New research suggests thousands of PoCs could be dangerous

Malicious proof-of-concepts are exposing GitHub users to malware and more

Malicious proof-of-concepts (PoCs) are potentially exposing GitHub users to malware and other malfeasance, researchers have found.

In a paper titled ‘How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub’, researchers from Leiden University in the Netherlands recently detailed how thousands of PoCs for known vulnerabilities contain dangerous elements that do more than billed.

Instead of performing an innocuous operation, these exploits could open the door to potential attack.

Qualitative and quantitative

The team – Soufian El Yadmani, Robin The, and Olga Gadyatskaya – collected publicly available PoCs shared on GitHub for CVEs discovered between 2017 and 2021.

In total they studied 47,313 repositories that contained PoCs for at least one CVE from the target period, in what they called “the first large-scale qualitative and quantitative investigation of malicious PoCs”.

They found that of the 47,313 GitHub repositories they had downloaded and checked, 4,893 (10.3%) were malicious.

Read more of the latest web security research

“The purpose of our research was to investigate how big the problem of fake and malicious PoCs for CVE exploits is, since it is our understanding that this is a problem that hasn’t been tackled by anyone before,” El Yadmani told The Daily Swig.

“As a researcher and senior security researcher at Darktrace myself, we rely on sources like GitHub and Exploit-DB for these kinds of PoCs since the knowledge shared by other researchers speaks the same language as we do, which is programming.

“About a year ago I noticed that the topic of malicious PoCs was increasingly spoken about on Twitter, but it was only about specific cases, and it was not clear how large the problem actually was.

“Since there was no clear indication of how many PoCs were malicious, we chose to investigate the issue ourselves.”

Impressive variety

El Yadmani told The Daily Swig that the most interesting finding was the variation in fake and malicious PoCs that the team encountered.

“In some the attackers were trying to plant malware on users’ machines, while in others, they tried to open backdoors using CobaltStrike, for example,” he said.

“What’s surprising is that in some cases we found fake and harmless PoCs that included memes; the most interesting finding was that some of these people invested a lot of time in their PoCs, while their only purpose was to educate the community about how they should not blindly trust PoCs from other people.”

Impact radius

The research paper (PDF) also goes on to lay out recommendations for detecting malicious PoCs by analysing source code for malicious calls to servers as well as extracting hexadecimal payloads and Base64-encoded scripts that contains malicious instructions, “which could be exfiltrating information, downloading malicious files from the internet or containing a backdoor”.

“Ignoring this problem can cause damage that ranges from infecting yourself as [a] user, to infecting your company and likely your customers as well if it’s a more sophisticated attack,” El Yadmani warned.

“Pen testers and developers should always read the code before running it, but in CVE PoCs it can be tricky and challenging in some cases.

“That’s why we wanted to introduce an approach that helps [with] detecting suspicious behaviors in PoCs, automatically. We also want to invest more time in suggesting automated solutions that can help flagging malicious PoCs.

“Our research is also an invitation to other researchers, either in academia or [the] industry, to invest more time in producing solutions for this problem.”

YOU MAY ALSO LIKE Hyped OpenSSL vulnerability downgraded to ‘high’ severity