Monday, March 23, 2015

DevOoops: Revision Control (git)


Exposed git resources is probably the most gruesome low2pwned issues out there right now.

Leaving this exposed allows an attacker to potentially download the full source of the site along with any other files that are in the git repository.

Ron's blog post on skullsecurity (see Resources) was my first exposure to the subject. I actually blogged about it back in 2012: http://carnal0wnage.attackresearch.com/2012/10/git-you-some-with-dvcs-pillage.html

There are basically two attack paths; if directory listings are on and if they are off.

I've actually talked about the fun things you can find when directory listings are on here:
http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-4-browsable.html

sidenote--> yikes that was almost 3 years ago

If directory listings are on you can simply wget the .git subdirectories, issue a git command and recreate the entire site.

$ mkdir git-test 
$ cd git-test 
$ wget --mirror --include-directories=/.git http://www. example.com/.git 

Then
$ cd www.example.com 
$ git reset --hard HEAD is now at [...] 

You now have the source of the site.

In case you were wondering how common this is:



If directory indexing is not enabled, you can still check for the presence of the .git folder and you'll have to essentially brute force what you need using git fsck.  DVCS-Pillage and DVCSRipper do this for you.

I do this by looking for files like .git/config.

Decent admins will give you 404 or 403 for .git/ but will return the contents of .git/config.

You can then run DVCS-Pillage/dvcs-ripper to pull down the files.

One thing that will sometimes happen is that you can download parts of the git repo but the tools mentioned above will fail to get the whole thing.  you can just 

git cat-file -p sha1hash

To see the contents of that particular piece.  An example from:




Even if its failing to grab everything you might catch a break if are getting "some" of the site.


Resources
https://blog.skullsecurity.org/2012/using-git-clone-to-get-pwn3d
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/dvcs-ripper



Fixes (quick Google searches, didnt test)

Apache


or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /


nginx

location ~ /.git/ {
  deny all;
}

.htaccess
Put in root of the webserver

RedirectMatch 404 (?i)\.git

IIS
Couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)


CG

No comments: