Wonderful World of (Distributed) SCM or VCS


Upload: vlatko-kosturjak

Post on 16-Apr-2017


TRANSCRIPT

#BalCCon

Wonderful World of Distributed SCM: Opening closed source code

https://twitter.com/k0st

Vlatko Kosturjak

Agenda

Not covered: Philosophical issues

Finding code

Old school SCM

New school SCM

How to get the source when it's not open source

Questions and Answers

75 minutes

Disclaimer

This is a work of pure fiction

Any resemblance to anyone, living or dead is purely coincidental

The characters are fictional and of my own creation

The place, time and incidents are purely fictional

I don't take any responsibility for your actions; consider the ethical and legal issues of your actions yourself!

Look closer - I'm also virtual! :)

That source control management is really really great...

Versioning

Blame

Undo

Collaboration

Code review

Sign off

Integration

...

But...

...Have you thought about security implications?

First rule

If sensitive: Don't put source code on the internet

Don't put SCM files on the internet

Don't put sensitive parts in web root

Don't...

Don't...

Don't...

Search for specific phrase, file, function or class

Just google for it! ;)

Internet does not forget! ;)

Instructions: Strings

Google above

@alexsotirov on 4th of Jul 2010: It's amazing what you can find on random Chinese sites if you start googling internal strings from closed-source applications

How about configs in repos?

Software.conf vs Software.conf-dist

Software.conf: More dangerous

Danger of accidentally committing sensitive info

Software.conf-dist: Less dangerous

Still watch out for wildcards (*)

Search?

Functions: odbc_connect

mysql_connect

Search engines: Google

GitHub

...

Old School versioning systems

RCS

CVS

Subversion (SVN)

...

CVS

Concurrent Versions System

CVS/: Entries

Entries.Log

Repository

Root

Finding repository source: Profit if it is Internet accessible

What can be extracted?

Artifacts: Repository location

Name of hidden files (if present in repository)

Repository user

Just enough for password guessing if online

DVCS-ripper

Example: rip-cvs.pl -v -u http://www.example.com

Nmap: nmap --script=cvs-brute www.example.com

Profit!

Protection

Make it open source ;)

Remove SCM files if not needed

Web server configuration

Web deployment automation controls

...

SVN

Subversion

.svn/: prop-base

props

text-base

tmp

entries

Finding repository source: Profit if it is Internet accessible

Sensitive files

Extraction of whole tree possible

.svn/entries content

dir/

0

svn://myprivatecode.com//repo/myweb

svn://myprivatecode.com//repo/myweb

user

SVN client 1.6+

No more .svn directories all around: Single .svn (just like git!)

Different format: Incompatible, of course ;)

Different files: wc.db SQLite database

SVN client 1.6+ extraction

Much easier

Much faster

Much more robust: No more problems extracting interpreted files (like PHP)

Thank you SVN developers! ;)

Protection

Make it open source ;)

Remove SCM files if not needed

Web server configuration

Web deployment automation controls

...

Apache (main configuration file)

403 Forbidden (Move along, nothing to see):

Order allow,deny
Deny from all

404 Not found (Pick somewhere else):

AliasMatch \.svn /non-existant-page

Apache (.htaccess)

Using mod_rewrite:

RewriteEngine On
RewriteRule /\.svn /non-existant-404-page

IndexIgnore .svn

New School (distributed) source code management systems

Git

Mercurial

Bazaar

...

Git!?

Google Dorks

Want source?

Get the repo:

mkdir git-test
cd git-test
wget --mirror --include-directories=/.git http://www.target.com/.git

Get files:

cd www.target.com
git reset --hard

Profit!

http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d

Problem

Directory browsing disabled

Git: many ways...

Find archive of SCM

Bruteforce SHA1: Bandwidth

Time

Partial SHA1 visible: different files

There must be the way...

Zombie mode on

I MUST GET THE SOURCE (repeated across the slide)

DVCS-Pillage

It will rip the .git files when directory browsing is disabled. By Adam Baldwin

Accessible from URL: https://github.com/evilpacket/DVCS-Pillage

Has a few problems... Hmm...

Problems...

Current methods: Not a complete tree download method

Packed refs

git ls-files stage method

No support for branches

No support for other than http

Slooow...

Hmmm... Want whole tree / files

Branches

Support old protocols

Bruteforcing not feasible

Zombie mode on

I MUST GET THE FULL SOURCE (repeated across the slide)...

Back to the drawing board!

RTFM

Solution is...

RTFM: git fsck will tell which SHA1s are missing

No partial recovery

Time to code my own tool: Want whole tree

Branches

Support all protocols

FAST!!

DVCS-rip

It will rip the .git files when directory browsing disabled

It will rip ALL files and check out the repository for you (not partial)

git fsck trick

Support for: Branches

Any protocol (http/https/...)

Accessible from URL: https://github.com/kost/dvcs-ripper

DVCS-rip

How to run?

Example run: rip-git.pl -v -u http://www.example.com/.git/

It will automatically do "git checkout -f"

Profit!

Protection

Make it open source ;)

Remove SCM files if not needed

Web server configuration

Web deployment automation controls

...

Apache (main configuration file)

403 Forbidden (Move along, nothing to see):

Order allow,deny
Deny from all

404 Not found (Pick somewhere else):

AliasMatch \.git /non-existant-page

Apache (.htaccess)

Using mod_rewrite:

RewriteEngine On
RewriteRule /\.git /non-existant-404-page

IndexIgnore .git
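The Apache slides above (the .svn variant earlier and the .git variant here) use the 2.2-era Order/Deny syntax and cover one SCM each. As an added example that is not from the talk, here is the same pair of strategies in Apache 2.4 syntax, widened to every SCM directory the talk names (.git, .svn, .hg, .bzr, CVS); the pattern and the choice of LocationMatch/RedirectMatch are this editor's, not the speaker's.

```apache
# Added example (not from the talk): Apache 2.4 equivalents of the slides'
# 403 and 404 strategies for SCM metadata directories. Either one alone is
# enough; the 404 variant has the advantage of not confirming that the
# directory exists (a 403 on /.git/ is itself a hint, as the talk notes).

# Strategy A: 403 Forbidden. LocationMatch tests the decoded request URI, so
# it also covers a ".git" that is a plain file (worktrees and submodules).
<LocationMatch "/(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)">
    Require all denied
</LocationMatch>

# Strategy B: 404 Not Found for the same pattern, via mod_alias.
RedirectMatch 404 "/(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)"

# Either way, keep them out of autoindex listings (the slides' IndexIgnore).
IndexIgnore .git .svn .hg .bzr CVS
```

Serving the files from a deployment directory that never contains the metadata (the talk's "web deployment automation controls") is still the stronger fix; the rules above are the safety net.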

How about others?

Mercurial

Bazaar

Check out DVCS-Pillage: It will handle git, hg and bzr

Accessible from URL: https://github.com/evilpacket/DVCS-Pillage

No tool available to detect

Most web/network scanners will not find this: No awareness

Tools look only at this: .git/ => 403

They should actually look at: .git/logs/HEAD => 200

.git/config => 200

.git/index => 200

...
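The slide above makes the defender's point as well: a 403 on .git/ tells you nothing about whether .git/config or .git/logs/HEAD are being served. As an added example that is not from the talk, this Python scan of web server access logs flags every client that probed an SCM metadata directory and separates probes that were blocked from those the server answered with 200. The combined-log regex and the sample log lines are this editor's constructions, not real traffic.

```python
import re
from collections import defaultdict

# Any path component that is an SCM metadata directory counts as a probe;
# the talk lists .git, .svn, CVS, .hg and .bzr.
SCM_PATH_RE = re.compile(r"(?:^|/)(?:\.git|\.svn|\.hg|\.bzr|CVS)(?:/|$|\?)")
# Apache/nginx "combined" access log format (assumed; adjust for your server)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)

def scm_probes(log_lines):
    """Per client IP: number of SCM probes and the paths answered with 200.

    A 200 means the file was actually served, i.e. the tree is rippable with
    the tools the talk describes; a 403/404 probe was blocked but is still
    worth alerting on, because it shows someone is looking.
    """
    report = defaultdict(lambda: {"hits": 0, "exposed": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not SCM_PATH_RE.search(m.group("path")):
            continue
        entry = report[m.group("ip")]
        entry["hits"] += 1
        if m.group("status") == "200":
            entry["exposed"].append(m.group("path"))
    return dict(report)

# Constructed sample log lines (not real traffic; RFC 5737 documentation IPs)
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2017:10:00:01 +0200] "GET /.git/ HTTP/1.1" 403 199 "-" "curl/7.0"
203.0.113.7 - - [16/Apr/2017:10:00:02 +0200] "GET /.git/logs/HEAD HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.7 - - [16/Apr/2017:10:00:03 +0200] "GET /.git/config HTTP/1.1" 200 170 "-" "curl/7.0"
198.51.100.9 - - [16/Apr/2017:10:05:00 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Apr/2017:10:05:01 +0200] "GET /.svn/entries HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in scm_probes(SAMPLE_LOG.splitlines()).items():
        state = "EXPOSED" if info["exposed"] else "blocked"
        print(f"{ip}: {info['hits']} probe(s), {state} {info['exposed']}")
```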

Nmap NSE comes to rescue

Have to use the latest Nmap version: Script is not in 6.01

It was broken in some previous Nmap versions

It looks at all relevant git files: .git/logs/HEAD

.git/config

...

nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git

PORT   STATE SERVICE
80/tcp open  http
| http-git:
|   Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)

Evolving

Good example of open source collaboration between projects

WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas)

https://github.com/wick2o/gitDigger

Google dorks

.git intitle:index of

.svn intitle:index of

CVS intitle:index of

.hg intitle:index of

.bzr intitle:index of

(I guess you got the idea already)...

Searching for standard interfaces

Interfaces: Redmine

ViewCS

ViewCVS

Gitweb

...

Google Dorks: "Powered by ViewCS"

Bing as well...

Recommendations for developers

Do not store passwords and API keys in SCM: config.php vs config.php-dist

Do not store sensitive info on SCM

Separate test and production data

Being paranoid is a good feeling

Recommendations for system administrators

Proactively forbid serving all SCM files on web servers

Periodic check for standard directories of SCMs, e.g.:

find /web -name .svn

find /web -name .git

wget http://www.site.com/svn/

Is there any need to have source code available at all?
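The periodic check above is two find commands; as an added example that is not from the talk, this Python script does the same sweep for every SCM the talk covers and, for each .git it finds, reports what the talk says an exposed repository leaks (repository location and user) by reading the remote URLs from .git/config with any embedded password masked. The tiny config parser and the constructed sample tree are this editor's; the sample credentials are made up.

```python
import os
import re
import tempfile

# SCM metadata directories the talk covers: CVS, SVN, Git, Mercurial, Bazaar
SCM_DIRS = {".git", ".svn", ".hg", ".bzr", "CVS"}
# Remote URL with embedded credentials, e.g. https://user:pass@host/repo.git
CRED_URL_RE = re.compile(r"^(?P<scheme>\w+://)(?P<user>[^:@/]+):[^@/]+@(?P<rest>.*)$")
SECTION_RE = re.compile(r'^\s*\[(\S+?)(?:\s+"([^"]*)")?\]')  # [remote "origin"]
KEYVAL_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")       # url = ...

def find_scm_dirs(webroot):
    """Every SCM metadata directory under webroot (the talk's find /web -name .svn)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(webroot):
        hits += [os.path.join(dirpath, d) for d in dirnames if d in SCM_DIRS]
        dirnames[:] = [d for d in dirnames if d not in SCM_DIRS]  # don't descend
    return sorted(hits)

def leaked_remotes(git_dir):
    """(remote name, URL with password masked, had_credentials) from .git/config."""
    remotes, section = [], (None, None)
    with open(os.path.join(git_dir, "config")) as fh:
        for line in fh:
            sec = SECTION_RE.match(line)
            if sec:
                section = sec.groups()
                continue
            kv = KEYVAL_RE.match(line)
            if section[0] == "remote" and kv and kv.group(1) == "url":
                m = CRED_URL_RE.match(kv.group(2))
                url = f"{m['scheme']}{m['user']}:***@{m['rest']}" if m else kv.group(2)
                remotes.append((section[1], url, m is not None))
    return remotes

def build_sample_webroot():
    """Constructed sample tree (not real data) so the check runs stand-alone."""
    root = tempfile.mkdtemp(prefix="scm-check-")
    for sub in (".git", "app/.svn", "CVS"):
        os.makedirs(os.path.join(root, "site", sub))
    with open(os.path.join(root, "site", ".git", "config"), "w") as fh:
        fh.write('[core]\n\tbare = false\n[remote "origin"]\n'
                 "\turl = https://alice:s3cret@git.example.com/repo.git\n")
    return root

if __name__ == "__main__":
    for d in find_scm_dirs(build_sample_webroot()):
        print(d, leaked_remotes(d) if d.endswith(".git") else "")
```

Pointed at a real document root instead of the sample tree, a non-empty result is a cron or CI failure; a remote with had_credentials set means the password is already in the deployed tree and needs rotating, whether or not the web server serves it.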

Recommendations for management and auditors

Ask how source code management is done

Ask what security controls are there to protect source code:

What controls are there to protect against source code leaks?

What controls are there to protect against password and key leaks?

What controls are there to protect sensitive information in source code and configurations?

References

https://github.com/evilpacket/DVCS-Pillage

https://github.com/kost/DVCS-Pillage

https://github.com/kost/dvcs-ripper

https://github.com/anantshri/svn-extractor

http://blog.anantshri.info/svn-extractor-for-web-pentesters/

http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive

http://www.cirt.net/svnpristine

http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/

http://nmap.org/nsedoc/scripts/cvs-brute-repository.html

http://nmap.org/nsedoc/scripts/cvs-brute.html

http://nmap.org/nsedoc/scripts/http-git.html

Questions? Comments? Feedback?

@k0st

This is zero

Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...