Stats & Trends
David Bisson
Sep 2018

From PoC to Pwned: New Exploits Appear in Attacks Just Days After Disclosure


Two recent examples show digital attackers waste no time in leveraging PoCs for software vulnerabilities.

Recently, I  identified five Microsoft Office vulnerabilities from 2017 and 2018 that helped fuel an ongoing wave of attack campaigns. The security weaknesses were zero-days at the time of their discovery, meaning malefactors had plenty of time to write exploit code and incorporate it into their attack campaigns. Microsoft subsequently patched the bugs, but those fixes haven’t stopped attackers from abusing the flaws anyway.

Of course, digital attackers can also be more opportunistic. Sometimes, they merely craft exploit code based on a proof-of-concepts (PoC) released by researchers.

Trend Micro defines a proof-of-concept threat as "the earliest implementation of a threat and usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities." Under responsible disclosure, security researchers privately provide a working PoC of a newly discovered vulnerability to a security vendor. This means of disclosure enables the company to develop a patch and time its public release with the researcher’s publication of the flaw.

But disclosure doesn’t always work like this. For various reasons, security researchers sometimes decide to publicly announce their PoC without the cooperation of the affected security vendor. The public disclosure of a PoC immediately puts pressure on the vendor to develop a patch and for organizations to protect themselves either with an official fix or with mitigation steps. It also spurs digital attackers to incorporate the PoC into attack campaigns and leverage it against as many users as possible before a patch is released. Unfortunately, it doesn’t usually take long for nefarious individuals to incorporate a PoC into their attacks. This holds true even when multiple PoCs are disclosed around the same time.

Don’t believe me? Provided below is the story of two PoCs that came out just a couple days apart from one another and how digital attackers jumped on these disclosures to launch new attack campaigns.

CVE-2018-11776: RCE vulnerability for Apache Struts

On 22 August, the Apache Software Foundation revealed a vulnerability in Apache Struts, an open source platform used for developing web applications in Java. Discovered by Semmle security researcher Man Yue Mo, the flaw (CVE-2018-11776) enables bad actors to perform a remote code execution (RCE) attack when dealing with results that lack a namespace value, upper configurations that lack or have a wildcard namespace or url tags that don’t have their value and action set. The bug affected all supported versions of Apache Struts 2.

Man Yue Mo disclosed the vulnerability on the same day that the Apache Software Foundation deployed fixes in Apache Struts versions 2.3.35 or 2.5.17. This gave admins an opportunity to implement the fixes or mitigate the vulnerabilities by setting namespace for their defined results in all configurations and value and action for URL tags.

It didn’t give them too much time, however.

On 24 August, a PoC for the flaw made its way onto a GitHub repository. It was then just a few days later that Volexity observed the first few attempts by attackers to break into vulnerable Apache Struts versions and download a cryptocurrency miner onto the underlying server. Those early attacks were small in scale and did not resort to indiscriminate exploitation. As noted by Palto Alto Networks, this could be because Struts apps in their default configs are not vulnerable to CVE-2018-11776, which makes the effort to attack not worthwhile for many criminals. Nevertheless, that didn’t stop bad actors from jumping on the PoC and from scanning for older vulnerabilities in Apache Struts.

CVE-2018-8440: Local Windows ALPC Privilege Escalation Vulnerability

On 27 August, researcher SandboxEscaper tweeted out a local privilege escalation exploit for Windows (her Twitter profile is no longer live at the time of this writing). She also uploaded a PoC to her GitHub repository.

Information security expert Kevin Beaumont subsequently took a look at the PoC and uploaded it to GitHub himself for easier analysis. His examination and SandboxEscaper's original description traced the flaw to Advanced Local Procedure Call (ALPC), an interface through which a local user can obtain system privileges:

_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer related dll and use it as a hijacking vector. This is ofcourse one of many options to abuse this [sic].

What makes this vulnerability troubling is the fact that _SchRpcSetSecurity doesn’t check for permissions, which allows even guests to call it and set file permissions on anything locally. With elevated privileges, a local attacker can do loads of bad things.

On 30 August, Acros Security published a micropatch that prevented exploitation of the zero-day. Microsoft followed up with an official patch for the flaw in its September Patch Tuesday updates released on September 11, but not before a variation of the PoC exploit code was spotted being used in targeted attack campaigns just two days following SandboxEscaper’s initial tweet.

Not an Unusual Case

Two PoCs coming out within days of one another and being immediately incorporated into attack campaigns isn’t exceptional. To stay abreast of these disclosures and protect themselves against opportunist attackers, infosec personnel should use threat intelligence and other means to stay informed of the latest PoCs that introduce risk into their organizations. They should then prioritize the weaknesses that these PoCs abuse, create a dynamic patching schedule, and implement security best practices to keep their organizations safe. 

Want to stay up-to-date on the latest threats? Subscribe to the Barkly blog.

David Bisson

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.


Barkly protects companies from the latest exploits and attacks

Stop paying for AV. Get the strongest protection instead. See how Barkly blocks the newest attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.