishing attack-ready exploit prototypes looks questionable. The harm that early publication of exploits can cause outweighs the benefit to security researchers, since such exploits endanger a large number of servers whose operators have not yet had time to install the updates.

GitHub representatives described the removal as a response to a violation of the terms of service (Acceptable Use Policies). They stated that they understand the importance of publishing exploit prototypes for research and educational purposes, but also recognize the damage such code can cause in the hands of attackers. GitHub is therefore trying to strike a balance between the interests of the security research community and the protection of potential victims. In this case, publishing an exploit usable for real attacks while a large number of systems remained unpatched was deemed a violation of GitHub's rules.

It is noteworthy that the attacks began back in January, long before the patch was released and the vulnerability was disclosed (that is, as a 0-day). Before the exploit prototype was published, about 100 servers had already been compromised and fitted with a backdoor for remote control.

The exploit prototype removed from GitHub demonstrated the CVE-2021-26855 (ProxyLogon) vulnerability, which allows arbitrary user data to be extracted without authentication. Chained with CVE-2021-27065, the vulnerability also allowed code execution on the server with administrative privileges.

Not all exploits were removed; for example, a simplified version of another exploit, developed by the GreyOrder team, remains on GitHub. A note accompanying that exploit states that the original GreyOrder exploit was removed after functionality was added to it for enumerating users on the mail server, which could have been used to launch mass attacks on companies running Microsoft Exchange.

Source: opennet.ru