Wonderful world of (distributed) SCM or VCS

2,763
-1

Published on

Talk given on BalCCon 2013 by Vlatko Kosturjak: Wonderful world of (distributed) SCM or VCS. Ripping and extracting useful info from CVS, Subversion (SVN) and GIT repositories publicly exposed on the web.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,763
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
7
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Wonderful world of (distributed) SCM or VCS

  1. 1. #BalCCon Wonderful World of Distributed SCM: Opening closed source code https://twitter.com/k0st Vlatko Kosturjak
  2. 2. Agenda ● Not covered ● Philosophical issues ● Finding code ● Old school SCM ● New school SCM ● How to get the source when its not open source ● Questions and Answers 75 minutes
  3. 3. Disclaimer ● This is a work of pure fiction ● Any resemblance to anyone, living or dead is purely coincidental ● The characters are fictional and of my own creation ● The place, time and incidents are purely fictional ● I don't take any responsibilities for your actions, consider yourself ethical and legal issues of your actions! ● Look closer - I'm also virtual! :)
  4. 4. That source control management is really really great... ● Versioning ● Blame ● Undo ● Collaboration ● Code review ● Sign off ● Integration ● ...
  5. 5. But... ● ...Have you thought about security implications?
  6. 6. First rule ● If sensitive ● Don't put source code on internet ● Don't put SCM files on the internet ● Don't put sensitive parts in web root ● Don't... ● Don't... ● Don't...
  7. 7. Search for specific phrase, file, function or class ● Just google for it! ;) ● Internet does not forget! ;) ● Instructions ● Strings <binary> ● Google above @alexsotirov on 4th of Jul 2010: It's amazing what you can find on random Chinese sites if you start googling internal strings from closed- source applications
  8. 8. How about configs in repos? ● Software.conf vs Software.conf-dist ● Software.conf ● More dangerous ● Danger of accidentaly commiting sensitive info ● Software.conf-dist ● Less dangerous ● Still watchout wildcards “*”
  9. 9. Search? ● Functions ● odbc_connect ● mysql_connect ● Search engines ● Google ● GitHub ● ...
  10. 10. “Old School” versioning systems ● RCS ● CVS ● Subversion (SVN) ● ...
  11. 11. CVS ● Concurrent Versions System ● CVS ● Entries ● Entries.Log ● Repository ● Root ● Finding repository source ● Profit if it is Internet accessible
  12. 12. What can be extracted? ● Artifacts ● Repository location ● Name of hidden files – If present in repository ● Repository user ● Just enough for password guessing if online
  13. 13. DVCS-ripper ● Example ● rip-cvs.pl -v -u http://www.example.com ● Nmap ● Nmap –script=cvs-brute www.example.com ● Profit!
  14. 14. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  15. 15. SVN ● Subversion ● .svn ● prop-base ● props ● text-base ● tmp ● entries ● Finding repository source ● Profit if it is Internet accessible ● Sensitive files ● Extraction of whole tree possible
  16. 16. .svn/entries content ● dir/ ● 0 ● svn://myprivatecode.com//repo/myweb ● svn://myprivatecode.com//repo/myweb ● ● user ●
  17. 17. SVN client 1.6+ ● No more .svn directories all around ● Single .svn (just like git!) ● Different format ● Incompatible, of course ;) ● Different files ● wc.db – SQLite database
  18. 18. SVN client 1.6+ extraction ● Much easier ● Much faster ● Much robust ● No more problems extracting interpreted files – Like PHP ● Thank you SVN developers! ;)
  19. 19. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  20. 20. Apache (main configuration file) ● 403 – Forbidden – Move along nothing to see <DirectoryMatch .svn> Order allow,deny Deny from all </DirectoryMatch> ● 404 – Not found – Pick somewhere else AliasMatch .svn /non-existant-page
  21. 21. Apache (.htaccess) ● Using mod_rewrite RewriteEngine On RewriteRule /.svn /non-existant-404-page <IfModule autoindex_module> IndexIgnore .svn </IfModule>
  22. 22. “New School”(distributed) source code management systems ● Git ● Mercurial ● Bazaar ● ...
  23. 23. Git!?
  24. 24. Google Dorks
  25. 25. Want source? ● Get the repo: mkdir git-test cd git-test wget --mirror --include-directories=/.git http://www.target.com/.git ● Get files cd www.target.com git reset --hard ● Profit! http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d
  26. 26. Problem Directory browsing disabled
  27. 27. Git: many ways... ● Find archive of SCM ● Bruteforce SHA1 ● Bandwidth ● Time ● Partial SHA1 visible ● different files ● There must be the way...
  28. 28. Zombie mode on I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE …
