Leaving this exposed allows an attacker to potentially download the full source of the site along with any other files that are in the git repository.
Ron's blog post on skullsecurity (see Resources) was my first exposure to the subject. I actually blogged about it back in 2012: http://carnal0wnage.attackresearch.com/2012/10/git-you-some-with-dvcs-pillage.html
There are basically two attack paths, depending on whether directory listings are on or off.
I've actually talked about the fun things you can find when directory listings are on here:
http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-4-browsable.html
sidenote--> yikes that was almost 3 years ago
If directory listings are on, you can simply wget the .git subdirectories, issue a git command and recreate the entire site.
$ mkdir git-test
$ cd git-test
$ wget --mirror --include-directories=/.git http://www.example.com/.git
Then
$ cd www.example.com
$ git reset --hard
HEAD is now at [...]
You now have the source of the site.
In case you were wondering how common this is:
If directory indexing is not enabled, you can still check for the presence of the .git folder and you'll have to essentially brute force what you need using git fsck. DVCS-Pillage and DVCSRipper do this for you.
I do this by looking for files like .git/config.
Decent admins will give you 404 or 403 for .git/ but will return the contents of .git/config.
You can then run DVCS-Pillage/dvcs-ripper to pull down the files.
One thing that will sometimes happen is that you can download parts of the git repo but the tools mentioned above will fail to get the whole thing. If so, you can just run
$ git cat-file -p <sha1-hash>
to see the contents of that particular object. An example from:
Even if it's failing to grab everything, you might catch a break if you are getting "some" of the site.
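The probes described above (a wget mirror of /.git/, a request for .git/config, then object fetches) leave a characteristic trail in the web server's access log. As an added example, not code from the original post or from either tool mentioned, this Python script flags requests to VCS metadata directories in constructed combined-format log lines and separates the ones the server actually served (a 2xx, i.e. a real disclosure) from the ones it blocked:

```python
import re
from collections import Counter

# Constructed sample access log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Wget/1.16"
203.0.113.5 - - [10/Mar/2015:12:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Wget/1.16"
198.51.100.7 - - [10/Mar/2015:12:01:00 +0000] "GET /.svn/entries HTTP/1.1" 403 199 "-" "curl/7.40"
203.0.113.5 - - [10/Mar/2015:12:00:04 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 200 1200 "-" "Wget/1.16"
"""

# Minimal combined-log parser: source IP, method, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Any path component that is a VCS metadata directory (.git, .svn, .hg, .bzr, .cvs).
VCS_DIR_RE = re.compile(r'(^|/)\.(git|svn|hg|bzr|cvs)(/|$)', re.IGNORECASE)


def find_vcs_probes(log_text):
    """Return (ip, path, status) for every request that touches a VCS metadata directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group('path').split('?', 1)[0]  # ignore the query string
        if VCS_DIR_RE.search(path):
            hits.append((m.group('ip'), path, int(m.group('status'))))
    return hits


def summarize(hits):
    """Per-source counts: requests the server served (2xx, a disclosure) vs ones it blocked."""
    served = Counter(ip for ip, _, st in hits if 200 <= st < 300)
    blocked = Counter(ip for ip, _, st in hits if not 200 <= st < 300)
    return served, blocked


if __name__ == "__main__":
    served, blocked = summarize(find_vcs_probes(SAMPLE_LOG))
    for ip, n in served.items():
        print(f"DISCLOSURE: {ip} was served {n} VCS metadata file(s)")
    for ip, n in blocked.items():
        print(f"blocked probe: {ip} ({n} request(s))")
```

A source that appears under "served" means the fix below is missing or not matching; one that only appears under "blocked" confirms the deny rule is doing its job.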
Resources
https://blog.skullsecurity.org/2012/using-git-clone-to-get-pwn3d
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/dvcs-ripper
Fixes (quick Google searches, didn't test)
Apache
or
RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /
nginx
location ~ /\.git/ {
    deny all;
}
.htaccess
Put it in the root of the webserver
RedirectMatch 404 (?i)\.git
IIS
A couple of answers here, although none is marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis
also http://www.petefreitag.com/item/823.cfm (Great site BTW)