RE: Pen testing a CVS server

From: Lluis Mora (llmora@sentryware.com)
Date: Tue May 20 2003 - 15:03:23 EDT

• Next message: Pete Jacob: "Cain a& Abel Question"
• Previous message: Alfred Huger: "Administrivia - Do not read"
• In reply to: Alexandre Carmel-Veilleux: "Re: Pen testing a CVS server"
• Next in thread: Royans Tharakan: "RE: Pen testing a CVS server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Alexandre, Bugsy:

The following applies to (at least) cvs 1.10. Have not tried it on
newer/older releases.

You can tell wether the CVS setup is using system passwords or a separate
CVS password file. If the response is:

    "no such user xxxx in CVSROOT/passwd"

then it is using a separate cvs password file. But if the "cvs login"
response is:

    "xxxx: no such user"

then it is using system passwords, e.g. /etc/passwd (or NIS, or LDAP or ...)

So, in your case Bugsy it seems the pentested server is using system
passwords and you could try a bruteforce attack for user accounts password.
You can restrict system passwords usage by setting the option "SystemAuth"
to "no" in your CVSROOT/config file.

Cheers,

Lluis
.

-----Mensaje original-----
De: Alexandre Carmel-Veilleux [mailto:saruman@northernhacking.org]
Enviado el: domingo, 18 de mayo de 2003 21:20
Para: Bugsy
CC: pen-test@securityfocus.com
Asunto: Re: Pen testing a CVS server

On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
>
> Checking passwords
> cvs -d :pserver:root@host.domain.com:/wrong/cvs/root
> login
> Tells me if i got the root password right or not.

        Hmm, I've never been in any environement where CVS didn't have it's
own, separate, password and group files. So this should not yield an actual
user passwords. Assuming the password is different then the system one.

        I agree that the error messages should be terser in order to leak
less information, possibly with an n seconds timeout after an error.

Alex

---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
----------------------------------------------------------------------------

• Next message: Pete Jacob: "Cain a& Abel Question"
• Previous message: Alfred Huger: "Administrivia - Do not read"
• In reply to: Alexandre Carmel-Veilleux: "Re: Pen testing a CVS server"
• Next in thread: Royans Tharakan: "RE: Pen testing a CVS server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT