  /usr/bin/X11/cdplayer, part of a standard Irix 5.3/6.2
  installation, is suid and insecure. Any local user can use it to
  create a root-owned, world-writable, arbitrarily named directory
  anywhere on the system. Other weaknesses of the standard Irix
  configuration allow this to be converted into root privileges. How
  is that done? Read the following text, which describes the exploit
  in a funny way, thanks to Yuri Volobuev.

  A suid program that does file I/O always has something to offer.
  The first step, reading the man page, shows that it stores CD
  catalogs and programs in the ~/.cddb directory. Well, let's see it
  working. Put an audio CD in the drive, run cdplayer. Looks nice.
  Let's make a short CD description and look at what we have on the
  disk. Indeed, ~/.cddb is there, but it's empty. Hm. ls -ld ~/.cddb.
  Owned by root? Interesting. But harmless. What is the use of a
  root-owned ~/.cddb? But what did that man page say about
  CDDB_WRITE_PATH? Yep, RTFMing always helps, now we have .cddb in
  /etc. Let's see if the catalog files themselves are root-owned.
  Nope. And it refuses to overwrite anything. Too bad, it's
  suid-aware and gives up root privileges. So it's still useless.
  Now it is the right time to use the strings command.

  strings /usr/bin/X11/cdplayer

  As usual, our friend strings tells us many interesting facts.
  For example, there are a few strings that look like command line
  options, particularly -dbcdir. Yep, these are valid options,
  though not documented in the man page. What does -dbcdir do?
  Suddenly, our abilities increase from creating .cddb anywhere to
  creating a root-owned arbitrarily named directory anywhere. Not
  bad. But how could an empty directory be useful? No way. And it's
  writable only by root... hm. What permissions does that directory
  have? drwxr-xr-x -- why so? Wait a moment, what is our umask?
  Bull's eye. umask 000; cdplayer -dbcdir /etc/test. drwxrwxrwx.
  Cool. Some thinking reveals that indeed all that we have earned so
  far is pretty useless -- on an ideal OS. But we deal with Irix,
  which is pretty far from this nice state and closer to the
  opposite, a user-friendly OS.

  Some scientists say that humans only use a fraction of their
  brain, the rest is there but isn't being used. What is true about
  humans is usually true about things that humans create, in
  particular /etc/passwd files. Let's take a peek. Right near the
  top, we see an interesting line

  sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh

  wow. uid 0. But it's starred out. And the home directory doesn't
  exist. DOESN'T EXIST? He he. One call to our friend cdplayer,
  and it does. Now what? .forward? Doesn't work, sysadm is in
  /etc/aliases. More thinking and suddenly it strikes me - why am I
  so stupid? Why do I first think about .forward, not about the
  obvious things?

  echo "+ +" >/usr/admin/.rhosts

  As fingers type, something is telling me that it's not going to
  work. Yep, it doesn't, .rhosts has to be owned by the home
  directory owner, i.e. sysadm. But we're almost there. Last
  effort -- recall it's Irix, and it's user-friendly. Remember,
  some time ago somebody on bugtraq (or was it linux-security?)
  asked what is bad in giving away your own file. Well, here's a
  live demo:

      $host> chown root.sys /usr/admin/.rhosts
      $host> rsh localhost -l sysadm
      #
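
  An added audit example, not part of the original advisory or of
  Irix: it walks a passwd-format file and flags the conditions this
  text depends on (a home directory that does not exist, a
  world-writable home directory, a wildcard .rhosts). The names
  audit_homes and demo and the root-prefix argument are assumptions
  made so the check can run against a constructed tree.

```shell
#!/bin/sh
# audit_homes PASSWD_FILE [ROOT_PREFIX]
# Prints one finding per line: "<user> <uid> <home> <problem>".
# ROOT_PREFIX (assumption, for offline runs) is prepended to each home path.
audit_homes() {
    passwd_file=$1
    prefix=${2:-}
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        case $user in ''|\#*) continue ;; esac
        [ -n "$home" ] || continue
        dir=$prefix$home
        # A missing home is the gap the advisory fills with a new directory.
        if [ ! -d "$dir" ]; then
            echo "$user $uid $home missing-home"
            continue
        fi
        # World-writable home: any local user can plant .rhosts or .forward.
        if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
            echo "$user $uid $home world-writable-home"
        fi
        # A .rhosts line starting with "+" trusts every host and/or user.
        if [ -f "$dir/.rhosts" ] && grep -Eq '^[[:space:]]*\+' "$dir/.rhosts"; then
            echo "$user $uid $home wildcard-rhosts"
        fi
    done < "$passwd_file"
}

# Constructed sample: the sysadm line is the one quoted in the advisory; the
# other two accounts and the temporary directory tree are made up.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root" "$t/usr/people/guest"
    chmod 755 "$t/root"
    chmod 777 "$t/usr/people/guest"
    echo '+ +' > "$t/usr/people/guest/.rhosts"
    cat > "$t/passwd" <<'EOF'
root:*:0:0:Super-User:/root:/bin/sh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
guest:*:998:998:Guest Account:/usr/people/guest:/bin/sh
EOF
    audit_homes "$t/passwd" "$t"
    rm -rf "$t"
}
demo
```

  On a live system, audit_homes /etc/passwd with no second argument
  checks the real home directories.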