Wonderful world of (distributed) SCM or VCS
Talk given on BalCCon 2013 by Vlatko Kosturjak: Wonderful world of (distributed) SCM or VCS. Ripping and extracting useful info from CVS, Subversion (SVN) and GIT repositories publicly exposed on the web.

Published in: Technology
Transcript

  • 1. #BalCCon Wonderful World of Distributed SCM: Opening closed source code https://twitter.com/k0st Vlatko Kosturjak
  • 2. Agenda ● Not covered ● Philosophical issues ● Finding code ● Old school SCM ● New school SCM ● How to get the source when it's not open source ● Questions and Answers 75 minutes
  • 3. Disclaimer ● This is a work of pure fiction ● Any resemblance to anyone, living or dead, is purely coincidental ● The characters are fictional and of my own creation ● The place, time and incidents are purely fictional ● I don't take any responsibility for your actions; consider the ethical and legal issues of your actions yourself! ● Look closer - I'm also virtual! :)
  • 4. That source control management is really really great... ● Versioning ● Blame ● Undo ● Collaboration ● Code review ● Sign off ● Integration ● ...
  • 5. But... ● ...Have you thought about security implications?
  • 6. First rule ● If sensitive ● Don't put source code on internet ● Don't put SCM files on the internet ● Don't put sensitive parts in web root ● Don't... ● Don't... ● Don't...
  • 7. Search for a specific phrase, file, function or class ● Just google for it! ;) ● The Internet does not forget! ;) ● Instructions ● strings <binary> ● Google the strings above @alexsotirov on 4th of Jul 2010: It's amazing what you can find on random Chinese sites if you start googling internal strings from closed-source applications
  • 8. How about configs in repos? ● Software.conf vs Software.conf-dist ● Software.conf ● More dangerous ● Danger of accidentally committing sensitive info ● Software.conf-dist ● Less dangerous ● Still watch out for wildcards “*”
  • 9. Search? ● Functions ● odbc_connect ● mysql_connect ● Search engines ● Google ● GitHub ● ...
  • 10. “Old School” versioning systems ● RCS ● CVS ● Subversion (SVN) ● ...
  • 11. CVS ● Concurrent Versions System ● CVS ● Entries ● Entries.Log ● Repository ● Root ● Finding repository source ● Profit if it is Internet accessible
  • 12. What can be extracted? ● Artifacts ● Repository location ● Name of hidden files – If present in repository ● Repository user ● Just enough for password guessing if online
  • 13. DVCS-ripper ● Example
        rip-cvs.pl -v -u http://www.example.com
    ● Nmap
        nmap --script=cvs-brute www.example.com
    ● Profit!
  • 14. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  • 15. SVN ● Subversion ● .svn ● prop-base ● props ● text-base ● tmp ● entries ● Finding repository source ● Profit if it is Internet accessible ● Sensitive files ● Extraction of whole tree possible
  • 16. .svn/entries content
        dir/
        0
        svn://myprivatecode.com//repo/myweb
        svn://myprivatecode.com//repo/myweb

        user
  • 17. SVN client 1.6+ ● No more .svn directories all around ● Single .svn (just like git!) ● Different format ● Incompatible, of course ;) ● Different files ● wc.db – SQLite database
  • 18. SVN client 1.6+ extraction ● Much easier ● Much faster ● Much more robust ● No more problems extracting interpreted files – Like PHP ● Thank you SVN developers! ;)
  • 19. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  • 20. Apache (main configuration file) ● 403 – Forbidden – Move along, nothing to see
        <DirectoryMatch .svn>
        Order allow,deny
        Deny from all
        </DirectoryMatch>
    ● 404 – Not found – Pick somewhere else
        AliasMatch .svn /non-existant-page
  • 21. Apache (.htaccess) ● Using mod_rewrite
        RewriteEngine On
        RewriteRule /.svn /non-existant-404-page
        <IfModule autoindex_module>
        IndexIgnore .svn
        </IfModule>
  • 22. “New School”(distributed) source code management systems ● Git ● Mercurial ● Bazaar ● ...
  • 23. Git!?
  • 24. Google Dorks
  • 25. Want source? ● Get the repo:
        mkdir git-test
        cd git-test
        wget --mirror --include-directories=/.git http://www.target.com/.git
    ● Get files
        cd www.target.com
        git reset --hard
    ● Profit! http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d
  • 26. Problem Directory browsing disabled
  • 27. Git: many ways... ● Find an archive of the SCM ● Bruteforce SHA1 ● Bandwidth ● Time ● Partial SHA1 visible ● different files ● There must be a way...
  • 28. Zombie mode on I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE …
  • 29. DVCS-Pillage ● It will rip the .git files when directory browsing is disabled ● By Adam Baldwin ● Accessible from URL: ● https://github.com/evilpacket/DVCS-Pillage ● Has a few problems ● Hmm...
  • 30. Problems... ● Current methods ● Not a complete tree download method – Packed refs – git ls-files --stage method ● No support for branches ● No support for anything other than http ● Slooow... ● Hmmm ● Want whole tree / files ● Branches ● Support old protocols ● Bruteforcing not feasible
  • 31. Zombie mode on I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE ...
  • 32. Back to the drawing board! RTFM
  • 33. Solution is... ● RTFM ● git fsck – it will tell which SHA1s are missing – No partial recovery ● Time to code my own tool ● Want whole tree ● Branches ● Support all protocols ● FAST!!
  • 34. DVCS-rip ● It will rip the .git files when directory browsing disabled ● It will rip ALL files and checkout repository for you ● Not partial ● git fsck trick ● Support for ● Branches ● Any protocol (http/https/...) ● Accessible from URL: ● https://github.com/kost/dvcs-ripper
  • 35. DVCS-rip ● How to run? ● Example run: ● rip-git.pl -v -u http://www.example.com/.git/ ● It will automatically do "git checkout -f" ● Profit!
  • 36. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  • 37. Apache (main configuration file) ● 403 – Forbidden – Move along, nothing to see
        <DirectoryMatch .git>
        Order allow,deny
        Deny from all
        </DirectoryMatch>
    ● 404 – Not found – Pick somewhere else
        AliasMatch .git /non-existant-page
  • 38. Apache (.htaccess) ● Using mod_rewrite
        RewriteEngine On
        RewriteRule /.git /non-existant-404-page
        <IfModule autoindex_module>
        IndexIgnore .git
        </IfModule>
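An added example, not from the talk, that folds the rules of slides 20, 21, 37 and 38 into one set covering every SCM directory the talk names. It assumes Apache 2.4 syntax (the 2.2 form is noted in a comment) and anchors the patterns so that the dot is literal: the bare `.svn` regex on the slides also matches any character followed by `svn`, and in a .htaccess a pattern starting with `/` misses the directory at that level.

```apache
# --- Main configuration (pick the 403 or the 404 variant) ---
# One anchored pattern for every SCM metadata directory the talk mentions.
# "\." keeps the dot literal, so /assets/mysvn/ or /gitlab/ are not caught,
# and "(/|$)" makes CVS match only as a whole path component.
<DirectoryMatch "/(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)">
    # Apache 2.2 equivalent of the line below: Order allow,deny / Deny from all
    Require all denied
</DirectoryMatch>

# 404 variant: a bare status code with no target URL is valid here, and it
# does not confirm to a scanner that the directory exists at all.
RedirectMatch 404 "/(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)"

# --- .htaccess variant (mod_rewrite) ---
# Per-directory rewriting strips the leading slash before matching, so the
# pattern must not begin with "/" or it misses .git directly in this directory.
RewriteEngine On
RewriteRule (^|/)(\.git|\.svn|\.hg|\.bzr|CVS)(/|$) - [R=404,L]
<IfModule autoindex_module>
    IndexIgnore .git .svn .hg .bzr CVS
</IfModule>
```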
  • 39. How about others? ● Mercurial ● Bazaar ● Check out DVCS-Pillage ● It will handle git, hg and bzr ● Accessible from URL: – https://github.com/evilpacket/DVCS-Pillage
  • 40. No tool available to detect ● Most of the web/network scanners will not find this ● No awareness ● Tools look only at this ● .git/ => 403 ● They should actually look at ● .git/logs/HEAD => 200 ● .git/config => 200 ● .git/index => 200 ● ...
  • 41. Nmap NSE comes to the rescue ● Have to use the latest Nmap version ● Script is not in 6.01 ● It was broken in some previous Nmap versions ● It looks for all relevant git files ● .git/logs/HEAD ● .git/config ● ...
        nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>
        PORT   STATE SERVICE
        80/tcp open  http
        | http-git:
        |   Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
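As an added example (not from the talk, and not Nmap's http-git script) of the check slide 40 asks for: probe the individual metadata files instead of the directory, and validate the body so that a server answering 200 with an HTML error page is not reported as a leak. The file signatures, the `example.test` host and the canned responses are my assumptions, constructed so the code runs offline.

```python
import re
import urllib.error
import urllib.request

# Indicator file -> pattern its body must match to count as a real leak.
# The signatures are my assumptions from the on-disk formats, not from the talk.
INDICATORS = {
    ".git/HEAD": rb"^(ref: refs/|[0-9a-f]{40})",
    ".git/config": rb"^\[core\]",
    ".git/logs/HEAD": rb"^[0-9a-f]{40} [0-9a-f]{40} ",
    ".git/index": rb"^DIRC",
    ".svn/entries": rb"^(\d+\n|<\?xml)",      # per-directory .svn layout
    ".svn/wc.db": rb"^SQLite format 3\x00",   # single-.svn layout
    ".hg/requires": rb"(?m)^(store|revlogv1)$",
    "CVS/Root": rb"^(:(pserver|ext|local):|/)",
}

def http_fetch(url):
    """Default fetcher: GET the URL and return (status, first 512 bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": "scm-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(512)
    except (urllib.error.HTTPError, urllib.error.URLError) as err:
        return getattr(err, "code", 0), b""

def check_scm_exposure(base_url, fetch=http_fetch):
    """Map each indicator path to 'exposed', 'soft-404' or 'closed'.
    A 200 whose body is not the expected file (usually an HTML error page
    served with status 200) is reported as 'soft-404', not as a leak."""
    results = {}
    for path, sig in INDICATORS.items():
        code, body = fetch(base_url.rstrip("/") + "/" + path)
        if code != 200:
            results[path] = "closed"
        else:
            results[path] = "exposed" if re.search(sig, body) else "soft-404"
    return results

# Constructed responses standing in for a server where the directory itself is
# forbidden (403) but the files underneath are still served, plus one soft 404.
FAKE_SERVER = {
    "http://example.test/.git/": (403, b"<html>Forbidden</html>"),
    "http://example.test/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "http://example.test/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "http://example.test/.svn/entries": (200, b"<html><h1>Not Found</h1></html>"),
}

def fake_fetch(url):
    return FAKE_SERVER.get(url, (404, b""))
```

Call `check_scm_exposure("https://your-host/")` with the default fetcher to run it against a server you administer; `check_scm_exposure("http://example.test", fake_fetch)` runs the offline dry run.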
  • 42. Evolving Good example of open source collaboration between projects
  • 43. WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas) https://github.com/wick2o/gitDigger
  • 44. Google dorks ● “.git” intitle:”index of” ● “.svn” intitle:”index of” ● “CVS” intitle:”index of” ● “.hg” intitle:”index of” ● “.bzr” intitle:”index of” ● … (I guess you got the idea already)...
  • 45. Searching for standard interfaces ● Interfaces ● Redmine ● ViewCS ● ViewCVS ● Gitweb ● ... ● Google Dorks ● “Powered by ViewCS” ● Bing as well...
  • 46. Recommendations for developers ● Do not store passwords and API keys in SCM ● Config.php vs config.php-dist ● Do not store sensitive info in SCM ● Separate test and production data ● Being paranoid is a good feeling
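An added example, not from the talk: a Git pre-commit hook that enforces the config.php vs config.php-dist rule of slides 8 and 46 and refuses obviously hard-coded credentials before they reach the repository. The file-name patterns, the secret and placeholder regexes and the sample staged files are my assumptions.

```python
import re
import subprocess
import sys

# Live config names that must never be committed; their -dist templates are
# fine. Both the name list and the secret heuristics are my assumptions.
LIVE_CONFIG = re.compile(r"(^|/)(\.env|config\.php|[^/]+\.(conf|ini))$", re.I)
SECRET = re.compile(
    rb"(?i)(password|passwd|pass|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^'\"\s;,]{6,})")
PLACEHOLDER = re.compile(rb"(?i)^(changeme|xxx+|your[_-]|<[^>]*>$|\$\{|%)")

def find_violations(staged):
    """staged: {path: staged content as bytes}. Returns [(path, reason), ...]."""
    problems = []
    for path, content in staged.items():
        if LIVE_CONFIG.search(path):
            problems.append((path, "live config file; commit the -dist template instead"))
        for lineno, line in enumerate(content.splitlines(), 1):
            match = SECRET.search(line)
            if match and not PLACEHOLDER.match(match.group(2)):
                problems.append((path, f"line {lineno}: hard-coded {match.group(1).decode()}"))
    return problems

def staged_files():
    """Read the index, not the working tree, so unstaged edits do not matter."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], capture_output=True,
                              check=True).stdout for n in names}

# Constructed staged set for a dry run; not taken from any real repository.
SAMPLE = {
    "config.php-dist": b"<?php\n$db_pass = 'changeme';\n",
    "config.php": b"<?php\n$db_pass = 'S3cr3t-pr0d';\n",
    "lib/db.php": b"<?php\nfunction connect($p) { return mysql_connect('h', 'u', $p); }\n",
}

if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; "--dry-run" checks SAMPLE instead of the index.
    found = find_violations(SAMPLE if "--dry-run" in sys.argv else staged_files())
    for path, reason in found:
        print(f"pre-commit: {path}: {reason}", file=sys.stderr)
    sys.exit(1 if found else 0)
```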
  • 47. Recommendations for system administrators ● Proactively forbid serving all SCM files on web servers ● Periodic checks for the standard SCM directories, e.g.:
        find /web -name .svn
        find /web -name .git
        wget http://www.site.com/svn/
    ● Is there any need to have source code available at all?
  • 48. Recommendations for management and auditors ● Ask how source code management is done ● Ask what security controls are there to protect source code ● What controls are there to protect against source code leaks? ● What controls are there to protect against password and key leaks? ● What controls are there to protect sensitive information in source code and configurations?
  • 49. References ● https://github.com/evilpacket/DVCS-Pillage ● https://github.com/kost/DVCS-Pillage ● https://github.com/kost/dvcs-ripper ● https://github.com/anantshri/svn-extractor ● http://blog.anantshri.info/svn-extractor-for-web-pentesters/ ● http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive ● http://www.cirt.net/svnpristine ● http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/ ● http://nmap.org/nsedoc/scripts/cvs-brute-repository.html ● http://nmap.org/nsedoc/scripts/cvs-brute.html ● http://nmap.org/nsedoc/scripts/http-git.html
  • 50. Questions? Comments? Feedbacks? @k0st This is zero Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...