lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <410546D4.6030103@yk.rim.or.jp>
Date: Tue, 27 Jul 2004 03:00:52 +0900
From: Chiaki <ishikawa@...rim.or.jp>
To: bugtraq@...urityfocus.com
Subject: CVS woes: .cvspass


The file revision control system, CVS,
stores often used server's password in
users .cvspass file. (When we use pserver mode to set up a
central repository and access it from remote workstations,
that is.)

The password is "lightly scramblled" for accidental disclosure
to casual reader, but descrambling it is rather easy.

Several days ago, I needed to recall the CVS password, but
I found myself not recalling it since I relied on the automatic
login by using the password in .cvspass too much.
So I used the easy descrambling from my own .cvspass file
under my home directory to recover the password.
(The same password is used to crypt
a PDF file by my fellow worker. He remebers the password. A good thing.)

However, as I recover the password from .cvspass, I found
one troubling situation.
When I tried to find how to descramble the lightly
scrambled password in .cvspass using Google
(and this was before I check the CVS source file which
I eventually did and solved my ordeal.)
I found MANY HITs of people's .cvspass files on the web.
Theyt contain lightly scramblled passwords.

Granted that many of these files under user home directories
visible on the web
must be the password to be used by anonymous server or
publicly usable CVS server, but I doubt if ALL of them
are the result of such benign neglect.

Is it likely that some .cvspass visible on the web using
Google search may contain some valuable password to
a reasonably important server? I think the chances are high. UGH.

This probably has been a common knowledge among the blackhat community.

The weak password problem has been discussed often (see the
relevant two hits from the .cvspass search in google.), but
having the file published in web and being reported in Google
is something I didn't expect to see happening.
No difficult efforts need to be spent to collect .cvspass files.

URL: Discussions about cvspass. Found in the first page of
google search for ".cvspass".

http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2003-05/0073.html

http://www.contactor.se/~dast/svn/archive-2003-01/0851.shtml


-- 
int main(void){int j=2003;/*(c)2003 cishikawa. */
char t[] ="<CI> @abcdefghijklmnopqrstuvwxyz.,\n\"";
char *i ="g>qtCIuqivb,gCwe\np@...tCIuqi\"tqkvv is>dnamz";
while(*i)((j+=strchr(t,*i++)-(int)t),(j%=sizeof t-1),
(putchar(t[j])));return 0;}/* under GPL */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