KvasirSecurity / Kvasir

Kvasir: Penetration Test Data Management

CANVAS exploit provenance? #191

Closed attritionorg closed 3 years ago

attritionorg commented 3 years ago

https://github.com/KvasirSecurity/Kvasir/blob/master/static/etc/canvas_exploits.xml

What is the provenance of this information? There are a few dozen entries in this list that do not have the correct CVE ID associated with them.

grutz commented 3 years ago

This was taken direct from a CANVAS release directly: <CANVASExploitPack date="Fri Jul 5 11:03:08 2013" name="White_Phosphorus">. Any errors would have been from upstream/Immunity at the time.

Note that Kvasir has effectively been a project in stasis for quite some time so its data sources are frozen in time.

attritionorg commented 3 years ago

I talked to someone at Immunity who doesn't think this list came from them or CANVAS, despite that heading. Taking one example from the file:

But pulling it directly from the CANVAS feed:

Can see the second one has the correct CVE ID. I'm almost done going through the file and have identified over 40 of these with the wrong CVE ID. It's hard to imagine that Immunity got that many wrong as they are usually more meticulous than that. There are at least five IDs that don't carry the CVE- prefix and one that carries an extraneous " - ".

So it suggests this file was put together by someone that tried to manipulate it in some way and injected these errors. A vast majority of the incorrect CVE issues are where it was originally a 2007 ID that got changed to 2019. But there are ones that should be 2008 and 2011 that are wrong, and the substitute years are 2016, 2019, and 2020. But I can't discern a pattern for them either.

Are you saying that you personally took this file from CANVAS, or a project contributor did? I know you imported it into this repository as part of Kvasir 1.0.0 but that doesn't tell me if you generated the file. Anyway, just trying to figure this out as a point of academic curiosity. Thanks!
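As an added example (not code from Kvasir, CANVAS or either participant), the checks described in the comment above: flag IDs missing the CVE- prefix or carrying a stray " - ", and compare a suspect copy of canvas_exploits.xml against a reference copy so that silently rewritten years show up. The `<Exploit name=".." cve=".."/>` element layout and the sample entries are assumptions; the thread only shows the ExploitPackList and CANVASExploitPack wrappers.

```python
import re
import xml.etree.ElementTree as ET

# Canonical ID: "CVE-" prefix, four-digit year, four-or-more-digit sequence.
CANONICAL = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Tolerant match that also recovers IDs missing the prefix or carrying a stray " - ".
TOLERANT = re.compile(r"^(?:CVE)?\s*-?\s*(\d{4})\s*-\s*(\d{4,})$")

def classify(raw):
    """Return (canonical ID or None, issue or None) for one raw CVE string."""
    raw = raw.strip()
    if CANONICAL.match(raw):
        return raw, None
    m = TOLERANT.match(raw)
    if not m:
        return None, "unparseable"
    issue = "missing CVE- prefix" if not raw.startswith("CVE") else "extraneous ' - '"
    return "CVE-%s-%s" % m.groups(), issue

def load_exploits(xml_text):
    """Map exploit name -> raw cve attribute. ASSUMPTION: entries look like
    <Exploit name=".." cve=".."/>; the thread only shows the wrapper elements."""
    return {e.get("name"): e.get("cve", "")
            for e in ET.fromstring(xml_text).iter("Exploit")}

def audit(xml_text):
    """Rows (name, raw, issue) for every ID that is not well-formed."""
    rows = [(n, r, classify(r)[1]) for n, r in load_exploits(xml_text).items()]
    return [row for row in rows if row[2]]

def diff_copies(suspect_xml, reference_xml):
    """Rows (name, suspect_id, reference_id) where the canonicalised IDs disagree,
    which is how a year silently rewritten from 2007 to 2019 shows up."""
    ref = {n: classify(r)[0] for n, r in load_exploits(reference_xml).items()}
    sus = {n: classify(r)[0] for n, r in load_exploits(suspect_xml).items()}
    return [(n, cid, ref.get(n)) for n, cid in sus.items() if cid != ref.get(n)]

# Constructed sample copies: the exploit names and IDs below are invented.
SUSPECT_XML = """<ExploitPackList>
<CANVASExploitPack date="Fri Jul 5 11:03:08 2013" name="White_Phosphorus">
<Exploit name="ex_a" cve="CVE-2007-1234"/>
<Exploit name="ex_b" cve="2008-4250"/>
<Exploit name="ex_c" cve="CVE-2019-5678"/>
<Exploit name="ex_d" cve="CVE - 2011-1111"/>
</CANVASExploitPack></ExploitPackList>"""
REFERENCE_XML = (SUSPECT_XML.replace('"2008-4250"', '"CVE-2008-4250"')
                 .replace("CVE-2019-5678", "CVE-2007-5678")
                 .replace("CVE - 2011", "CVE-2011"))
```

Running `audit(SUSPECT_XML)` reports ex_b and ex_d as malformed, and `diff_copies(SUSPECT_XML, REFERENCE_XML)` reports only ex_c, whose year differs between the two copies even though both IDs are well-formed.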

attritionorg commented 3 years ago

So I need to apologize, I made a really bad assumption!

https://drive.google.com/file/d/10l4oC9rmbdz4CbXwDukMk1gG5yANFdcY/view

This was the copy I originally found, and then when searching out parts I found the copy here. But I didn't then compare them fully and now I see that copy has most or all of the errors I am seeing. So for now please disregard this while I poke around more. I am still curious if you directly got the info from CANVAS, but again, just academic curiosity. =)

Thanks!

grutz commented 3 years ago

I went into my time machine of old drives to rebuild memory lane. After getting sucked into many happy and unhappy times I did come across a unique function in a CANVAS distribution called write_xml_exploits:

    import xml.dom.minidom

    # Build the root element of the exploit list that CANVAS writes out as XML
    doc = xml.dom.minidom.Document()
    exploit_pack_list = doc.createElement("ExploitPackList")
    doc.appendChild(exploit_pack_list)

So you can just load up your copy of CANVAS and run canvasengine.py -e to generate a list of exploits. Or visit http://exploitlist.immunityinc.com/home/serve/live (still active) which I forgot was linked to in the Kvasir wiki (it's really been a very long time...)

See also:

😝 Case solved! Any errors were those of ImmunitySec!

attritionorg commented 3 years ago

Outstanding. I am 99.99% sure the errors weren't at Immunity, rather whoever mangled the copy on that Google Drive link. But this is extremely useful information on how to generate such a list, especially since it will dump the plugins from any third-party integrations (e.g. White Phosphorus, D2, and presumably GLEG's plugins).

Thanks for taking the time to help figure this out, very much appreciated.