Secure Coding Tip Using Git
Author: Lucas Davis, Red Team Senior Analyst at Cipher
Developers use special tools to track the versions of code and then publish the code to production. Git is a popular program for accomplishing this. According to its website, "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency." Related services include BitBucket, SourceForge and GitHub. GitHub allows Git repositories to be accessed in the cloud and adds other benefits on top.
Git has vulnerabilities if the person controlling its use and deployment is not careful about security and access controls. The danger arises when the .git directory is published along with the code. That directory holds the repository's entire history and can give a threat actor access to sensitive information.
We can use an example to illustrate this situation with www.sistemavuln.com. If we can access www.sistemavuln.com/.git and view the contents of the directory, there is a problem. Inside this directory are the pack files (the files with the .pack extension).
In many cases, developers block the listing of the .git directory but forget to block the reading of the files within it. This attempt at security does not stop an attacker with the necessary knowledge. The pack files reachable here are the important thing to look at.
Within the file pack-bda1031d16bb0336bfc8b3f9f861a41176b99cbf.pack there is the source code of the application along with the other repository objects. After accessing the source code, we can work to find sensitive information. First, let's create a directory and download the .pack file.
mkdir /tmp/sistemavuln; cd $_
wget http://sistemavuln.com/.git/objects/pack/pack-bda1031d16bb0336bfc8b3f9f861a41176b99cbf.pack
With the directory created, let's initialise an empty Git repository and then unpack the pack file into it.
git init
cat pack-bda1031d16bb0336bfc8b3f9f861a41176b99cbf.pack | git unpack-objects
Note that several new directories were created under .git/objects and the unpacked objects are within them. These files hold the application's source code.
Finally, let's read one of the generated files using the command:
printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" | cat - .git/objects/dd/ea5e29f321ebf569b15f9ef2ca3b43b97b560e | gzip -cd -q | strings -a
Here we were able to recover the source code of a file that contains credentials for a MySQL database. Now we can see how everything really happens under the hood and have a clearer view of the risks that a single exposed directory can bring. Automated tools already exist that perform this and other techniques against exposed Git repositories.
The important lesson to learn in this case is to make sure your Git information is not accessible in the production environment. Cipher can work with your company to ensure secure coding practices are in place.
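As a deploy-time check for your own site, here is an added example (not part of the original post and not Cipher's tooling) that requests /.git/HEAD and classifies the response; the function names, the default base URL and the sample responses are assumptions constructed for this example.

```python
"""Check whether a deployed site serves its .git directory over HTTP.

/.git/HEAD exists in every repository and is tiny, so it is the cheapest
file to probe. Blocking the directory listing alone is not enough: a 403
on /.git/ together with a 200 on /.git/HEAD is still an exposure, which is
exactly the half-fix described in the post.
"""
import re
import sys
import urllib.error
import urllib.request

# Git writes HEAD as "ref: refs/heads/<branch>\n" or as a bare 40-hex object id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")


def classify(status: int, body: str) -> str:
    """Return 'exposed', 'blocked' or 'absent' for one /.git/HEAD response."""
    if status in (401, 403):
        return "blocked"
    if status == 200 and HEAD_RE.match(body.strip()):
        return "exposed"
    # 404s, and 200s that return an HTML error page or SPA shell, are not exposures.
    return "absent"


def fetch(url: str, timeout: float = 5.0) -> tuple:
    """GET url; HTTP error responses come back as (status, body) instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def check_site(base_url: str) -> str:
    """Probe <base_url>/.git/HEAD and return the classification."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return classify(status, body)


if __name__ == "__main__":
    # Assumed default target; pass the real staging or production URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    verdict = check_site(target)
    print(f"{target}: .git/HEAD is {verdict}")
    sys.exit(1 if verdict == "exposed" else 0)
```

A non-zero exit on "exposed" lets the check fail a deployment pipeline; the fix is to keep the .git directory out of the web root or deny every path under it in the web server configuration.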