| 1 |
Hello, |
| 2 |
|
| 3 |
On 08 Nov 2004 14:47:15 +0100 you wrote: |
| 4 |
|
| 5 |
> I will publish step-by-step instructions which explain in |
| 6 |
> great detail how to ... |
| 7 |
> |
| 8 |
> (1) set up a fake sync mirror, |
| 9 |
> |
| 10 |
> (2) set up a transparent proxy for rsyncd connections that |
| 11 |
> are routed through your machine, |
| 12 |
> |
| 13 |
> (3) configure your BIND daemon to pretend it had |
| 14 |
> authoritative information for the gentoo.org zone that |
| 15 |
> refers to your mirror rather than the real one, and |
| 16 |
> |
| 17 |
> (4) what to patch in /usr/portage/eclass/eutils.eclass to |
| 18 |
> install appropriate exploit code on the user's machine |
| 19 |
> once emerge is used for the next time. |
| 20 |
|
| 21 |
Err... I think this description alone should do it, no need to waste |
| 22 |
your time writing the n-th description of how to set up a transparent |
| 23 |
proxy, setting up BIND and so on... You could write an ebuild |
| 24 |
"hacked-up-rsync-mirror" which does this all, so that all of us |
| 25 |
can do some testing :-) |
| 26 |
|
| 27 |
But i doubt that you really manage to hack up my BIND, place a |
| 28 |
transparent proxy in my connection to the net or convince me to use your |
| 29 |
fake mirror. But go on, play... Don't complain here if you're the one |
| 30 |
being laughed at on that mentioned mailing list... |
| 31 |
|
| 32 |
HWH |
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-security@g.o mailing list |
Archives