Wonderful world of (distributed) SCM or VCS

Talk given on BalCCon 2013 by Vlatko Kosturjak: Wonderful world of (distributed) SCM or VCS. Ripping and extracting useful info from CVS, Subversion (SVN) and GIT repositories publicly exposed on the web.

1. #BalCCon: Wonderful World of Distributed SCM: Opening closed source code
https://twitter.com/k0st
Vlatko Kosturjak

2. Agenda
● Not covered
● Philosophical issues
● Finding code
● Old school SCM
● New school SCM
● How to get the source when it's not open source
● Questions and Answers
75 minutes

3. Disclaimer
● This is a work of pure fiction
● Any resemblance to anyone, living or dead, is purely coincidental
● The characters are fictional and of my own creation
● The place, time and incidents are purely fictional
● I don't take any responsibility for your actions; consider the ethical and legal issues of your actions yourself!
● Look closer - I'm also virtual! :)

4. That source control management is really really great...
● Versioning
● Blame
● Undo
● Collaboration
● Code review
● Sign off
● Integration
● ...

5. But...
● ...Have you thought about the security implications?

6. First rule
● If sensitive:
● Don't put source code on the internet
● Don't put SCM files on the internet
● Don't put sensitive parts in the web root
● Don't...
● Don't...
● Don't...

7. Search for a specific phrase, file, function or class
● Just google for it! ;)
● The internet does not forget! ;)
● Instructions:
    strings <binary>
● Google the output of the above
@alexsotirov on 4th of Jul 2010: "It's amazing what you can find on random Chinese sites if you start googling internal strings from closed-source applications"

8. How about configs in repos?
● Software.conf vs Software.conf-dist
● Software.conf
  – More dangerous
  – Danger of accidentally committing sensitive info
● Software.conf-dist
  – Less dangerous
  – Still watch out for wildcards "*"

9. Search?
● Functions
  – odbc_connect
  – mysql_connect
● Search engines
  – Google
  – GitHub
  – ...

10. "Old School" versioning systems
● RCS
● CVS
● Subversion (SVN)
● ...

11. CVS
● Concurrent Versions System
● CVS (the metadata directory), containing:
  – Entries
  – Entries.Log
  – Repository
  – Root
● Finding the repository source
● Profit if it is Internet accessible

12. What can be extracted?
● Artifacts
● Repository location
● Names of hidden files
  – If present in the repository
● Repository user
● Just enough for password guessing if online

13. DVCS-ripper
● Example:
    rip-cvs.pl -v -u http://www.example.com
● Nmap:
    nmap --script=cvs-brute www.example.com
● Profit!

14. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...

15. SVN
● Subversion
● .svn (the metadata directory), containing:
  – prop-base
  – props
  – text-base
  – tmp
  – entries
● Finding the repository source
● Profit if it is Internet accessible
● Sensitive files
● Extraction of the whole tree is possible

16. .svn/entries content (one field per line; an empty bullet is an empty field)
● dir/
● 0
● svn://myprivatecode.com//repo/myweb
● svn://myprivatecode.com//repo/myweb
●
● user
●

17. SVN client 1.6+
● No more .svn directories all around
● Single .svn (just like git!)
● Different format
● Incompatible, of course ;)
● Different files
● wc.db – SQLite database

18. SVN client 1.6+ extraction
● Much easier
● Much faster
● Much more robust
● No more problems extracting interpreted files
  – Like PHP
● Thank you, SVN developers! ;)

19. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...

20. Apache (main configuration file)
● 403 – Forbidden – Move along, nothing to see
    # Apache 2.2 access-control syntax; on 2.4 use "Require all denied" instead.
    # The pattern is a regex, so the dot is escaped to match only ".svn".
    <DirectoryMatch "/\.svn">
        Order allow,deny
        Deny from all
    </DirectoryMatch>
● 404 – Not found – Pick somewhere else
    # Map every URL containing "/.svn" to a file that does not exist
    AliasMatch "/\.svn" /non-existant-page

21. Apache (.htaccess)
● Using mod_rewrite
    RewriteEngine On
    # Per-directory context strips the leading "/", so anchor on start-of-path or "/"
    RewriteRule (^|/)\.svn(/|$) /non-existant-404-page [L]
    <IfModule autoindex_module>
        IndexIgnore .svn
    </IfModule>

22. "New School" (distributed) source code management systems
● Git
● Mercurial
● Bazaar
● ...

23. Git!?

24. Google Dorks

25. Want source?
● Get the repo:
    mkdir git-test
    cd git-test
    wget --mirror --include-directories=/.git http://www.target.com/.git
● Get files:
    cd www.target.com
    git reset --hard
● Profit!
http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d

26. Problem
Directory browsing disabled

27. Git: many ways...
● Find an archive of the SCM
● Bruteforce SHA1
  – Bandwidth
  – Time
● Partial SHA1 visible
  – different files
● There must be a way...

28. Zombie mode on
I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE …

29. DVCS-Pillage
● It will rip the .git files when directory browsing is disabled
● By Adam Baldwin
● Accessible from URL:
  – https://github.com/evilpacket/DVCS-Pillage
● Has a few problems
● Hmm...

30. Problems...
● Current methods
  – Not a complete tree download method (packed refs; git ls-files --stage method)
  – No support for branches
  – No support for anything other than http
  – Slooow...
● Hmmm
  – Want the whole tree / all files
  – Branches
  – Support old protocols
  – Bruteforcing not feasible

31. Zombie mode on
I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE ...

32. Back to the drawing board!
RTFM

33. Solution is...
● RTFM
● git fsck
  – it will tell which sha1s are missing
  – No partial recovery
● Time to code my own tool
  – Want the whole tree
  – Branches
  – Support all protocols
  – FAST!!

34. DVCS-rip
● It will rip the .git files when directory browsing is disabled
● It will rip ALL files and check out the repository for you
● Not partial
● git fsck trick
● Support for
  – Branches
  – Any protocol (http/https/...)
● Accessible from URL:
  – https://github.com/kost/dvcs-ripper

35. DVCS-rip
● How to run?
● Example run:
    rip-git.pl -v -u http://www.example.com/.git/
● It will automatically do "git checkout -f"
● Profit!

36. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...

37. Apache (main configuration file)
● 403 – Forbidden – Move along, nothing to see
    # Apache 2.2 access-control syntax; on 2.4 use "Require all denied" instead.
    # The pattern is a regex, so the dot is escaped to match only ".git".
    <DirectoryMatch "/\.git">
        Order allow,deny
        Deny from all
    </DirectoryMatch>
● 404 – Not found – Pick somewhere else
    # Map every URL containing "/.git" to a file that does not exist
    AliasMatch "/\.git" /non-existant-page

38. Apache (.htaccess)
● Using mod_rewrite
    RewriteEngine On
    # Per-directory context strips the leading "/", so anchor on start-of-path or "/"
    RewriteRule (^|/)\.git(/|$) /non-existant-404-page [L]
    <IfModule autoindex_module>
        IndexIgnore .git
    </IfModule>

39. How about others?
● Mercurial
● Bazaar
● Check out DVCS-Pillage
  – It will handle git, hg and bzr
● Accessible from URL:
  – https://github.com/evilpacket/DVCS-Pillage

40. No tool available to detect
● Most of the web/network scanners will not find this
● No awareness
● Tools look only at this:
  – .git/ => 403
● They should actually look at:
  – .git/logs/HEAD => 200
  – .git/config => 200
  – .git/index => 200
  – ...

41. Nmap NSE comes to the rescue
● Have to use the latest Nmap version
● Script is not in 6.01
● It was broken in some previous Nmap versions
● It looks at all relevant git files
  – .git/logs/HEAD
  – .git/config
  – ...
    nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>

    PORT   STATE SERVICE
    80/tcp open  http
    | http-git:
    |   Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
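Slide 40's point, that a 403 on .git/ proves nothing and a scanner has to probe the metadata files themselves, as a small Python checker for your own hosts. This is an added example, not code from the talk, the dvcs-ripper project or Nmap's http-git script; the set of six files and the per-file content signatures are assumptions chosen here (the slide names only logs/HEAD, config and index), and the fetch callable lets it run offline against constructed responses.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Files a git metadata directory always carries; the slide names logs/HEAD,
# config and index, the rest of this set is an assumption made here.
EXPECTED_FILES = (".git/HEAD", ".git/config", ".git/index",
                  ".git/logs/HEAD", ".git/description", ".git/info/exclude")
Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (status, body)
HEX40 = re.compile(rb"^[0-9a-f]{40}\s*$")

def looks_like_git_file(path: str, body: bytes) -> bool:
    """Content checks so a catch-all 200 ("soft 404") page is not counted."""
    if path.endswith("/logs/HEAD"):           # reflog line: "<old sha> <new sha> ..."
        return re.match(rb"^[0-9a-f]{40} [0-9a-f]{40} ", body) is not None
    if path.endswith("/HEAD"):
        return body.startswith(b"ref: refs/") or HEX40.match(body) is not None
    if path.endswith("/config"):
        return b"[core]" in body
    if path.endswith("/index"):
        return body.startswith(b"DIRC")        # magic bytes of the git index
    return bool(body.strip()) and not body.lstrip().startswith(b"<")  # text, not HTML

def check_git_exposure(base_url: str, fetch: Fetcher) -> dict:
    """Probe the files themselves; a 403 on .git/ alone proves nothing."""
    base = base_url.rstrip("/")
    dir_status, _ = fetch(base + "/.git/")
    found = []
    for path in EXPECTED_FILES:
        status, body = fetch(f"{base}/{path}")
        if status == 200 and looks_like_git_file(path, body):
            found.append(path)
    summary = (f"Potential Git repository found at {base}/.git/ "
               f"(found {len(found)} of {len(EXPECTED_FILES)} expected files)"
               if found else f"no git metadata reachable under {base}/.git/")
    return {"dir_status": dir_status, "found": found,
            "exposed": len(found) >= 2,  # two independent hits, not one fluke
            "summary": summary}

def urllib_fetch(url: str) -> Tuple[int, bytes]:
    """Real fetcher for stand-alone use; reads at most 4 KiB per file."""
    req = urllib.request.Request(url, headers={"User-Agent": "scm-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""
```

For a live check of a host you administer, call check_git_exposure("https://www.example.com", urllib_fetch) and read the summary, whose "found N of 6" wording mirrors the Nmap output on the slide.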
42. Evolving
Good example of open source collaboration between projects

43. WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas)
https://github.com/wick2o/gitDigger

44. Google dorks
● ".git" intitle:"index of"
● ".svn" intitle:"index of"
● "CVS" intitle:"index of"
● ".hg" intitle:"index of"
● ".bzr" intitle:"index of"
● … (I guess you got the idea already)...

45. Searching for standard interfaces
● Interfaces
  – Redmine
  – ViewCS
  – ViewCVS
  – Gitweb
  – ...
● Google Dorks
  – "Powered by ViewCS"
● Bing as well...

46. Recommendations for developers
● Do not store passwords and API keys in SCM
● Config.php vs config.php-dist
● Do not store sensitive info in SCM
● Separate test and production data
● Being paranoid is a good feeling

47. Recommendations for system administrators
● Proactively forbid serving all SCM files on web servers
● Periodically check for the standard directories of SCMs, i.e.:
    find /web -name .svn
    find /web -name .git
    wget http://www.site.com/svn/
● Is there any need to have source code available at all?

48. Recommendations for management and auditors
● Ask how source code management is done
● Ask what security controls are there to protect source code
● What controls are there to prevent source code leaks?
● What controls are there to prevent password and key leaks?
● What controls are there to protect sensitive information in source code and configurations?

49. References
● https://github.com/evilpacket/DVCS-Pillage
● https://github.com/kost/DVCS-Pillage
● https://github.com/kost/dvcs-ripper
● https://github.com/anantshri/svn-extractor
● http://blog.anantshri.info/svn-extractor-for-web-pentesters/
● http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive
● http://www.cirt.net/svnpristine
● http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/
● http://nmap.org/nsedoc/scripts/cvs-brute-repository.html
● http://nmap.org/nsedoc/scripts/cvs-brute.html
● http://nmap.org/nsedoc/scripts/http-git.html

50. Questions? Comments? Feedback?
@k0st
This is zero
Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...