  29. 29. DVCS-Pillage ● It will rip the .git files when directory browsing disabled ● By Adam Baldwin ● Accessible from URL: ● https://github.com/evilpacket/DVCS-Pillage ● Have few problems ● Hmm...
  30. 30. Problems... ● Current methods ● Not complete tree download method – Packed refs – git ls-files –stage method ● No support for branches ● No support for other than http ● Slooow... ● Hmmm ● Want whole tree / files ● Branches ● Support old protocols ● Bruteforcing not feasable
  31. 31. Zombie mode on I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE ...
  32. 32. Back to the drawing board! RTFM
  33. 33. Solution is... ● RTFM ● git fsck – it will tell what sha1 are missing – No partial recovery ● Time to code my own tool ● Want whole tree ● Branches ● Support all protocols ● FAST!!
  34. 34. DVCS-rip ● It will rip the .git files when directory browsing disabled ● It will rip ALL files and checkout repository for you ● Not partial ● git fsck trick ● Support for ● Branches ● Any protocol (http/https/...) ● Accessible from URL: ● https://github.com/kost/dvcs-ripper
  35. 35. DVCS-rip ● How to run? ● Example run: ● rip-git.pl -v -u http://www.example.com/.git/ ● It will automatically do "git checkout -f" ● Profit!
  36. 36. Protection ● Make it open source ;) ● Remove SCM files if not needed ● Web server configuration ● Web deployment automation controls ● ...
  37. 37. Apache (main configuration file) ● 403 – Forbidden – Move along nothing to see <DirectoryMatch .git> Order allow,deny Deny from all </DirectoryMatch> ● 404 – Not found – Pick somewhere else AliasMatch .git /non-existant-page
  38. 38. Apache (.htaccess) ● Using mod_rewrite RewriteEngine On RewriteRule /.git /non-existant-404-page <IfModule autoindex_module> IndexIgnore .git </IfModule>
  39. 39. How about others? ● Mercurial ● Bazaar ● Checkout DVCS-Pillage ● It will handle git, hg and bzr ● Accessible from URL: – https://github.com/evilpacket/DVCS-Pillage
  40. 40. No tool available to detect ● Most of the web/network scanners will not find this ● No awareness ● Tools looks only this ● .git/ => 403 ● They should actually look ● .git/logs/HEAD => 200 ● .git/config => 200 ● .git/index => 200 ● ...
  41. 41. Nmap NSE comes to rescue ● Have to use latest Nmap version ● Script is not in 6.01 ● It was broken in some previous Nmap versions ● It looks all relevant git files ● .git/logs/HEAD ● .git/config ● ... ● nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target> PORT STATE SERVICE 80/tcp open http | http-git: | Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
  42. 42. Evolving Good example of open source collaboration between projects
  43. 43. WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas) https://github.com/wick2o/gitDigger
  44. 44. Google dorks ● “.git” intitle:”index of” ● “.svn” intitle:”index of” ● “CVS” intitle:”index of” ● “.hg” intitle:”index of” ● “.bzr” intitle:”index of” ● … (I guess you got idea already)...
  45. 45. Searching for standard interfaces ● Interfaces ● Redmine ● ViewCS ● ViewCVS ● Gitweb ● ... ● Google Dorks ● “Powered by ViewCS” ● Bing as well...
  46. 46. Recommendations for developers ● Do not store passwords and API keys on SCM ● Config.php vs config.php-dist ● Do not store sensitive info on SCM ● Separate test and production data ● Being paranoid is good feeling
  47. 47. Recommendations for system administrators ● Proactively forbid serving all SCM files on web servers ● Periodical check for standard directories of SCMs, i.e.: ● find /web -name .svn ● find /web -name .git ● wget http://www.site.com/svn/ ● Is there any need to have source code available at all?
  48. 48. Recommendations for management and auditors ● Ask how source code management is done ● Ask what security controls are there to protect source code ● What controls are there to protect source code leaks? ● What controls are there to protect passwords and keys leaks? ● What controls are there to protect sensitive information in source code and configurations?
  49. 49. References ● https://github.com/evilpacket/DVCS-Pillage ● https://github.com/kost/DVCS-Pillage ● https://github.com/kost/dvcs-ripper ● https://github.com/anantshri/svn-extractor ● http://blog.anantshri.info/svn-extractor-for-web-pentesters/ ● http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive ● http://www.cirt.net/svnpristine ● http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment- page-1/ ● http://nmap.org/nsedoc/scripts/cvs-brute-repository.html ● http://nmap.org/nsedoc/scripts/cvs-brute.html ● http://nmap.org/nsedoc/scripts/http-git.html
  50. 50. Questions? Comments? Feedbacks? @k0st This is zero Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×