Light Dark
January 12, 2017 By Larry Loeb 2 min read

A proof of concept (PoC) enables security researchers to make their point, in code, about an exploit. By showing how a particular code might execute, researchers can illuminate the underlying root cause of a situation.

Unfortunately, malware authors can also create a PoC exploit as the basis of weaponized code to carry out an attack. This week, a gang of cybercrooks did just that.

Sundown Develops PoC Exploit

Threatpost reported that a PoC developed by Texas-based security research firm Theori has been used in the Sundown exploit kit (EK). The PoC exposed two vulnerabilities found in the Microsoft Edge browser.

Although Microsoft patched these specific vulnerabilities in November, researchers spotted code in Sundown using the PoCs only two days after they were made public. Interestingly, this was the first change in Sundown’s overall code that researchers had witnessed in over six months, Threatpost noted.

Theori found vulnerabilities in the Chakra JavaScript engine, which has been around since Internet Explorer 9. The PoC showed how the engine can trigger an information leak, which then leads to remote code execution (RCE). The Sundown EK uses this RCE exploit to drop its malicious payload.

More PoC Problems

Unfortunately for security research, a well-intentioned PoC may also highlight vulnerabilities that were not part of its initial focus. One such PoC from Laurent Gaffié, for example, was looking at a distributed denial-of-service (DoS) vulnerability in Local Security Authority Subsystem Service (LSASS), which enforced Windows security policy. SecurityWeek noted that this might cause the system to become unresponsive if sent specially crafted requests.

Even though a patch was released for this vulnerability in November, the story didn’t end there. Nicolas Economou, a security researcher from Core Security, discovered that a similar problem was actually being triggered by the exploit. He was understandably confused as to why the DDoS PoC was not working as intentioned on a Windows 10 system.

“There was a misunderstanding here about the vulnerability,” Economou wrote, “because, according to the PoC released by Laurent Gaffié, the problem wasn’t in the structure pointer, but rather in one field of the CRITICAL_SECTION object pointed by this structure, which is null when the huge allocation fails.”

This analysis prompted Microsoft to release a new security bulletin, which included a patch for the affected systems.

 |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

February 14, 2025

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature