Abusing Misconfigured .git Folders

Git Repo Vulnerabilities

Git is an extremely popular version control system used by millions of developers worldwide. It allows for fast and seamless collaboration between teams and massively reduces the time needed to release products and updates. Git also has the added benefit of allowing teams to be spread out and work remotely. As with many tools, if it is not properly configured, malicious actors can abuse Git to gain access to extremely sensitive data.

Misconfigured .git Folders

A Git directory will contain all the relevant information and source code for a given application. This allows an application to be nicely laid out in a directory structure that many developers will be extremely familiar with. These folders will contain the source code of an application, configuration files, documentation, and a history of changes made to the repository. This functionality makes it easy to track and approve changes to the code base and ensure nothing is overlooked.

The problem arises when Git directories, or .git folders, are not properly configured. By default, these folders are restricted from outside access, preventing unauthorized users from viewing the contents. Unfortunately, these folders are commonly misconfigured and exposed to the open internet. This can happen in a few different ways, the most severe being that attackers can simply list the directories online and clone the entire repository for offline analysis.

Case Study

Often, it is not as simple as just listing the directory. If directory listing is disabled, it is harder to copy the repository, as it cannot be cloned as in other cases. During an External Penetration Test, Blue Goat identified a website with an exposed .gitconfig file. This file holds some base-level rules for how the repository operates. Since our team could view this file, the next step was to try to list the contents of the .git directory, though this was not possible.

In cases like this, the next step is to brute force the directory. By trying common file names and looking for references in those files, it may be possible to build a list of files in the directory. This list is not always complete, though it will typically return a large portion of the source code and, often more importantly, the changelog. This can be analyzed offline and will typically reveal how the server runs, which can be used to craft more targeted attacks against the network.

Hard-coded credentials are another extremely dangerous problem: if they are used, they can be stripped out of the recovered files and abused elsewhere, as was the case here. The team at Blue Goat found multiple configuration files containing such hard-coded credentials. This can provide attackers immediate access to extremely sensitive data, as these credentials include email logins, database credentials, secret keys, and more.

Identifying a vulnerability such as this is always of immediate concern, as anything exposed to the good guys is also exposed to the bad guys. We immediately notified the client of the problem and began workshopping solutions and ways to assess any possible damage done by this vulnerability. Reacting fast to major problems can spare organizations massive amounts of data loss and save them money.

Preventing .git Folder Leakage

As long as .git folders are properly configured with appropriate access control, they provide massive value to development teams. Version control repositories should always be kept under strict control. If exposure is not necessary, it can be a best practice not to leave them on the internet at all. If they have to be public-facing, they should have all access denied to prevent unauthorized actors from being able to gain access to source code.

Careful review of public-facing infrastructure should be done regularly to prevent accidental data leakage. Especially in larger organizations, it can be easy to let small things slip through the cracks and go unnoticed. These can have disastrous consequences down the line and should be prevented in the first place rather than identified when it is already too late. These vulnerabilities are, unfortunately, very quickly found by attackers, so having sensitive information disclosed at any time is a major risk.
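
One way to make that regular review repeatable is to audit a web document root on disk for Git metadata before it is published. This is an added example, not code from the original article or from Blue Goat; the function names, the sample tree and the .git-credentials entry are assumptions made for the illustration.

```python
import os
import tempfile

GIT_DIR = ".git"
# .gitconfig is the file from the case study; .git-credentials is added here
# as an assumption (Git's plain-text credential store file).
GIT_FILES = {".gitconfig", ".git-credentials"}


def audit_webroot(webroot):
    """Return sorted (relative_path, reason) findings for Git metadata under webroot."""
    findings = []
    for current, dirs, files in os.walk(webroot):
        rel = os.path.relpath(current, webroot)
        if GIT_DIR in dirs:
            path = os.path.normpath(os.path.join(rel, GIT_DIR))
            findings.append((path, "repository directory: source and history would be served"))
            dirs.remove(GIT_DIR)  # prune: one finding per repository, skip the object store
        for name in files:
            path = os.path.normpath(os.path.join(rel, name))
            if name == GIT_DIR:
                # In worktrees and submodules, .git is a file that points at the real repository.
                findings.append((path, "gitdir pointer file: reveals repository location"))
            elif name in GIT_FILES:
                findings.append((path, "git configuration file"))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample: a site deployed by copying a whole working tree."""
    os.makedirs(os.path.join(root, ".git", "objects"))
    os.makedirs(os.path.join(root, "blog", "theme"))
    for rel in (".git/HEAD", ".git/config", "index.html",
                "blog/.gitconfig", "blog/theme/.git"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for path, reason in audit_webroot(tmp):
            print(f"{path}: {reason}")
```

Run as a deployment gate, a non-empty result means the release should be blocked until the listed paths are removed from the document root or denied at the web server.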

Meet Your Security Goals With Blue Goat Cyber

The team at Blue Goat has years of experience in identifying and exploiting vulnerabilities. We can leverage our expertise to work with you and find the proper solutions to secure your organization. Contact us to schedule a consultation.
