Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRAVEX: Collect and normalize exploit pointers #95

Open
2 of 4 tasks
pombredanne opened this issue Sep 26, 2019 · 12 comments
Open
2 of 4 tasks

CRAVEX: Collect and normalize exploit pointers #95

pombredanne opened this issue Sep 26, 2019 · 12 comments
Assignees
@DennisClark @ziadhany
Labels
Data collection

Comments

@pombredanne
Copy link
Member

pombredanne commented Sep 26, 2019
edited by ziadhany
Loading

We want to collect data about exploits.

See discussion document at https://docs.google.com/document/d/1XtMmxthmANhr-IqXsyMgFnrOq5fTGfsE/edit?usp=sharing&ouid=117241222429542576816&rtpof=true&sd=true

See work-in-progress normalized model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing
@armijnhemel
Copy link
Contributor

exploitdb has moved to https://gitlab.com/exploit-database/exploitdb

@pombredanne
Copy link
Member Author

This is a nice dataset:

Also:

@pombredanne
Copy link
Member Author

And also https://github.com/nomi-sec/PoC-in-GitHub

@ahouseholder
Copy link

We're tagging vul IDs (more than just CVE) at

We pull updates from their respective repositories every few hours, crawl the diffs for IDs we recognize, and then tag the commit in which the ID first appeared.

The ID patterns we look for are here:
https://github.com/CERTCC/git_vul_driller/blob/dd49cec61aac5ee9e84d57313a7876145e0b1522/git_vul_driller/patterns.py#L15-L56

@ahouseholder
Copy link

ahouseholder commented Jul 21, 2023
edited
Loading

Just to set expectations on data quality: Please be aware of the notes about signal-to-noise in the Labyrinth README. An ID that shows up in Labyrinth might be because there's an exploit repo that mentions it, or it could be a number of other relatively benign reasons because our code isn't smart enough to tell the difference. Labyrinth's findings are meant to serve as input to an analysis process, not a production exploit feed.

@ahouseholder
Copy link

On the other hand, we're more confident about the exploitdb/metasploit tags indicating exploits because there's a human vetting process involved (i.e., their developers decide what to include in their product).

@pombredanne
Copy link
Member Author

@ahouseholder Thank you for the valuable insights. In the end, I want to know if my code is vulnerable. So the idea here with exploits is this, inc combination with reachability:

  1. Using scancode to detect packages (PURL) or any of the many other tools that use PURLs and a lookup in VulnerableCode or in any other vulnerability DB that uses PURL I know I am potentially vulnerable
  2. The I would like to automate as much as possible things to find out if my usage of the vulnerable package is exploitable. For this there are two tracks that I think can help:
    2.1. Static reachability: given knowledge of a fix commit and a static analysis of the vulnerable library interaction with my code, do I use any of the vulnerable code paths?
    2.2. Dynamic exploitability: given an exploit script (eventually curated to conform to a common interface and setup), is my configuration exploitable?

And if I am either exploitable or the vulnerable code is reachable, then I need to patch (possibly with the fix commit)

@armijnhemel
Copy link
Contributor

Related: #655

@TG1999 TG1999 added this to the v34.0.0 milestone Oct 2, 2023
@TG1999 TG1999 removed this from the v34.0.0 milestone Jan 30, 2024
@pombredanne pombredanne changed the title Collect exploit pointers? Collect exploit pointers Apr 5, 2024
@DennisClark DennisClark self-assigned this Aug 2, 2024
@DennisClark
Copy link
Member

See discussion document at https://docs.google.com/document/d/1XtMmxthmANhr-IqXsyMgFnrOq5fTGfsE/edit?usp=sharing&ouid=117241222429542576816&rtpof=true&sd=true

See work-in-progress normalized model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing

@TG1999 TG1999 added the 9-next label Aug 6, 2024
@DennisClark
Copy link
Member

DennisClark commented Aug 15, 2024
edited
Loading

The proposed normalized Exploits model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing is ready for review.

@DennisClark DennisClark changed the title Collect exploit pointers CRAVEX: Collect and normalize exploit pointers Aug 15, 2024
@DennisClark
Copy link
Member

The proposed normalized Exploits model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing has been reviewed and ready for implementation.

@ziadhany ziadhany mentioned this issue Aug 20, 2024
Merged
@ziadhany
Copy link
Collaborator

@DennisClark I’ve been working on the Exploit model but encountered a few challenges:

  • The resources_and_notes in Metasploit is a set of options like this:
"notes": {
  "AKA": ["Zerologon"],
  "Stability": ["crash-safe"],
  "Reliability": [],
  "SideEffects": ["config-changes", "ioc-in-logs"]
}

should we store it as a JSON or just a string?

  • I'm also unsure about what should be stored in source_url for Metasploit, as references can include multiple URLs. Any guidance on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DennisClark DennisClark

@ziadhany ziadhany

Labels
Data collection
Projects
03-CRAVEX
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
6 participants
@pombredanne @ahouseholder @DennisClark @armijnhemel @ziadhany @TG1999