RE: Pen testing a CVS server

From: Royans Tharakan (RTharakan_at_ingenuity.com)
Date: 05/20/03

  • Next message: Alfred Huger: "New articles available on SecurityFocus" 
    Date: Mon, 19 May 2003 17:13:02 -0700
To: "Bugsy" <bugsy9999@yahoo.com>, <pen-test@securityfocus.com>

    If users are using pserver mechanism, CVS password is usually kept in using
    an insecure reverseble-encryption algo. This password can be retrived if
    you can get a copy of .cvspass file from any of the users.

    Usually in NFS environment, I've noticed that its easy to get to this info.
    But if you are using WinCVS you can probably retrieve it from the desktop too.

    I'd also try to enumerate userlist by other mechanims first. NIS/NISPLUS and
    ldap if used would be very easy to enumerate depending on how its setup.

    rkt

    -----Original Message-----
    From: Bugsy [mailto:bugsy9999@yahoo.com]
    Sent: Sunday, May 18, 2003 7:17 AM
    To: pen-test@securityfocus.com
    Subject: Pen testing a CVS server

    Hi,

    Im pentesting a server, which is running CVSpserver. I
    have gone through the CVS documentation and read other
    posts on securityfocus mailing lists. I am listing
    below what I have done so far, and would like to know
    if there is anything else that can be done with this.

    First, trying to login to the pserver with the
    command:

    cvs -d :pserver:root@host.domain.com:/wrong/cvs/root
    login
    yields the information, of whether the repository is
    correct or not. Enumerating this, I have found the
    correct repository.

    Enumerating usernames:
    cvs -d :pserver:luser@host.domain.com:/wrong/cvs/root
    login
    Tells me whether luser exists on the server or not. I
    get luser: no such user if its a non-existent
    username.

    Checking passwords
    cvs -d :pserver:root@host.domain.com:/wrong/cvs/root
    login
    Tells me if i got the root password right or not.

    Is there anything else that can be done. More
    specifically, is there some way to find out the
    version of the CVS server, without being able to
    login.

    Also, now that CVS server is that popular, shouldn't
    they build in basic security measures such as giving
    the same failure message whether the username,
    password or repository is wrong?

    -Bugsy

    __________________________________
    Do you Yahoo!?
    The New Yahoo! Search - Faster. Easier. Bingo.
    http://search.yahoo.com

    ---------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-pen-test
    ----------------------------------------------------------------------------

    ----+----
    This email message (and any attached document) contains information from Ingenuity Systems Inc. which may be considered confidential by Ingenuity, or which may be privileged or otherwise exempt from disclosure under law, and is for the sole use of the individual or entity to whom it is addressed. Any other dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, please notify me and destroy the attached message (and all attached documents) immediately.

    ---------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-pen-test
    ----------------------------------------------------------------------------

  • Next message: Alfred Huger: "New articles available on SecurityFocus"

    Relevant Pages

    • CVS question..
      ... When CVS does not shows a login id or passwd for him. ... Any views expressed in this message are those of the individual sender, ...
      (SunManagers)
    • controlling cvs from php
      ... php script utilizing the 'cvs' command. ... my testing I've been unable to do it with either command. ... an error saying "used empty password; try 'cvs login' with a real ...
      (php.general)
    • Re: CVS access via PERL
      ... > I would like to access a CVS Server which provides pserverv access. ... You run the cvs login only once for each server ... if you run cvs via rsh or ssh ...
      (comp.lang.perl.misc)
    • Re: Remote access to my machine
      ... I will use CVS as the repository, ... > connectivity/security problem. ... I want the user to login on my machine ...
      (comp.os.linux.security)
    • RE: Pen testing a CVS server
      ... The following applies to cvs 1.10. ... You can tell wether the CVS setup is using system passwords or a separate ... then it is using a separate cvs password file. ... implement and enforce WLAN security policies to lockdown enterprise WLANs. ...
      (Pen-Test)