RE: Pen testing a CVS server

From: Lluis Mora (llmora_at_sentryware.com)
Date: 05/20/03

    To: "Alexandre Carmel-Veilleux" <saruman@northernhacking.org>, "Bugsy" <bugsy9999@yahoo.com>
    Date: Tue, 20 May 2003 21:03:23 +0200
    
    

    Hi Alexandre, Bugsy:

    The following applies to (at least) cvs 1.10. Have not tried it on
    newer/older releases.

    You can tell whether the CVS setup is using system passwords or a separate
    CVS password file. If the response is:

        "no such user xxxx in CVSROOT/passwd"

    then it is using a separate cvs password file. But if the "cvs login"
    response is:

        "xxxx: no such user"

    then it is using system passwords, e.g. /etc/passwd (or NIS, or LDAP or ...)

    So, in your case, Bugsy, it seems the pentested server is using system
    passwords and you could try a bruteforce attack for user account passwords.
    You can restrict system passwords usage by setting the option "SystemAuth"
    to "no" in your CVSROOT/config file.

    Cheers,

    Lluis

    -----Original Message-----
    From: Alexandre Carmel-Veilleux [mailto:saruman@northernhacking.org]
    Sent: Sunday, May 18, 2003 21:20
    To: Bugsy
    CC: pen-test@securityfocus.com
    Subject: Re: Pen testing a CVS server

    On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
    >
    > Checking passwords
    > cvs -d :pserver:root@host.domain.com:/wrong/cvs/root login
    > Tells me if I got the root password right or not.

            Hmm, I've never been in any environment where CVS didn't have its
    own, separate, password and group files. So this should not yield actual
    user passwords. Assuming the password is different than the system one.

            I agree that the error messages should be terser in order to leak
    less information, possibly with an n seconds timeout after an error.

    Alex
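
The `SystemAuth` restriction mentioned in the reply above can be checked across repositories with a short script. This is an added example, not part of the original thread; it assumes that a missing `SystemAuth` key means the CVS default of `yes`, that the last `SystemAuth=` line in the file wins, and that only an exact `SystemAuth=no` counts as disabled.

```shell
#!/bin/sh
# Added example: report whether a CVS repository still lets pserver fall back
# to system accounts (/etc/passwd, NIS, LDAP, ...).
# Usage: ./check_systemauth.sh /path/to/repository [...]
# Assumptions: a missing key means the default ("yes") applies, the last
# SystemAuth= line wins, and only an exact "SystemAuth=no" counts as disabled.

systemauth_status() {
    config="$1/CVSROOT/config"
    if [ ! -r "$config" ]; then
        echo "unreadable"
        return 0
    fi
    # The anchored pattern skips commented-out lines such as '#SystemAuth=no'.
    # tr strips carriage returns in case the file was edited on Windows.
    line=$(tr -d '\r' < "$config" | grep '^SystemAuth=' | tail -n 1)
    if [ -z "$line" ]; then
        echo "enabled-default"
        return 0
    fi
    case "${line#SystemAuth=}" in
        no)  echo "disabled" ;;
        yes) echo "enabled-explicit" ;;
        *)   echo "unrecognized-value" ;;
    esac
}

# Check every repository named on the command line; flag any that is not
# explicitly restricted to CVSROOT/passwd.
rc=0
for root in "$@"; do
    st=$(systemauth_status "$root")
    printf '%s: SystemAuth %s\n' "$root" "$st"
    [ "$st" = "disabled" ] || rc=1
done
[ "$rc" -eq 0 ] || exit 1
```
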
